Posted to dev@ponymail.apache.org by Sam Ruby <ru...@intertwingly.net> on 2016/10/05 15:59:54 UTC

Mozilla Persona deprecated; time to rethink authentication?

While lists.apache.org is better in so many ways than what it replaced, 
a pain point for me has been authentication: in particular, following a 
link to see nothing there.  Sometimes it reminds me that logging in 
would help, and with a number of mouse clicks I can do that, but it 
doesn't always.

At the present time, ponymail supports two authentication methods: 
Apache OATH (backed by LDAP) and Mozilla Persona.

In about seven weeks, Mozilla Persona will go away:

https://bugzilla.mozilla.org/page.cgi?id=persona_deprecated.html

My preference would be to replace OATH with standard HTTP basic 
authentication.  The issue being that this service shouldn't require 
authentication for simple browsing of public lists.

Perhaps the split could be http: URLs don't require/support 
authentication, and https: URLs do?

- Sam Ruby



Re: Mozilla Persona deprecated; time to rethink authentication?

Posted by sebb <se...@gmail.com>.
On 5 October 2016 at 16:59, Sam Ruby <ru...@intertwingly.net> wrote:
> While lists.apache.org is better in so many ways than what it replaced, a
> pain point for me has been authentication: in particular, following a link
> to see nothing there.  Sometimes it reminds me that logging in would help,
> and with a number of mouse clicks I can do that, but it doesn't always.
>
> At the present time, ponymail supports two authentication methods: Apache
> OATH (backed by LDAP) and Mozilla Persona.
>
> In about seven weeks, Mozilla Persona will go away:
>
> https://bugzilla.mozilla.org/page.cgi?id=persona_deprecated.html
>
> My preference would be to replace OATH with standard HTTP basic
> authentication.  The issue being that this service shouldn't require
> authentication for simple browsing of public lists.

It does not require auth for public mails.
For example:

https://lists.apache.org/list.html?dev@ponymail.apache.org

Nor does it require auth for lists that have mixed public and private
mails; only the private mails require auth.

However, such lists are not displayed currently (this is a server config item).

For example:

https://lists.apache.org/list.html?site-dev@apache.org:2014-8

It was in this month that the list was made public.
The list does not appear in the directory.

> Perhaps the split could be http: URLs don't require/support authentication,
> and https: URLs do?
>
> - Sam Ruby
>
>