Passwd in response
Benn Oshrin
benjamin.oshrin at rutgers.edu
Mon May 12 15:47:04 EDT 2008
Andrew Petro <apetro at unicon.net> wrote on May 6, 2008 10:47:48 AM -0700:
] I worry that implementing this feature locally multiple times invites
] redundant effort and local adoption of less-ideal implementations of
] this feature than could be achieved centrally. If one is going to be
] passing passwords around with CAS, one wants a solid, considered,
] secure implementation that passes the information securely and
] authenticates the services before giving them the password and
] that doesn't break anything. It seems a waste to invite people to
] locally trip over these issues for lack of a shared implementation
] of this feature.
]
] Rutgers/Benn Oshrin have a thread going about where CAS can go next
] and what additional extension points/features would be welcome.
] I'll look to engage that thread on this idea and invite you and
] other interested people to chime in.

I think I generally agree with the overall assessment which is that
while nobody particularly likes this feature, enough people have a
legitimate need for it that there should be some level of "support" for
it, even if it requires jumping through some extra hoops and signing a
disclaimer.

I would imagine that the "official" implementation of this would be
tied into the CAS 4 roadmap. However, given that some people may not
want to wait while the roadmap is developed and revised, we can
certainly start a discussion on the dev list much sooner as to what
might be considered a legitimate approach.

To be clear, Rutgers does not have a long-term interest in developing
this feature. While we are happy to help guide the conversation, and
maybe even endorse an approach, any development required by a solution
accepted by the community will need to be provided by the community.

-Benn-