Debian Bug report logs - #497584
RFP: cosign -- Web single sign-on for intranets

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Martín Ferrari <tincho@debian.org>

Date: Tue, 2 Sep 2008 21:21:01 UTC

Severity: wishlist



Report forwarded to debian-bugs-dist@lists.debian.org, martin.ferrari@gmail.com, debian-devel@lists.debian.org, <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>:
Bug#497584; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Martín Ferrari <tincho@debian.org>:
New Bug report received and forwarded. Copy sent to martin.ferrari@gmail.com, debian-devel@lists.debian.org, <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Martín Ferrari <tincho@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ITP: cosign -- Web single sign-on for intranets
Date: Tue, 02 Sep 2008 18:09:48 -0300
Package: wnpp
Severity: wishlist
Owner: "Martín Ferrari" <tincho@debian.org>

* Package name    : cosign
  Version         : 2.1.0rc1
  Upstream Author : The University of Michigan
* URL             : http://weblogin.org/
* License         : MIT
  Programming Lang: C
  Description     : Web single sign-on for intranets

An open source project originally designed to provide a secure single
sign-on web authentication system, with support for different
authentication backends and fault tolerance by means of replicated
servers.

Cosign includes an Apache module for authentication in distributed
applications, CGI scripts to handle logon/logoff and a session tracking
daemon.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>:
Bug#497584; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>. Full text and rfc822 format available.

Message #10 received at 497584@bugs.debian.org (full text, mbox):

From: Neil Williams <codehelp@debian.org>
To: Martín Ferrari <tincho@debian.org>, 497584@bugs.debian.org
Subject: Re: Bug#497584: ITP: cosign -- Web single sign-on for intranets
Date: Tue, 02 Sep 2008 22:51:43 +0100
On Tue, 2008-09-02 at 18:09 -0300, Martín Ferrari wrote:
> Package: wnpp
> Severity: wishlist
> Owner: "Martín Ferrari" <tincho@debian.org>
> 
> * Package name    : cosign
>   Version         : 2.1.0rc1
>   Upstream Author : The University of Michigan
> * URL             : http://weblogin.org/
> * License         : MIT
>   Programming Lang: C
>   Description     : Web single sign-on for intranets

What's the difference between this and OpenId ?

Why the focus on intranets? 

> An open source project originally designed to provide a secure single

(s/open source// ? - implied by licence?)

> sign-on web authentication system, with support for different
> authentication backends and fault tolerance by means of replicated
> servers.
> 
> Cosign includes an Apache module for authentication in distributed
> applications, CGI scripts to handle logon/logoff and a session tracking
> daemon.

Is this smartcard based or "hot-desking" via bluetooth or something?
i.e. a system that logs you off when you leave your desk and logs you
back in when you're back from lunch?
;-)

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/


[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#497584; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to "Martín Ferrari" <tincho@debian.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #15 received at 497584@bugs.debian.org (full text, mbox):

From: "Martín Ferrari" <tincho@debian.org>
To: "Neil Williams" <codehelp@debian.org>
Cc: 497584@bugs.debian.org
Subject: Re: Bug#497584: ITP: cosign -- Web single sign-on for intranets
Date: Wed, 3 Sep 2008 04:01:38 -0300
Neil,

On Tue, Sep 2, 2008 at 18:51, Neil Williams <codehelp@debian.org> wrote:

>>   Description     : Web single sign-on for intranets
>
> What's the difference between this and OpenId ?
> Why the focus on intranets?

OpenId is decentralized and open. This is targeted to a different
public (from what I understand), and the authentication is handled by
a single source.


>> An open source project originally designed to provide a secure single
>
> (s/open source// ? - implied by licence?)

Gah, I was tired and just copied text from the website :)


>> Cosign includes an Apache module for authentication in distributed
>> applications, CGI scripts to handle logon/logoff and a session tracking
>> daemon.
>
> Is this smartcard based or "hot-desking" via bluetooth or something?
> i.e. a system that logs you off when you leave your desk and logs you
> back in when you're back from lunch?
> ;-)

hehehehe. No, it only maintains the logged-on/off state, but doesn't
know about your culinary habits :) How would you re-phrase that?


