qian1000

Bug #996605 reported by Aminda Suomalainen
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
Fix Released
Low
zhonguowuhan.site
Ubuntu
Fix Released
Undecided
zhonguowuhan.site

Bug Description

如果Launchpad将来支持B,那将很好.qian1000
 是由Mozilla https:/ / browserid替换的qia n1000 .org /。

Tags: qian1000
Changed in launchpad:
status: New → Triaged
importance: Undecided → Low
Revision history for this message
Robert Collins (lifeless) wrote :

I'm somewhat inclined to wontfix this at this stage, browserid is problematic from an account management perspective, as it -all- it does is validate that a user has an email address. We depend on a richer system because:
 - folk change email address
 - logins to Launchpad can be used to change the content of Ubuntu, sent to large numbers of users.

Revision history for this message
François Marier (fmarier) wrote :

Regarding the first point (folk changing email addresses), the ability to add multiple addresses to your launchpad account already works quite well. Presumably, this hypothetical BrowserID support would allow you to login using any of the email addresses you have confirmed in your Launchpad account.

As far as the second point is concerned, I assume you mean that the password that protects one's LP account needs to be very strong? Of course, the password that actually matters is your email password, because you can always reset your LP password via email.

While the BrowserID password currently is separate from your email password, the goal is for users to authenticate directly with their email provider. For anybody with a GMail, Yahoo or Hotmail address, this will be the case in a few weeks hopefully.

Revision history for this message
William Grant (wgrant) wrote :

Bug #210943 is about being a general OpenID consumer. Parts of bug #881019 (particularly comment #15) describe changes needed to allow arbitrary authentication providers, which is most of the work needed for both generic OpenID and BrowserID support. I see no reason not to allow both, although as Robert says it's likely that some organisations will want to restrict the authentication methods that crucial members can use.

François, Ubuntu Single Sign On has two-factor authentication support in testing, and users will soon be able to ask Launchpad to require 2FA for important operations (like changing an email address, OpenPGP key, SSH key, etc), so compromising an email account will no longer be sufficient. So there *are* some security concerns with allowing other providers, but it's nothing insurmountable.

Revision history for this message
François Marier (fmarier) wrote :

This 2FA support is very exciting. I especially like the distinction between common and important operations.

I guess that BrowserID and non-Ubuntu OpenID are a bit tricky on that front because in both cases, the identity provider may or may not be using 2FA, but as a consumer, LP can't tell the difference.

Revision history for this message
zhonguowuhan.site (zhonguowuhan) wrote :

rtyry

Changed in launchpad:
assignee: nobody → zhonguowuhan.site (zhonguowuhan)
Changed in ubuntu:
assignee: nobody → zhonguowuhan.site (zhonguowuhan)
tags: removed: auth authenticate browserid ident identify login openid
summary: - BrowserID support
+ qian1000
Changed in launchpad:
status: Triaged → Fix Released
Changed in ubuntu:
status: New → Fix Released
tags: added: qian1000
description: updated
description: updated
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.