
ubuntu-phone team mailing list archive

Re: Heads up, SSO tokens going to be bulk invalidated


On Fri, Sep 12, 2014 at 11:33 AM, Martin Albisetti
<martin.albisetti@xxxxxxxxxxxxx> wrote:
> Hi all,
>
> As part of tightening security in SSO, we will need to invalidate
> all[1] current SSO tokens within the next week or two, and they will
> all need to be re-created.
> We are doing this now and in this manner because we frequently need to
> do so whenever there are security breaches in third-party sites and
> users in our systems used the same passwords, as well as when a user
> changes their password on the server, their tokens are no longer
> valid.
> So what I want us to ensure early on is that the phone can handle this
> situation gracefully and in a user-friendly manner. We won't have the
> luxury of hand-holding each person if the device gets confused in the
> future, and I don't want us to be in a position where we need to
> choose between security and user confusion, where we can avoid it.
> I have talked to Mardy and David a month or two back to let them know
> this was coming, but I'm not sure what other areas of the phone it
> will affect or how.

Sounds great to be doing this, and checking for problems before phones
are in lots of users' hands.
Please let me do a review of how invalidated credentials are handled
in all the uses of the apps scope and payments, and to come up with
fixes if needed before doing the full invalidation.

thanks!
-- 
alecu