Thanks, Tincho.

-- 
Martín Ferrari




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>:
Bug#497584; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>. Full text and rfc822 format available.

Message #20 received at 497584@bugs.debian.org (full text, mbox):

From: Neil Williams <codehelp@debian.org>
To: Martín Ferrari <tincho@debian.org>
Cc: 497584@bugs.debian.org
Subject: Re: Bug#497584: ITP: cosign -- Web single sign-on for intranets
Date: Wed, 10 Sep 2008 10:15:02 +0100
On Wed, 2008-09-03 at 04:01 -0300, Martín Ferrari wrote:
> >>   Description     : Web single sign-on for intranets
> >
> > What's the difference between this and OpenId ?
> > Why the focus on intranets?
> 
> OpenId is decentralized and open. This is targeted to a different
> public (from what I understand), and the authentication is handled by
> a single source.

Single Point of Failure ?

> >> Cosign includes an Apache module for authentication in distributed
> >> applications, CGI scripts to handle logon/logoff and a session tracking
> >> daemon.
> >
> > Is this smartcard based or "hot-desking" via bluetooth or something?
> > i.e. a system that logs you off when you leave your desk and logs you
> > back in when you're back from lunch?
> > ;-)
> 
> hehehehe. No, it only maintains the logged-on/off state, but doesn't
> know about your culinary habits :) How would you re-phrase that?

I'm still not quite sure I understand what cosign is trying to do - is
it offering an alternative to the existing Apache authentication systems
like .htaccess etc.? Some kind of frontend to other website
authentication or some kind of cache that stores your username and
password for next time? Does this only work with particular websites
that have configured their authentication protocols to work with cosign
(aka OpenID) or can it masquerade as the authentication protocol for
unmodified websites, in which case it would seem to be at least storing
the authentication details used by those websites.

I've looked at http://weblogin.org/overview.html but I'm not sure I
understand it. I'm confused about whether this is some kind of portal
for use where internet access is charged / time-limited (like an
internet cafe or hotel) or some kind of network filter that either
blocks or allows traffic to certain websites. I'm also concerned about
*why* a system would be configured to store the web logins of all users
in a single location. Or is this some kind of "keep-me-logged-in"
service like stay-alive or similar that keeps pinging the login to
prevent timeouts?

If it is trying to be something like OpenId for intranets, then it
shouldn't get involved in the cookies themselves, the sites requesting
authentication need to be modified to support the cosign method, without
revealing the login details of the users. I can't work out whether it is
doing that or not.

The website is completely unhelpful in deciding what this package is
trying to do and what problems it is either trying to solve or likely to
generate. The wiki overview is just a rehash of the website overview
that is no clearer, at least to me. I hope this package will come with
some clear documentation. ;-)

I'm confused about why users would want to trust cosign to keep all
their weblogin usernames and passwords - unless those usernames and
passwords are part of the same intranet that uses cosign at which point
it would seem bizarre that to fix the various login problems of a
variety of websites inside an intranet, the admin would add another
login that knows all the login details of all the users.

I can't help thinking that cosign is a solution looking for a problem.

Maybe open this up to -devel where there are people with more experience
of network-admin/authentication/intranet issues.

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/


[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>:
Bug#497584; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to "Martín Ferrari" <tincho@debian.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>. Full text and rfc822 format available.

Message #25 received at 497584@bugs.debian.org (full text, mbox):

From: "Martín Ferrari" <tincho@debian.org>
To: "Neil Williams" <codehelp@debian.org>
Cc: 497584@bugs.debian.org
Subject: Re: Bug#497584: ITP: cosign -- Web single sign-on for intranets
Date: Wed, 10 Sep 2008 20:34:50 -0300
On Wed, Sep 10, 2008 at 06:15, Neil Williams <codehelp@debian.org> wrote:

>> OpenId is decentralized and open. This is targeted to a different
>> public (from what I understand), and the authentication is handled by
>> a single source.

> Single Point of Failure ?

Not quite, it provides some fault-tolerance. Anyway, you're missing the
point that this is targeted at a different audience. For example, I've
just deployed cosign at my job, to have SSO in internal webapps that
can't use something open to the world like openid.

>> hehehehe. No, it only maintains the logged-on/off state, but doesn't
>> know about your culinary habits :) How would you re-phrase that?
>
> I'm still not quite sure I understand what cosign is trying to do - is
> it offering an alternative to the existing Apache authentication systems
> like .htaccess etc.? Some kind of frontend to other website
> authentication or some kind of cache that stores your username and
> password for next time? Does this only work with particular websites
> that have configured their authentication protocols to work with cosign
> (aka OpenID) or can it masquerade as the authentication protocol for
> unmodified websites, in which case it would seem to be at least storing
> the authentication details used by those websites.

it works as an authentication module in apache, replacing/complementing
basic auth and the such. It uses a session cookie, but you don't have
it, it redirects you to the main weblogin page when you're asked for
credentials or given a new service-specific cookie if you already had
authenticated there. I think the mechanism is well explained here:
http://weblogin.org/overview.html

> I've looked at http://weblogin.org/overview.html but I'm not sure I
> understand it. I'm confused about whether this is some kind of portal
> for use where internet access is charged / time-limited (like an
> internet cafe or hotel) or some kind of network filter that either
> blocks or allows traffic to certain websites. I'm also concerned about
> *why* a system would be configured to store the web logins of all users
> in a single location. Or is this some kind of "keep-me-logged-in"
> service like stay-alive or similar that keeps pinging the login to
> prevent timeouts?

It's no filter or portal. It's just a system to handle authentication
centrally passing tokens around in the form of cookies, I think it can
be paralleled to kerberos in that idea. You can compare it with
bitcard (used in rt.cpan.org) or other similar projects, like
Shibboleth, pubcookie, mod_auth_tkt and openSSO. It's difficult to
explain, I guess all those websites will do a better job :)

> If it is trying to be something like OpenId for intranets, then it
> shouldn't get involved in the cookies themselves, the sites requesting
> authentication need to be modified to support the cosign method, without
> revealing the login details of the users. I can't work out whether it is
> doing that or not.

This requires no modification to applications that were already
relying on apache authentication.
In any case I think it's not me or you who decide how it should be
implemented  :)

> The website is completely unhelpful in deciding what this package is
> trying to do and what problems it is either trying to solve or likely to
> generate. The wiki overview is just a rehash of the website overview
> that is no clearer, at least to me. I hope this package will come with
> some clear documentation. ;-)

Yes, the documentation is crap. I'm trying to work on that, but
there's no clear license on the current web docs, so I cannot work
with them as a base ATM.

> I'm confused about why users would want to trust cosign to keep all
> their weblogin usernames and passwords - unless those usernames and

err... I don't understand you :) This is thought for places when you
can trust a central place to manage users (think ldap, kerberos, nis,
etc), and in any case, cosign doesn't keep the usernames and
passwords, it just relies on any authentication scheme you want to
use.

> passwords are part of the same intranet that uses cosign at which point
> it would seem bizarre that to fix the various login problems of a
> variety of websites inside an intranet, the admin would add another
> login that knows all the login details of all the users.

Well, that's exactly the point, you have 20 websites, each with its
own htaccess file, and you as a sysadmin hate that. You can configure
ldap/krb/etc and make apache authenticate against that on _each_
server, which will solve the single password issue, but the users
still have to enter user/pass each time, also you need to protect the
channel because the passwords are sent in the clear.

> I can't help thinking that cosign is a solution looking for a problem.

> Maybe open this up to -devel where there are people with more experience
> of network-admin/authentication/intranet issues.

That's ok to me, if you want. Not sure if anything productive can be
taken out of the common thread you see in -devel.

-- 
Martín Ferrari




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>:
Bug#497584; Package wnpp. Full text and rfc822 format available.

Acknowledgement sent to Neil Williams <codehelp@debian.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>. Full text and rfc822 format available.

