launchpad-users team mailing list archive

[Christian Robottom Reis <kiko@xxxxxxxxxxxxx>]

On Wed, Apr 15, 2009 at 12:17:47PM -0500, Lukasz Szybalski wrote:
> On Wed, Apr 15, 2009 at 8:51 AM, Christian Robottom Reis
> <kiko@xxxxxxxxxxxxx> wrote:
> > On Wed, Apr 15, 2009 at 08:46:39AM -0500, Lukasz Szybalski wrote:
> >> So lets get to the point. You mentioned that setting it up so that
> >> https is used only if users is logged is a bit tricky vs implementing
> >> https for all was immediate?  I would think this shouldn't be that
> >> hard(maybe 2-3 days) so I guess maybe we should start talking how
> >> should it be setup/ vs what needs to be done?
> >
> > I didn't understand your sentence, but whatever it is you're suggesting,
> > 2-3 days is crazy <wink>. This requires significant change in how we
> > authenticate our users -- it really isn't as simple as it might appear
> > initially. It is something we will look into after July.
> 
> I would be interested to know how this process works on
> launchpad.net...now and what would need to be done. Can you discuss
> that or is that private information?

Which process? Authentication? The high-level problem is splitting
authentication and identification: we'd need to provide users with two
cookies, one secure and one insecure, and have a way to allow the user
to "sudo" into SSL authenticated mode when actually modifying data. This
would improve the experience for a few different reasons -- it's just
non-trivial to do within our 3.0 roadmap.
-- 
Christian Robottom Reis | [+55 16] 3376 0125 | http://launchpad.net/~kiko
                        | [+55 16] 9112 6430 | http://async.com.br/~kiko