On Wed, 20 Mar 2013 07:19:27 +0100
Pierre-Yves Chibon <pingou(a)pingoured.fr> wrote:
> On Wed, 2013-03-20 at 02:13 -0400, seth vidal wrote:
> > On Tue, 12 Mar 2013 08:10:21 +0100
> > Pierre-Yves Chibon <pingou(a)pingoured.fr> wrote:
> > > On Tue, 2013-03-12 at 03:07 -0400, Bohuslav Kabrda wrote:
> > > > A question for this series. If I understand it correctly, the
> > > > api_login is just another random generated string, right? Would
> > > > you please elaborate a bit more on why having separate logins
> > > > is good?
> > > Yes it is, (with the addition that the part before '##' is a
> > > base64 of 'copr').
> > > I think the basic idea here is to reduce even more the
> > > possibility of brute force since one would have to do it for both
> > > the api token and the username. Seth, do you see another interest
> > > for it?
> > > It also seems to be the approach taken by cloud platforms and by
> > > OAuth systems (if my understanding is correct).
> > That's correct. I think the idea is that if someone discovers your
> > token they don't discover who owns it but if we find someone using
> > that token username somewhere else - we can trace back what app it
> > came from.
> Then I'm wondering if it's interesting to have the base64 of 'copr' in
> the token itself.
> In a way I think no, otherwise if someone finds your token it can find
> out where to use it. On the other side, we already save the token in a
> rather explicit place ~/.config/copr so in that respect it doesn't
yah - I'm not really sure. I'd rather plan for the case where we need
to figure out where something is from and less for trying to hide it
from a theoretical attacker.
So encoding copr in there helps us.
If the attacker can figure it out well, then - that's fine - but I just
want to know we can, too.
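An added illustration of the scheme the thread describes (not copr's own code): the api_login carries base64('copr') followed by '##' so a stray credential can be traced back to the app, while the api_token is unmarked, and both must be presented to authenticate. The SHA-256 fingerprint storage, the `ApiStore` class and the function names are assumptions for this example.

```python
import base64
import hashlib
import hmac
import secrets

# Marker exactly as described in the thread: base64 of the literal 'copr', then '##'.
PREFIX = base64.b64encode(b"copr").decode() + "##"


def generate_credentials():
    """Return (api_login, api_token). Both halves are random; only the login
    carries the copr marker, so the token alone reveals neither owner nor origin."""
    api_login = PREFIX + secrets.token_urlsafe(12)
    api_token = secrets.token_urlsafe(32)
    return api_login, api_token


def token_fingerprint(api_token):
    # Assumed storage scheme for this example: keep a hash, never the raw token.
    return hashlib.sha256(api_token.encode()).hexdigest()


def origin_of(credential):
    """Defender-side triage for a string found in a log or a public repo:
    returns 'copr' if it looks like a copr api_login, else None."""
    return "copr" if credential.startswith(PREFIX) else None


class ApiStore:
    """Hypothetical server-side table: api_login -> (user, token fingerprint)."""

    def __init__(self):
        self._by_login = {}

    def register(self, user):
        login, token = generate_credentials()
        self._by_login[login] = (user, token_fingerprint(token))
        return login, token

    def authenticate(self, login, token):
        """Both the random login and the token must match. A guessed login
        alone identifies nobody, and the token check is constant-time."""
        entry = self._by_login.get(login)
        if entry is None:
            return None
        user, stored_fp = entry
        if hmac.compare_digest(stored_fp, token_fingerprint(token)):
            return user
        return None
```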