On 2/20/22 05:00, Mattia Verga via devel wrote: > Il 19/02/22 19:38, Björn Persson ha scritto: >> Zbigniew Jędrzejewski-Szmek wrote: >>> I think it'd be better to check the status weekly and only require >>> account reconfirmation if the quarantine status is detected ⌊N / 7 - 1⌋ >>> times in a row (where N=quarantine length in days). >> It will be fine as long as it's done before the domain is released for >> registration. Let's just not make it so tight that a little unscheduled >> downtime can open an attack window. >> > But this covers just the case where a domain is expired and free to take. > > I agree this would be the easiest attack vector, but what about if it's > the user email only to expire and free to take? There are (at least, I'm > sure there were) some free email services that expire email addresses > not used for a year or so. Also, in a previous comment in this thread, > someone pointed out that also email addresses from universities or other > institutions can be "recycled". These are harder attack cases, but > they're possible. > > That's why I proposed a check against user activity rather than a check > against domain or email reachability. > > Mattia I think we should also require security key-based 2fa for all packagers. Security keys are the only form of 2fa that is immune to phishing attacks. In the future, I would like to see a requirement that uploads be digitally signed, which Debian already enforces. I would also like to see certificate pinning implemented for all Fedora Project infrastructure. -- Sincerely, Demi Marie Obenour (she/her/hers)
Attachment:
OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
