
Discussion Forum For Bishopric

Posted: Fri Dec 14, 2007 5:44 pm
by Eric Werny-p40
We are trying an experiment with the use of a double level password protected discussion forum.

Due to the crazy employment schedules of each member of our bishopric, I came up with the idea
of using a forum board to assist us in keeping track of our assignments. This allows our executive
secretary to collect items that need to be put on the Sunday meeting agenda.

I see this as an opportunity for our good Bishop, who is a CPA, facing tax season, and will be working
insane hours.

Have any of you tried this idea?

EW

Security

Posted: Sun Dec 16, 2007 4:28 pm
by The_Earl
I have not tried this.

I would think a better solution would be a certificate / PKI system. Three passwords are not really any more secure than one, since if you can get (or guess) one, then the process to get the rest is similar. You really need to find a different method to authenticate.

The general rules go something like:
Something you know (password / username)
Something you have (card / key fob / key)
Something you are (fingerprint / appearance)

Notice that your bank uses two separate methods (card AND pin). By using a certificate, you add 'something you have', the certificate, to the authentication process in addition to the 'known' password and username.

I am not familiar with using client side certificates to authenticate web users, but I understand it is possible. It is also trivially simple to generate a certificate and install it on the machines needed. You do need to distribute the certificates, but it is a one-time cost, and simple enough that a tech savvy person could do it.

I'll see if anyone can shed some light on this. I'll see what I can figure out in the mean time.

I have used PKI keys to authenticate SSH sessions, but that is a bit different.

Thanks
The Earl

Cert

Posted: Sun Dec 16, 2007 9:33 pm
by Eric Werny-p40
This idea is in a beta stage and everyone involved has been briefed to keep it simple until we see if this
idea works or not.

I am putting in place an SSL Cert and a number of other layers. May even play with VPN tunnelling.

We had a little proof of concept tonight when the exe. sec. needed some data, and we could have had the Bishop log on and give him the entire list in the system, by cutting and pasting.

I will report back how this is going.

EW

Posted: Sun Dec 16, 2007 10:29 pm
by thedqs
The Earl wrote: I am not familiar with using client side certificates to authenticate web users, but I understand it is possible. It is also trivially simple to generate a certificate and install it on the machines needed. You do need to distribute the certificates, but it is a one-time cost, and simple enough that a tech savvy person could do it.

You can have client side certificates, but the problem is the verification chain: you need a trusted authority to sign. And the signature is what costs the pretty penny for not much.

Verified Certificates

Posted: Sun Dec 16, 2007 11:50 pm
by The_Earl
thedqs wrote: You can have client side certificates, but the problem is the verification chain: you need a trusted authority to sign. And the signature is what costs the pretty penny for not much.
You wouldn't need a trust broker to sign the certificates for this project. You could create a key and sign them yourself as long as you protected the original key. If the signing key ever got out, you would have to generate another, and new certificates. This isn't that hard to do, but it is difficult to figure out if someone you don't intend has the original private key.
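The two points made in this thread, that a client certificate adds a 'something you have' factor, and that for a small private group you can be your own certificate authority instead of paying a commercial one, can be shown with a short script. This is an added example, not code posted by anyone in the thread; it assumes `openssl` is on the PATH, and the names `forum-ca`, `rogue-ca`, `exec-secretary` and `impostor` are made up for the demonstration. The script builds a private CA, issues a client certificate signed by it, and then shows that a certificate signed by a different CA (the key someone else holds) is rejected when checked against the forum's CA, which is exactly the check a web server or VPN would perform before trusting the 'something you have'.

```shell
#!/bin/sh
# Added example: a tiny private CA for client certificates, using only openssl.
# Assumptions: openssl on PATH; all CA and user names below are made up.
set -eu

# make_ca DIR NAME: create a self-signed CA certificate and its private key in DIR.
# The .key file is the one The Earl says must be protected: whoever holds it can
# issue certificates the forum will trust.
make_ca() {
    dir=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" \
        -subj "/CN=$name" >/dev/null 2>&1
}

# issue_client_cert DIR CA USER: generate the user's key and signing request,
# then sign the request with the CA. The user's .key never leaves their machine.
issue_client_cert() {
    dir=$1; ca=$2; user=$3
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" \
        -subj "/CN=$user" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/$user.csr" \
        -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
        -out "$dir/$user.crt" >/dev/null 2>&1
}

# verify_client_cert DIR CA USER: exit 0 if USER's certificate chains to CA,
# non-zero otherwise. This is the server-side check in "something you have".
verify_client_cert() {
    dir=$1; ca=$2; user=$3
    openssl verify -CAfile "$dir/$ca.crt" "$dir/$user.crt" >/dev/null 2>&1
}

# demo: build the forum CA and a separate "rogue" CA, issue one certificate from
# each, and confirm the forum CA accepts its own and rejects the other.
# Returns 0 only when both outcomes are as expected.
demo() {
    work=$(mktemp -d)
    make_ca "$work" forum-ca
    make_ca "$work" rogue-ca
    issue_client_cert "$work" forum-ca exec-secretary
    issue_client_cert "$work" rogue-ca impostor
    if verify_client_cert "$work" forum-ca exec-secretary && \
       ! verify_client_cert "$work" forum-ca impostor; then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return $status
}

demo && echo "forum-ca certificate accepted, rogue-ca certificate rejected"
```

Running the script prints the confirmation line and exits 0. Note what it does not cover: if `forum-ca.key` is ever copied, the only remedy is the one The Earl describes, generating a new CA and reissuing every client certificate, so keep that key off the web server and ideally offline.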