On 04/27/2015 03:45 PM, Pierre-Yves Chibon wrote:
> pros:
> - API token per user and per application
> - Could support multiple tokens per application
> - Central place to manage API token (i.e. a central place to revoke someone's
>   access if a machine gets compromised/lost)
> - Simpler than dealing with the SSL stack
> - Can be re-used by multiple applications
> cons:
> - It's an idea and it needs work :)
> - Impacts
>   - dist-git
>   - koji
>   - ?

The fact that SSL certs are used for identifying users has always seemed weird to me.
And sometimes it is painful to use them. It is definitely easier to change a token than
to change an SSL cert.

+1 to using a normal SSL cert just for crypto and identifying the user with a token (or even
Kerberos/GSSAPI).

--
Miroslav Suchy, RHCA
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys