Discussion Forum For Bishopric

Some discussions just don't fit into a well defined box. Use this forum to discuss general topics and issues revolving around the Church and the technology offerings we use and share.
Eric Werny-p40
Member
Posts: 57
Joined: Wed Feb 07, 2007 8:21 am
Location: St. George, Utah

Discussion Forum For Bishopric

#1

Post by Eric Werny-p40 »

We are trying an experiment with the use of a double level password protected discussion forum.

Due to the crazy employment schedules of each member of our bishopric, I came up with the idea
of using a forum board to assist us in keeping track of our assignments. This allows our executive
secretary to collect items that need to be put on the Sunday meeting agenda.

I see this as an opportunity for our good Bishop who is a CPA, facing tax season, and will be working
insane hours.

Have any of you tried this idea?

EW
The_Earl
Member
Posts: 278
Joined: Wed Mar 21, 2007 9:12 am

Security

#2

Post by The_Earl »

I have not tried this.

I would think a better solution would be a certificate / PKI system. Three passwords are not really any more secure than one, since if you can get (or guess) one, then the process to get the rest is similar. You really need to find a different method to authenticate.

The general rules go something like:
Something you know (password / username)
Something you have (card / key fob / key)
Something you are (fingerprint / appearance)

Notice that your bank uses two separate methods (card AND pin). By using a certificate, you add 'something you have', the certificate, to the authentication process in addition to the 'known' password and username.

I am not familiar with using client side certificates to authenticate web users, but I understand it is possible. It is also trivially simple to generate a certificate and install it on the machines needed. You do need to distribute the certificates, but it is a one-time cost, and simple enough that a tech savvy person could do it.

I'll see if anyone can shed some light on this. I'll see what I can figure out in the meantime.

I have used PKI keys to authenticate SSH sessions, but that is a bit different.

Thanks
The Earl
Eric Werny-p40
Member
Posts: 57
Joined: Wed Feb 07, 2007 8:21 am
Location: St. George, Utah

Cert

#3

Post by Eric Werny-p40 »

This idea is in a beta stage and everyone involved has been briefed to keep it simple until we see if this
idea works or not.

I am putting in place an SSL Cert and a number of other layers. May even play with VPN tunnelling.

We had a little proof of concept tonight when the exe. sec. needed some data, and we could have had the Bishop log on and give him the entire list in the system, by cutting and pasting.

I will report back how this is going.

EW
thedqs
Community Moderators
Posts: 1042
Joined: Wed Jan 24, 2007 8:53 am
Location: Redmond, WA

#4

Post by thedqs »

The Earl wrote: I am not familiar with using client side certificates to authenticate web users, but I understand it is possible. It is also trivially simple to generate a certificate and install it on the machines needed. You do need to distribute the certificates, but it is a one-time cost, and simple enough that a tech savvy person could do it.

You can have client side certificates, but the problem is the verification chain you need a trusted authority to sign. And the signature is what costs the pretty penny for not much.
- David
The_Earl
Member
Posts: 278
Joined: Wed Mar 21, 2007 9:12 am

Verified Certificates

#5

Post by The_Earl »

thedqs wrote: You can have client side certificates, but the problem is the verification chain you need a trusted authority to sign. And the signature is what costs the pretty penny for not much.

You wouldn't need a trust broker to sign the certificates for this project. You could create a key and sign them yourself as long as you protected the original key. If the signing key ever got out, you would have to generate another, and new certificates. This isn't that hard to do, but it is difficult to figure out if someone you don't intend has the original private key.