On 01/06/12 18:35, Fabio M. Di Nitto wrote:
On 5/30/2012 1:37 PM, Chris Dix wrote:
> Fabio,
>
> If you implement a password recovery feature, that would email the new
> password to the user. That does no good if they don't have access to
> their email account.
>
> We probably do want an alternate email that can be used for these
> situations.
I don't think we understood each other :)
I am suggesting that every user in fas has 2 emails registered, one
primary, one backup. Both active at the same time. If you lose access to
one email and the password to fas, you still have one backup email address
that is recognized for password recovery.
<sarcasm>
If the user can manage to lose password, and access to 2 emails at the
same time, I am not entirely sure I'd want his packages to be installed
on my system.
</sarcasm>
The point being that there is already all the code there written to
handle one email address, and it would be enough to make it understand
backup address vs rewriting a whole new chunk of code for security
questions, store them, hash answers, crypt the db... etc.
Fabio
>
> Chris
>
> On May 30, 2012 3:41 AM, "Fabio M. Di Nitto" <fdinitto(a)redhat.com> wrote:
>
> On 5/29/2012 11:45 PM, Andre Robatino wrote:
> > Kevin Fenzi <kevin@...> writes:
> >
> >> I think adding a 'security question(s)' feature would be great.
> >>
> >> I would strongly suggest however that the questions and answers be free
> >> form. There's little security in canned security questions that have
> >> answers people can find out. i.e., 'What was your high school?'
> >
> > I just use a password manager and if a site forces me to answer "security"
> > questions, I put them in the Notes section using strong random passwords for the
> > answers. For example
> >
> > What was your high school? 48ZGrNaDQR75
> >
> > I think the security questions should be optional in any case to save the
> > trouble of having to make and store several strong random passwords rather than
> > just one.
>
> Or maybe have primary (company?) email and private email registered.
>
> Instead of re-inventing a whole new chunk of code by introducing a
> security question and all, simply allow 2 emails to be valid at any
> given time.
>
> Fabio
> _______________________________________________
> infrastructure mailing list
> infrastructure(a)lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/infrastructure
If a user maintains packages, he will know how to use a public key ;-p.
And as such know gnupg and how to sign emails with his private key.
People should just remember to put in their public keys.
The only reason why I was so vocal about the user asking about a change
was, that he is a former red hat employee and as such should receive a
common courtesy of going the extra mile. As long as he contacts his
supervisor/manager/HR person who can verify that he is who he claims to be.
With other people this would be harder.
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore(a)internexusconnect.net
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore(a)fedoraproject.org