On Thu, Aug 27, 2015 at 02:20:35PM +0200, Mario Lang wrote:

> > Ok, I'm evaluating alternatives. Do you have any experience running lynx
> > through stunnel?
> No, I'm afraid not.

Ok, I'm still trying to work out alternatives.

> curl --key mlang.key --cert mlang.crt 
> https://sso.debian.org/spkac/test/env|lynx -stdin
> works, but that is barely a solution since you will not be able to
> follow any site-specific links.  It is a shame lynx apparently doesn't
> have support for client certificates.

Indeed, I wouldn't ask anybody to use curl as a web browser.

It's also a shame that lynx isn't build using libcurl :)

> OTOH, while I am not really up-to-date with the newest ideas in web
> development, it strikes me a bit restrictive to require only
> client certificates for SSO in the future.  I can imagine a few
> situations where I'd just prefer to enter a password, instead of having
> to make sure my environment is modern and permissive enough to let me have 
> client certs.

Unfortunately, it seems that all the current options for having
centralised password management are a nightmare to maintain server side:
either SAML implementations in a nightmare of java code that requires a
field expert full time to be maintained, or OAuth2 which has no
maintained server implementations and would basically require us to
become upstream for our own one.

This seems to be so far the best tradeoff between maintainability and
security. Let's see if we can make it work for all of us.


GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini <enr...@enricozini.org>

Attachment: signature.asc
Description: Digital signature

Reply via email to