Hi Brad,
Great talk. Since it's security related, I thought I'd mention to you
and the rest of the list a discussion that took place last week in a
Data Science meeting. If you or anyone has any feedback about this,
please let me know!
Thanks,
Phil
p.s. The message I just sent:
Just a quick follow up to the question about storing passwords in a
config file for a SWORD* client to communicate with DVN's upcoming
Data Deposit API.
I think the *right* way to do this is to somehow implement the passing
of API keys rather than usernames and passwords but I checked with
other implementers of the SWORDv2 protocol and no one seems to be
doing this yet as it has been deemed "Too Hard":
http://www.mail-archive.com/sword-app-tech@lists.sourceforge.net/msg00340.h…
The spec lead for SWORD seems eager to know if there is anything in
the spec that would preclude anyone from implementing API keys so
maybe someone will figure this out in the future.
In the meantime, as I mentioned, in all of my testing I'm sending
usernames and passwords over HTTPS, so they are encrypted across the
wire.
Perhaps in the dvn_client** we demo'd we could at least encrypt the
password in the config file so it isn't visible in clear text. And we
could encourage people using the Data Deposit API to do the same. The
encryption would need to be reversible, however, since the actual
password needs to be sent to use the SWORD protocol.
For more detail on all of this, please see DVN Suggestion #3208 -
Allow the Data Deposit API to use API keys:
https://redmine.hmdc.harvard.edu/issues/3208
Phil
* SWORD stands for Simple Web-service Offering Repository Deposit:
http://en.wikipedia.org/wiki/SWORD_%28protocol%29
** https://github.com/dvn/swordpoc/tree/master/dvn_client
On Thu, Jul 25, 2013 at 1:51 PM, Frank, Bradley <bfrank(a)hmdc.harvard.edu> wrote:
Hi all,
The security tech talk presentation is available here to download:
http://scholar.harvard.edu/bfrank/presentations/tech-talk-security.
Both formats are over 6MB, so I'm disinclined to attach them to an email.
--
Bradley Frank
HMDC Operations
(617) 496-2183
bfrank(a)hmdc.harvard.edu
_______________________________________________
TechTalkFollowup mailing list
TechTalkFollowup(a)lists.iq.harvard.edu
To unsubscribe from this list or get other information:
https://lists.iq.harvard.edu/mailman/listinfo/techtalkfollowup
--
Philip Durbin
Software Developer for
http://thedata.org
http://www.iq.harvard.edu/people/philip-durbin
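The reversible encryption Phil proposes for the dvn_client config file, as an added example that is not part of this thread or of the swordpoc repository: the config holds AES-256-GCM ciphertext of the password, and the 32-byte key is assumed to live in a separate file readable only by the user (a hypothetical key file; any keyring would do), so the protection is only as good as the key's storage. The client opens the blob just before building its HTTPS Basic auth header.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
)

// NewPasswordCipher wraps a 32-byte key in AES-256-GCM. The key lives outside
// the config file (assumed: a 0600 key file); the config then holds only ciphertext.
func NewPasswordCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPassword returns base64(nonce || ciphertext || tag), the value that
// replaces the clear-text password in the config file.
func SealPassword(gcm cipher.AEAD, password string) (string, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per encryption
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// "password" is bound as associated data, so a blob copied into another
	// field fails authentication instead of decrypting.
	sealed := gcm.Seal(nonce, nonce, []byte(password), []byte("password"))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenPassword reverses SealPassword when the client builds its Basic auth
// header for HTTPS; any edit to the stored value fails the GCM tag check.
func OpenPassword(gcm cipher.AEAD, blob string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns {
		return "", errors.New("sealed password too short")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], []byte("password"))
	return string(pt), err
}
```

A config line such as `password_enc=<blob>` then replaces `password=<clear text>`, and the client calls OpenPassword on it only at send time.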