Launchpad itself

qian1000

Bug #996605 reported by Aminda Suomalainen on 2012-05-08

10

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Launchpad itself	Fix Released	Low	zhonguowuhan.site
	Ubuntu	Fix Released	Undecided	zhonguowuhan.site

Bug Description

如果Launchpad将来支持B，那将很好.qian1000
是由Mozilla https：/ / browserid替换的qia n1000 .org /。

See original description

Tags:

Francis J. Lacoste (flacoste) on 2012-05-08

Changed in launchpad:
status:	New → Triaged
importance:	Undecided → Low

Revision history for this message

Robert Collins (lifeless) wrote on 2012-05-08:

#1

I'm somewhat inclined to wontfix this at this stage, browserid is problematic from an account management perspective, as it -all- it does is validate that a user has an email address. We depend on a richer system because:
- folk change email address
- logins to Launchpad can be used to change the content of Ubuntu, sent to large numbers of users.

Revision history for this message

François Marier (fmarier) wrote on 2012-05-08:

#2

Regarding the first point (folk changing email addresses), the ability to add multiple addresses to your launchpad account already works quite well. Presumably, this hypothetical BrowserID support would allow you to login using any of the email addresses you have confirmed in your Launchpad account.

As far as the second point is concerned, I assume you mean that the password that protects one's LP account needs to be very strong? Of course, the password that actually matters is your email password, because you can always reset your LP password via email.

While the BrowserID password currently is separate from your email password, the goal is for users to authenticate directly with their email provider. For anybody with a GMail, Yahoo or Hotmail address, this will be the case in a few weeks hopefully.

Revision history for this message

William Grant (wgrant) wrote on 2012-05-09:

#3

Bug #210943 is about being a general OpenID consumer. Parts of bug #881019 (particularly comment #15) describe changes needed to allow arbitrary authentication providers, which is most of the work needed for both generic OpenID and BrowserID support. I see no reason not to allow both, although as Robert says it's likely that some organisations will want to restrict the authentication methods that crucial members can use.

François, Ubuntu Single Sign On has two-factor authentication support in testing, and users will soon be able to ask Launchpad to require 2FA for important operations (like changing an email address, OpenPGP key, SSH key, etc), so compromising an email account will no longer be sufficient. So there *are* some security concerns with allowing other providers, but it's nothing insurmountable.

Revision history for this message

François Marier (fmarier) wrote on 2012-05-09:

#4

This 2FA support is very exciting. I especially like the distinction between common and important operations.

I guess that BrowserID and non-Ubuntu OpenID are a bit tricky on that front because in both cases, the identity provider may or may not be using 2FA, but as a consumer, LP can't tell the difference.

Revision history for this message

zhonguowuhan.site (zhonguowuhan) wrote on 2018-06-25:

#5

rtyry

Changed in launchpad:
assignee:	nobody → zhonguowuhan.site (zhonguowuhan)
Changed in ubuntu:
assignee:	nobody → zhonguowuhan.site (zhonguowuhan)
tags:	removed: auth authenticate browserid ident identify login openid
summary:	- BrowserID support + qian1000
Changed in launchpad:
status:	Triaged → Fix Released
Changed in ubuntu:
status:	New → Fix Released
tags:	added: qian1000
description:	updated
description:	updated

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.