Replies: 14
Last Post: Aug 27, 2008 12:00 AM by: alanbur

Beta of new OSO registration & login application available for testing
Posted: Aug 20, 2008 2:33 PM
I have put a new beta of the Auth application on http://auth.opensolaris.org/auth This contains the new registration and login pages which will in time replace the existing account management pages on opensolaris.org.
I would like people to test the new version and provide feedback. At the moment I am primarily concerned with functionality and not appearance, the CSS will be changed before deployment to conform with the OSO L&F. I'm particularly interested to see if anyone can hack the site and/or find any security flaws - for example can you add a bogus SSH key to an account that you don't own - the 'admin' account would be a good choice for any attacks.
Some notes
==========

Security
--------
The site is currently running under HTTP, when it is deployed it will be running HTTPS, so eavesdropping on traffic between the browser and the app won't be possible.

Confirmation emails
-------------------
At the moment, all emails are sent to auth-test at opensolaris dot org (http://mail.opensolaris.org/pipermail/auth-test), for testing purposes. This means that you can enter a made-up email address, as long as it is correctly formatted. This also means that all token and confirmation emails are globally visible. When deployed this obviously won't be the case, so an attacker would have to eavesdrop to obtain a copy of the mails.

Localization
------------
The application is internationalised. The preferred language can either be specified via your browser preferences, or via the language option on the account edit screen, with the account setting taking preference. At present there are only translations for the test-only Esperanto and Australian English languages.

What isn't there yet
--------------------
1. Member collective editing
The page which will allow you to select which collectives you wish to participate in is not yet implemented.
2. Sunid confirmation
It is necessary to tie Sun employees' OpenSolaris.org accounts to their Sun identity, so we know that they don't have to sign an individual SCA. This isn't implemented yet, but when available it will prompt for a Sun employee number and the corresponding password. If these match, the password will be discarded and the Sun employee ID will be saved read-only in the OpenSolaris.org account.
3. Set language when not logged in
You can specify preferred language via browser preferences, or in your account settings. A mechanism will also be provided to allow you to specify the preferred language for anonymous browsing on a per-visit basis.

Pages and processes
===================

Registration
------------
http://auth.opensolaris.org/auth/edit.action
1. Account details are entered and the CAPTCHA is answered. If successful a confirmation email is sent to the registered address.
2. The account is initially in 'confirm email' mode, and logins are disabled.
3. The confirmation email contains a validation link. When this is visited, the account is activated.
4. The token has a validity of 15 minutes. If it expires before the account is confirmed, the "Email reset" process must be used to generate another token. This timeout is deliberately short for testing purposes.

Login
-----
http://auth.opensolaris.org/auth/login.action
1. A valid username and password are required.
2. On successful login, a dummy home page is displayed.
3. Only 3 unsuccessful login attempts are allowed in any 5-minute period.
4. After 6 unsuccessful attempts the account is suspended, the account owner is notified and provided with a password reset token.

Account edit
------------
http://auth.opensolaris.org/auth/edit.action
1. You need to be logged in to edit an account.
2. All account edits need confirmation with the current password. If the password is entered incorrectly 3 times, the account is locked and the owner notified.
3. If the email address is changed, the account is put into "confirm email" state and a confirmation token sent to the member.

SSH key edit
------------
http://auth.opensolaris.org/auth/keys.action
1. You need to be logged in to edit an account.
2. Keys may be uploaded from disk. Keys are validated before being accepted.
3. Addition of a new key requires the current password confirmation, deletion does not require password confirmation.
4. If the wrong password is supplied 3 times, the account will be locked.

Password reset
--------------
http://auth.opensolaris.org/auth/resetPassword.action
1. A password reset token may be generated by entering either a member name or an email, and answering a CAPTCHA. The token is sent to the registered email address.
2. The token has a 15 minute validity (for testing purposes). The user must supply the answers to the 2 preregistered security questions to reset the password. Only 3 attempts to change the password are allowed before the account is locked.
3. If the password is successfully changed, a notification email is sent to the registered email address.

Email reset
-----------
http://auth.opensolaris.org/auth/resetPassword.action
1. A member name and password are supplied, along with a new email address and the answer to a CAPTCHA.
2. If the member name and password are valid, the email is changed, the account is put into the "confirm email" state and a confirmation token is sent to the user. The token has a validity of 15 minutes, for testing purposes.
3. When the token is clicked, the email is confirmed and the account is activated.
4. Only 3 tokens may be requested before the account is locked.
Please let me know if you find any problems, or have any questions.
Thanks,
-- Alan Burlison --
_______________________________________________
website-discuss mailing list
website-discuss at opensolaris dot org
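The login throttling rules in the Login section of the announcement (at most 3 failed attempts in any 5-minute period, suspension and owner notification after 6) worked through as an added Python example; this is not the auth application's own code. It assumes an in-memory state table, a caller-supplied clock so the windows can be tested deterministically, and that the failure count resets on a successful login.

```python
"""Login failure throttling modelled on the policy in the Login section:
at most 3 failed attempts in any 5-minute window, and after 6 failures the
account is suspended and the owner is notified with a reset token.
Added example, not the OpenSolaris auth application's code.  Assumptions:
an in-memory state table, a caller-supplied clock ("now" in seconds) so the
windows can be tested deterministically, and the failure count resetting on
a successful login."""
import hmac
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 5 * 60   # "any 5-minute period"
WINDOW_LIMIT = 3          # failures tolerated inside one window
SUSPEND_AFTER = 6         # cumulative failures before suspension


@dataclass
class AccountState:
    recent: deque = field(default_factory=deque)  # timestamps of recent failures
    total_failures: int = 0
    suspended: bool = False
    reset_token_sent: bool = False  # stands in for "owner notified"


class LoginThrottle:
    def __init__(self, credentials):
        # Constructed credential table for the demo: member name -> password.
        # A real deployment would verify against a password hash store.
        self._creds = credentials
        self._state = {}

    def _state_for(self, name):
        return self._state.setdefault(name, AccountState())

    def is_suspended(self, name):
        return self._state_for(name).suspended

    def attempt(self, name, password, now):
        """Returns one of: "ok", "failed", "throttled", "suspended"."""
        st = self._state_for(name)
        if st.suspended:
            return "suspended"
        # Slide the window: forget failures older than 5 minutes.
        while st.recent and now - st.recent[0] >= WINDOW_SECONDS:
            st.recent.popleft()
        if len(st.recent) >= WINDOW_LIMIT:
            # Refuse before checking the password, so the throttle gives the
            # caller no signal about whether the guess was right.
            return "throttled"
        expected = self._creds.get(name)
        # Constant-time comparison on bytes, so non-ASCII passwords work too.
        if expected is not None and hmac.compare_digest(
                expected.encode("utf-8"), password.encode("utf-8")):
            st.recent.clear()
            st.total_failures = 0
            return "ok"
        st.recent.append(now)
        st.total_failures += 1
        if st.total_failures >= SUSPEND_AFTER:
            st.suspended = True
            st.reset_token_sent = True  # real app: email the owner a reset token
            return "suspended"
        return "failed"

    def redeem_reset_token(self, name):
        """Lifts the suspension once the owner has used the emailed token
        (token generation and delivery are out of scope here)."""
        st = self._state_for(name)
        if not st.reset_token_sent:
            return False
        self._state[name] = AccountState()
        return True
```

Note that a throttled attempt is refused without checking the password, so a correct password entered inside a throttled window is rejected too; only the window expiring (or a reset token) lets the owner back in.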
Valerie Bubb Fe... (Valerie.Fenwick@Sun....)
Re: [osol-announce] Beta of new OSO registration & login application available for testing
Posted: Aug 20, 2008 2:51 PM, in response to: alanbur
On Wed, 20 Aug 2008, Alan Burlison wrote:
> I have put a new beta of the Auth application on
> http://auth.opensolaris.org/auth This contains the new registration and
> login pages which will in time replace the existing account management
> pages on opensolaris.org.
>
> I would like people to test the new version and provide feedback. At
> the moment I am primarily concerned with functionality and not
> appearance, the CSS will be changed before deployment to conform with
> the OSO L&F. I'm particularly interested to see if anyone can hack the
> site and/or find any security flaws - for example can you add a bogus
> SSH key to an account that you don't own - the 'admin' account would be
> a good choice for any attacks.
>
> Some notes
> ==========
>
> Security
> --------
>
> The site is currently running under HTTP, when it is deployed it will be
> running HTTPS, so eavesdropping on traffic between the browser and the
> app won't be possible.
Which lends credence to the "have fun but don't use real data" argument of the Confirmation Emails details :)
>
> Confirmation emails
> -------------------
>
> At the moment, all emails are sent to auth-test at opensolaris dot org
> (http://mail.opensolaris.org/pipermail/auth-test), for testing purposes.
> This means that you can enter a made-up email address, as long as it
> is correctly formatted. This also means that all token and confirmation
> emails are globally visible. When deployed this obviously won't be the
> case, so an attacker would have to eavesdrop to obtain a copy of the mails.
>
> Localization
> ------------
>
> The application is internationalised. The preferred language can either
> be specified via your browser preferences, or via the language option on
> the account edit screen, with the account setting taking preference. At
> present there are only translations for the test-only Esperanto and
> Australian English languages.
>
> What isn't there yet
> --------------------
>
> 1. Member collective editing
>
> The page which will allow you to select which collectives you wish to
> participate in is not yet implemented.
>
> 2. Sunid confirmation
>
> It is necessary to tie Sun employees' OpenSolaris.org accounts to their
> Sun identity, so we know that they don't have to sign an individual SCA.
> This isn't implemented yet, but when available it will prompt for a
> Sun employee number and the corresponding password. If these match, the
> password will be discarded and the Sun employee ID will be saved
> read-only in the OpenSolaris.org account.
Do you mean the LDAP password? Where will this verification occur? I don't think we should have LDAP passwords outside of SWAN for any reason. The sunID confirmation could instead be something that is internal that feeds *out* to opensolaris.org (say, once a day)
Thanks,
Valerie
--
Valerie Fenwick, http://blogs.sun.com/bubbva
Solaris Security Technologies, Developer, Sun Microsystems, Inc.
17 Network Circle, Menlo Park, CA, 94025.
Re: [osol-announce] Beta of new OSO registration & login application available for testing
Posted: Aug 20, 2008 3:50 PM, in response to: Valerie Bubb Fe...
Valerie Bubb Fenwick wrote:
>> The site is currently running under HTTP, when it is deployed it will be
>> running HTTPS, so eavesdropping on traffic between the browser and the
>> app won't be possible.
>
> Which lends credence to the "have fun but don't use real data" argument of
> the Confirmation Emails details :)
Exactly so - I wanted people to be able to see how it worked without exposing anything they cared about :-)
>> 2. Sunid confirmation
>>
>> It is necessary to tie Sun employees' OpenSolaris.org accounts to their
>> Sun identity, so we know that they don't have to sign an individual SCA.
>> This isn't implemented yet, but when available it will prompt for a
>> Sun employee number and the corresponding password. If these match, the
>> password will be discarded and the Sun employee ID will be saved
>> read-only in the OpenSolaris.org account.
>
> Do you mean the LDAP password? Where will this verification occur?
> I don't think we should have LDAP passwords outside of SWAN for
> any reason. The sunID confirmation could instead be something that
> is internal that feeds *out* to opensolaris.org (say, once a day)
The LDAP passwords won't be held on OpenSolaris.org at all. The process is the same one that is currently used when you log in to sun.com with your Sun username and password. This will *not* require that we keep copies of the LDAP passwords on opensolaris.org, the only thing that will be held is the SunID once it is confirmed, and that won't be made public.
-- Alan Burlison --
Valerie Bubb Fe... (Valerie.Fenwick@Sun....)
Re: [osol-announce] Beta of new OSO registration & login application available for testing
Posted: Aug 20, 2008 3:54 PM, in response to: alanbur
On Wed, 20 Aug 2008, Alan Burlison wrote:
> Valerie Bubb Fenwick wrote:
>
>>> The site is currently running under HTTP, when it is deployed it will be
>>> running HTTPS, so eavesdropping on traffic between the browser and the
>>> app won't be possible.
>>
>> Which lends credence to the "have fun but don't use real data" argument of
>> the Confirmation Emails details :)
>
> Exactly so - I wanted people to be able to see how it worked without exposing
> anything they cared about :-)
>
>>> 2. Sunid confirmation
>>>
>>> It is necessary to tie Sun employees' OpenSolaris.org accounts to their
>>> Sun identity, so we know that they don't have to sign an individual SCA.
>>> This isn't implemented yet, but when available it will prompt for a
>>> Sun employee number and the corresponding password. If these match, the
>>> password will be discarded and the Sun employee ID will be saved
>>> read-only in the OpenSolaris.org account.
>>
>> Do you mean the LDAP password? Where will this verification occur?
>> I don't think we should have LDAP passwords outside of SWAN for
>> any reason. The sunID confirmation could instead be something that
>> is internal that feeds *out* to opensolaris.org (say, once a day)
>
> The LDAP passwords won't be held on OpenSolaris.org at all. The process is
> the same one that is currently used when you log in to sun.com with your Sun
> username and password. This will *not* require that we keep copies of the
> LDAP passwords on opensolaris.org, the only thing that will be held is the
> SunID once it is confirmed, and that won't be made public.
Hi Alan -
But will you be asking folks to put their LDAP password in to start with? I'm curious as to which password you mean here: "it will prompt for a Sun employee number and the corresponding password."
Which sounds like opensolaris.org will have the LDAP password, if only temporarily.
Valerie
--
Valerie Fenwick, http://blogs.sun.com/bubbva
Solaris Security Technologies, Developer, Sun Microsystems, Inc.
17 Network Circle, Menlo Park, CA, 94025.
Re: [osol-announce] Beta of new OSO registration & login application available for testing
Posted: Aug 20, 2008 4:04 PM, in response to: Valerie Bubb Fe...
Valerie Bubb Fenwick wrote:
> Hi Alan -
>
> But will you be asking folks to put their LDAP password in to start with?
> I'm curious as to which password you mean here:
> "it will prompt for a Sun employee number and the corresponding password."
>
> Which sounds like opensolaris.org will have the LDAP password, if only
> temporarily.
It will transiently have the LDAP password, it will only ever be held in memory and as soon as it is verified it will be discarded. The username and password you log into OSO with are completely separate.
-- Alan Burlison --
Re: [osol-announce] Beta of new OSO registration & login application available for testing
Posted: Aug 20, 2008 4:25 PM, in response to: Valerie Bubb Fe...
Valerie Bubb Fenwick wrote:
> But will you be asking folks to put their LDAP password in to start with?
> I'm curious as to which password you mean here:
> "it will prompt for a Sun employee number and the corresponding password."
>
> Which sounds like opensolaris.org will have the LDAP password, if only
> temporarily.
I've talked to Valerie offline and explained that I'm following standard Sun methodology and have received a security audit. I can't disclose the exact details, but Valerie assures me she's happy, and that means I'm happy too - thanks Valerie :-)
-- Alan Burlison --
Re: Beta of new OSO registration & login application available for testing
Posted: Aug 21, 2008 7:44 AM, in response to: alanbur
Alan Burlison wrote:
> I have put a new beta of the Auth application on
> http://auth.opensolaris.org/auth This contains the new registration and
> login pages which will in time replace the existing account management
> pages on opensolaris.org.
>
Very nice. So much easier. :)
> Confirmation emails
> -------------------
>
> At the moment, all emails are sent to auth-test at opensolaris dot org
> (http://mail.opensolaris.org/pipermail/auth-test), for testing purposes.
>
Ok, I didn't realize initially that this is where we have to go to get the confirmation. Clear now.
> Localization
> ------------
>
> The application is internationalised. The preferred language can either
> be specified via your browser preferences, or via the language option on
> the account edit screen, with the account setting taking preference. At
> present there are only translations for the test-only Esperanto and
> Australian English languages.
>
I also sent this to i18n-discuss for an internationalization look. Also, the current live registration page on os.org is translated into Japanese and Chinese, but with this new application I hope the community will be able to help get the user-facing pages translated to a dozen or so languages.
> http://auth.opensolaris.org/auth/edit.action
>
> 1. Account details are entered and the CAPTCHA is answered. If
> successful a confirmation email is sent to the registered address.
>
> 2. The account is initially in 'confirm email' mode, and logins are
> disabled.
>
> 3. The confirmation email contains a validation link. When this is
> visited, the account is activated.
>
Just a link to a web page for confirmation? Not an option to email confirm?
> 4. The token has a validity of 15 minutes. If it expires before the
> account is confirmed, the "Email reset" process must be used to generate
> another token. This timeout is deliberately short for testing purposes.
>
What will it be set to when it goes live? The reason I ask is that we often run registration programs around the world at various events (get a free server at Tech Days, etc) and we set up computers for people to register on site, but they don't necessarily have access to their email to confirm until they get home later on. In places like East Asia (China, Japan, Korea) it's not as common to bring your laptop to conferences like it is in the US and Europe.
> Login
> -----
>
> http://auth.opensolaris.org/auth/login.action
>
> 1. A valid username and password is required.
>
The log in screen says "Member name" and not "username". Any reason for that? I'd suggest using Username instead of Member name since "Member" is a governance term with specific meaning and may cause confusion. Same issue with Member name in other pages.
On the registration page: I seem to remember some red "required field" notices next to some fields while registering using my Sun Ray at work (probably have Firefox 2x there), but I don't see them with FF3/OpenSolaris now unless I enter incorrect info or leave out obviously required fields.
Jim
--
http://blogs.sun.com/jimgris/
Re: Beta of new OSO registration & login application available for testing
Posted: Aug 21, 2008 8:17 AM, in response to: jimgris
> Alan Burlison wrote:
>> I have put a new beta of the Auth application on
>> http://auth.opensolaris.org/auth
Initial impressions (other than the default "looks pretty good"):
-----------
Member names must be between 3 and eight characters long and start with a letter. The allowed characters are lowercase letters, numbers, period, underline and hyphen.
What about our European friends who have punctuated names, or those in Asia whose names use more than the 26 lower case ascii characters? Good Old Garret D'Amore comes to mind, as do Jörg and the folks in Asia....
Localization and internationalization should include this sort of stuff as well...
-----------
Passwords must be between six and twenty characters long and must contain at least two letters and at least one number or punctuation character.
Why "yet another password construction policy"? What if my pass phrase is longer, or uses non-alphanumeric and non-punctuation characters? Other sites analyze the entered password and inform the user of its strength factor rather than forcing everyone to use a single arbitrary site-specific scheme.
-----------
Security Questions
The "default" should be "PICK ONE" rather than the first question on the list.
------------
If you can't read the words, press the "Get a new challenge" button to the right of the words.
There is no such button. Instead, there are three graphical images, one of which has ALT TEXT that contains that phrase. The above text implies that those images are ineffectual :-)
Instead, explicitly put the link in the instructions: If you can't read the words, press [HREF'd IMG] to Get a new challenge.
-John
Re: Beta of new OSO registration & login application available for testing
Posted: Aug 21, 2008 2:52 PM, in response to: plocher
John Plocher wrote:
> Member names must be between 3 and eight characters long and
> start with a letter. The allowed characters are lowercase letters,
> numbers, period, underline and hyphen.
>
> What about our European friends who have punctuated names, or
> those in Asia whose names use more than the 26 lower case ascii
> characters?
> Good Old Garret D'Amore comes to mind, as do Jörg and the folks
> in Asia....
The member names have to map onto Solaris login names, because they are used when you connect via SSH to do a Mercurial or Subversion operation. Solaris login names are limited to 8 characters, we have to pass that restriction through. There isn't anything we can do about it.
> Localization and internationalization should include this sort
> of stuff as well...
Everything else is i18n'd - for example JimG registered with his full name in Japanese.
> Passwords must be between six and twenty characters long and
> must contain at least two letters and at least one number or
> punctuation character.
>
> Why "yet another password construction policy"? What if my pass
> phrase is longer, or uses non-alphanumeric and non-punctuation
> characters? Other sites analyze the entered password and inform
> the user of its strength factor rather than forcing everyone to
> use a single arbitrary site-specific scheme.
That's inherited from the existing application, we will be migrating accounts from there so it seemed reasonable to keep the rules the same. The 'test your strength' password schemes just apply the same rules behind the scenes, all we are doing is making the rules explicit.
> Security Questions
>
> The "default" should be "PICK ONE" rather than the first question
> on the list.
Or just blank - all the existing accounts don't have questions defined in any case, so I agree we need some way of indicating that.
> If you can't read the words, press the "Get a new challenge"
> button to the right of the words.
>
> There is no such button. Instead, there are three graphical
> images, one of which has ALT TEXT that contains that phrase.
> The above text implies that those images are ineffectual :-)
>
> Instead, explicitly put the link in the instructions:
> If you can't read the words, press [HREF'd IMG] to Get a new challenge.
Unfortunately you can't. The entire reCAPTCHA widget is generated by a (reCAPTCHA supplied) Javascript library that makes a call to the reCAPTCHA server to build the CAPTCHA, and then inserts the widget dynamically into document.
I did toy with not putting anything at all, but occasionally reCAPTCHA provides unreadable images, I wanted to give some sort of hint that you could generate a different challenge.
Thanks for the feedback,
-- Alan Burlison --
Re: Beta of new OSO registration & login application available for testing
Posted: Aug 21, 2008 4:43 PM, in response to: alanbur
Hi,
> John Plocher wrote:
>
>> Member names must be between 3 and eight characters long and
>> start with a letter. The allowed characters are lowercase letters,
>> numbers, period, underline and hyphen.
>>
>> What about our European friends who have punctuated names, or
>> those in Asia whose names use more than the 26 lower case ascii
>> characters?
>> Good Old Garret D'Amore comes to mind, as do Jörg and the folks
>> in Asia....
>
> The member names have to map onto Solaris login names, because they are
> used when you connect via SSH to do a Mercurial or Subversion operation.
> Solaris login names are limited to 8 characters, we have to pass that
> restriction through. There isn't anything we can do about it.
ok. Thanks for the clarification on that.
Though I'd be more specific in the description. 'ASCII character' or 'a-zA-Z' rather than just 'character' or 'letter'.
>> Localization and internationalization should include this sort
>> of stuff as well...
>
> Everything else is i18n'd - for example JimG registered with his full
> name in Japanese.
I think the 'Preferred Language' list should be expanded. It should include a lot more languages [even if there's little chance of the site, or *solaris ever fully supporting them.] It'd be very interesting to know the range of languages used in the community, and might help focus future localization efforts.
Also, I think Australian can be removed from the list.
---
btw/fyi - The field labels & drop down text might expand when translated - might skew the table.
Thanks,
~mm
>
>> Passwords must be between six and twenty characters long and
>> must contain at least two letters and at least one number or
>> punctuation character.
>>
>> Why "yet another password construction policy"? What if my pass
>> phrase is longer, or uses non-alphanumeric and non-punctuation
>> characters? Other sites analyze the entered password and inform
>> the user of its strength factor rather than forcing everyone to
>> use a single arbitrary site-specific scheme.
>
> That's inherited from the existing application, we will be migrating
> accounts from there so it seemed reasonable to keep the rules the same.
> The 'test your strength' password schemes just apply the same rules
> behind the scenes, all we are doing is making the rules explicit.
>
>> Security Questions
>>
>> The "default" should be "PICK ONE" rather than the first question
>> on the list.
>
> Or just blank - all the existing accounts don't have questions defined
> in any case, so I agree we need some way of indicating that.
>
>> If you can't read the words, press the "Get a new challenge"
>> button to the right of the words.
>>
>> There is no such button. Instead, there are three graphical
>> images, one of which has ALT TEXT that contains that phrase.
>> The above text implies that those images are ineffectual :-)
>>
>> Instead, explicitly put the link in the instructions:
>> If you can't read the words, press [HREF'd IMG] to Get a new challenge.
>
> Unfortunately you can't. The entire reCAPTCHA widget is generated by a
> (reCAPTCHA supplied) Javascript library that makes a call to the
> reCAPTCHA server to build the CAPTCHA, and then inserts the widget
> dynamically into document.
>
> I did toy with not putting anything at all, but occasionally reCAPTCHA
> provides unreadable images, I wanted to give some sort of hint that you
> could generate a different challenge.
>
> Thanks for the feedback,
Re: Beta of new OSO registration & login application available for testing
Posted: Aug 21, 2008 5:40 PM, in response to: mickm
Michael Monaghan wrote:
>> The member names have to map onto Solaris login names, because they are
>> used when you connect via SSH to do a Mercurial or Subversion operation.
>> Solaris login names are limited to 8 characters, we have to pass that
>> restriction through. There isn't anything we can do about it.
>
> ok. Thanks for the clarification on that.
>
> Though I'd be more specific in the description. 'ASCII character' or
> 'a-zA-Z' rather than just 'character' or 'letter'.
That's a good point, I'm pretty certain it will probably unicode characters & digits at the moment, I probably want to tighten up the validation checks too
> I think the 'Preferred Language' list should be expanded.
> It should include a lot more languages [even if there's little chance of
> the site, or *solaris ever fully supporting them.]
> It'd be very interesting to know the range of languages used in the
> community, and might help focus future localization efforts.
The preferred language is the same as the list of country portals, we don't want people to have to play Russian Roulette to get a language that we actually provide content for.
> Also, I think Australian can be removed from the list.
It's for i18n/l11n testing. Have you tried selecting it, saving the account & reloading the page?
> btw/fyi - The field labels & drop down text might expand when translated
> - might skew the table.
Yeah, but there's not much I can do until I have the translations. As I said, the emphasis in this phase is the functionality, the L&F is something that will need more work.
-- Alan Burlison --
Re: Beta of new OSO registration & login application available for testing
Posted: Aug 22, 2008 8:29 AM, in response to: alanbur
>>> The member names have to map onto Solaris login names, because they
>>> are used when you connect via SSH to do a Mercurial or Subversion
>>> operation. Solaris login names are limited to 8 characters, we have
>>> to pass that restriction through. There isn't anything we can do
>>> about it.
>>
>> ok. Thanks for the clarification on that.
>>
>> Though I'd be more specific in the description. 'ASCII character' or
>> 'a-zA-Z' rather than just 'character' or 'letter'.
>
> That's a good point, I'm pretty certain it will probably unicode
> characters & digits at the moment,
Unicode characters will be allowed for the 'Real Name' and 'Password' fields, but not for the 'Member name' field - right? That needs to be pure ASCII.
> I probably want to tighten up the
> validation checks too
>
>> I think the 'Preferred Language' list should be expanded.
>> It should include a lot more languages [even if there's little chance
>> of the site, or *solaris ever fully supporting them.]
>> It'd be very interesting to know the range of languages used in the
>> community, and might help focus future localization efforts.
>
> The preferred language is the same as the list of country portals, we
> don't want people to have to play Russian Roulette to get a language
> that we actually provide content for.
Yep - fair enough. But I think there's value in asking users to choose their preferred language, /and/ interface language.
Though that could be overkill for reg.
>> Also, I think Australian can be removed from the list.
>
> It's for i18n/l11n testing. Have you tried selecting it, saving the
> account & reloading the page?
Yes, think so, -.. what should I see?
>> btw/fyi - The field labels & drop down text might expand when
>> translated - might skew the table.
>
> Yeah, but there's not much I can do until I have the translations. As I
> said, the emphasis in this phase is the functionality, the L&F is
> something that will need more work.
>
btw - Apparently, no two accounts can have the same 'Real Name'. Is that intended?
Thanks,
~mm
Re: Beta of new OSO registration & login application available for testing
Posted: Aug 22, 2008 9:09 AM, in response to: mickm
Michael Monaghan wrote:
> Unicode characters will be allowed for the 'Real Name' and 'Password'
> fields, but not for the 'Member name' field - right? That needs to be
> pure ASCII.
Yes, I'm not sure what the rules on unicode in /etc/passwd are, but that is in effect where the member names will end up.
> Yep - fair enough. But I think there's value in asking users to choose
> their preferred language, /and/ interface language.
>
> Though that could be overkill for reg.
Yes, I think having two language fields on the registration form would just be confusing.
>>> Also, I think Australian can be removed from the list.
>>
>> It's for i18n/l11n testing. Have you tried selecting it, saving the
>> account & reloading the page?
>
> Yes, think so, -.. what should I see?
Australian text ;-) You'll probably have to hit shift-reload.
> btw - Apparently, no two accounts can have the same 'Real Name'. Is that
> intended?
Yes. The same goes for email addresses.
-- Alan Burlison --
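The member-name and password rules John quoted from the registration page, together with Alan's two points above (the member name ends up as a Solaris login name, so it must be pure ASCII, and the current check may be letting Unicode letters and digits through), as an added Python example that is not the auth application's code. The loose checker shows the kind of leak being discussed (Python 3's `\w` matches Unicode word characters); the tightened one beside it is the validation a practitioner would ship. Using `string.punctuation` as the definition of "punctuation character" is an assumption.

```python
"""Validators for the member-name and password rules quoted in the thread.
Added example, not the OpenSolaris auth application's code.  The loose /
strict contrast shows the Unicode leak Alan says he wants to tighten: in a
Python 3 str pattern, \\w (and a negated class built from it) matches any
Unicode letter or digit, so "jörg" passes a \\w-based check even though
member names must stay pure ASCII to map onto Solaris login names."""
import re
import string

# Loose check: reads as "letter, then 2-7 word chars / . / -", but \w is
# Unicode-aware, so accented letters and non-ASCII digits get through.
_LOOSE = re.compile(r"[^\W\d_][\w.-]{2,7}")

# Tightened check: explicit ASCII classes, 3-8 chars total, leading
# lowercase letter, then lowercase letters, digits, '.', '_', '-'.
_STRICT = re.compile(r"[a-z][a-z0-9._-]{2,7}")


def member_name_ok_loose(name):
    """The kind of check that looks right but admits Unicode (for contrast)."""
    return _LOOSE.fullmatch(name) is not None


def member_name_ok(name):
    """Member name rules as stated on the registration page, enforced on
    ASCII only.  fullmatch (not match/search) is used so nothing can trail
    the permitted 8 characters, e.g. a newline."""
    return name.isascii() and _STRICT.fullmatch(name) is not None


def password_ok(pw):
    """6-20 characters, at least two letters and at least one digit or
    punctuation character.  Non-ASCII letters are accepted here, matching
    the thread's statement that passwords (unlike member names) may contain
    Unicode.  Assumption: string.punctuation defines 'punctuation'."""
    if not 6 <= len(pw) <= 20:
        return False
    letters = sum(1 for c in pw if c.isalpha())
    other = sum(1 for c in pw if c.isdigit() or c in string.punctuation)
    return letters >= 2 and other >= 1
```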
Re: Beta of new OSO registration & login application available for testing
Posted: Aug 27, 2008 12:00 AM, in response to: alanbur
On Wed 20 Aug 2008 at 10:33PM, Alan Burlison wrote:
> I have put a new beta of the Auth application on
> http://auth.opensolaris.org/auth This contains the new registration and
> login pages which will in time replace the existing account management
> pages on opensolaris.org.
>
> I would like people to test the new version and provide feedback. At
> the moment I am primarily concerned with functionality and not
> appearance, the CSS will be changed before deployment to conform with
> the OSO L&F. I'm particularly interested to see if anyone can hack the
> site and/or find any security flaws - for example can you add a bogus
> SSH key to an account that you don't own - the 'admin' account would be
> a good choice for any attacks.
>
Alan-- I am in the midst of playing with this and have found a nuisance problem.
I entered all of my information. Then I entered the captcha. However, I neglected to follow the password rules (I just used "foobar").
So, it flagged that my password was no good in red. I fixed the password. I hit submit. It errored on me because I forgot to type the captcha. So I typed the captcha, and it errored on me because each time it reloads it clears the password field, and now I have no password!
I don't know if the right way to handle this is with some javascript, or a smarter refresh, or what. But I can see this kind of iteration making a user frustrated and making them go away.
-dp
--
Daniel Price - Solaris Kernel Engineering - dp at eng dot sun dot com - blogs.sun.com/dp
Re: Beta of new OSO registration & login application available for testing
Posted: Aug 27, 2008 1:54 AM, in response to: dp
Dan Price wrote:
> Alan-- I am in the midst of playing with this and have found a
> nuisance problem.
>
> I entered all of my information. Then I entered the captcha.
> However, I neglected to follow the password rules (I just used
> "foobar").
>
> So, it flagged that my password was no good in red. I fixed the
> password. I hit submit. It errored on me because I forgot to type
> the captcha. So I typed the captcha, and it errored on me because
> each time it reloads it clears the password field, and now I have
> no password!
>
> I don't know if the right way to handle this is with some
> javascript, or a smarter refresh, or what. But I can see this
> kind of iteration making a user frustrated and making them go
> away.
There isn't much I can do about this. It's the standard way it is done. See for example https://www.google.com/accounts/CreateAccount.
-- Alan Burlison --