From: Eric S. Raymond Date: Mon, 8 Oct 2012 00:00:08 +0000 (-0400) Subject: Why there's no support for password authentication. X-Git-Tag: 1.9~8 X-Git-Url: http://git.tremily.us/gitweb.cgi?a=commitdiff_plain;h=8260dbe9e5e296f166f1aeb3a9910e67189af4e0;p=irker.git Why there's no support for password authentication. --- diff --git a/security.txt b/security.txt index 4bee577..62bcee5 100644 --- a/security.txt +++ b/security.txt @@ -233,6 +233,21 @@ project. The only other competitor to replace CIA known to us In the general case we cannot guarantee this property against groups A and F. +== Why there is no support for passworded channels == + +We've had support for password authentication to IRC requested, but it +would be a rather bad fit for irkerd’s usage pattern. The problem +isn’t that credentials would be difficult to pass to irkerd – an +optional password field wiuld ve easily enough added to the JSON. + +No, the problem is that once irkerd were to acquire such a credential, +it would have to do source-address IP checking to know (at a minimum) +whether the source host of any given notification request is the same +as one that has presented the password. + +It seems best not gong to go there; the potential for IRC access controls +becoming leaky seems too high. + == Risks relative to centralized services == irker and irkerhook.py were written as a replacement for the
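Review bot: The added text has two typos that should be fixed before this lands: in the first new paragraph "wiuld ve easily enough added" should read "would be easily enough added", and in the closing paragraph "It seems best not gong to go there" should read "It seems best not to go there". The new heading says "passworded channels" while the commit subject and the first added sentence say "password authentication"; use one term so the section title matches the request it answers. The hunk also mixes typographic apostrophes ("irkerd’s", "isn’t") and an en dash after "to irkerd" with the ASCII apostrophe in "We've"; stick to ASCII punctuation, as the rest of the hunk does. Finally, the second paragraph says source-address checking would be needed, but the conclusion does not say why that check would make IRC access controls leaky; one sentence naming the failure case would make the rationale self-contained.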