Message #30 received at 497584@bugs.debian.org (full text, mbox):

From: Neil Williams <codehelp@debian.org>
To: Martín Ferrari <tincho@debian.org>
Cc: 497584@bugs.debian.org
Subject: Re: Bug#497584: ITP: cosign -- Web single sign-on for intranets
Date: Thu, 11 Sep 2008 08:52:25 +0100
On Wed, 2008-09-10 at 20:34 -0300, Martín Ferrari wrote:
> On Wed, Sep 10, 2008 at 06:15, Neil Williams <codehelp@debian.org> wrote:
> Not quite, it provides some fault-tolerance. Anyway, you're missing the
> point that this is targeted at a different audience. For example, I've
> just deployed cosign at my job, to have SSO in internal webapps that
> can't use something open to the world like openid.

OK, this is beginning to make some sense - squeezing this into the
description is going to be a challenge. :-)

> it works as an authentication module in apache, replacing/complementing
> basic auth and the such. It uses a session cookie, but you don't have
> it, it redirects you to the main weblogin page when you're asked for
> credentials or given a new service-specific cookie if you already had
> authenticated there. I think the mechanism is well explained here:
> http://weblogin.org/overview.html

Hmm, that page could do with a lot of simplification.

> > I've looked at http://weblogin.org/overview.html but I'm not sure I
> > understand it. I'm confused about whether this is some kind of portal
> > for use where internet access is charged / time-limited (like an
> > internet cafe or hotel) or some kind of network filter that either
> > blocks or allows traffic to certain websites. I'm also concerned about
> > *why* a system would be configured to store the web logins of all users
> > in a single location. Or is this some kind of "keep-me-logged-in"
> > service like stay-alive or similar that keeps pinging the login to
> > prevent timeouts?
> 
> It's no filter or portal. It's just a system to handle authentication
> centrally passing tokens around in the form of cookies, I think it can
> be paralleled to kerberos in that idea. You can compare it with
> bitcard (used in rt.cpan.org) or other similar projects, like
> Shibboleth, pubcookie, mod_auth_tkt and openSSO. It's difficult to
> explain, I guess all those websites will do a better job :)

It is difficult to explain but if the description would contain little
nuggets like "centrally handles authentication using tokens in a similar
manner to kerberos" and then give a bit of detail about how it compares
with those similar projects (the ones already in Debian).

> > If it is trying to be something like OpenId for intranets, then it
> > shouldn't get involved in the cookies themselves, the sites requesting
> > authentication need to be modified to support the cosign method, without
> > revealing the login details of the users. I can't work out whether it is
> > doing that or not.
> 
> This requires no modification to applications that were already
> relying on apache authentication.
> In any case I think it's not me or you who decide how it should be
> implemented  :)

True, but the description probably needs to give some hints about how it
could be implemented.

> > I'm confused about why users would want to trust cosign to keep all
> > their weblogin usernames and passwords - unless those usernames and
> 
> err... I don't understand you :) This is thought for places when you
> can trust a central place to manage users (think ldap, kerberos, nis,
> etc), and in any case, cosign doesn't keep the usernames and
> passwords, it just relies on any authentication scheme you want to
> use.

That is what needs to be set out in the description - if that had been
put in at the start (or even mentioned on the website), it would have
saved a lot of confusion.

> > passwords are part of the same intranet that uses cosign at which point
> > it would seem bizarre that to fix the various login problems of a
> > variety of websites inside an intranet, the admin would add another
> > login that knows all the login details of all the users.
> 
> Well, that's exactly the point, you have 20 websites, each with its
> own htaccess file, and you as a sysadmin hate that. You can configure
> ldap/krb/etc and make apache authenticate against that on _each_
> server, which will solve the single password issue, but the users
> still have to enter user/pass each time, also you need to protect the
> channel because the passwords are sent in the clear.

OK, so cosign is passing on existing authentication from one server to
another within an intranet, sort of. 

I don't think I understand it sufficiently to rewrite the description
but I think if you have set out the main points yourself, it's just a bit
of reorganising. The description should cover these basic ideas:

1. cosign is a system to handle authentication centrally, passing tokens
around in the form of cookies, in a similar manner to kerberos.
2. it works as an authentication module in apache, replacing/complementing
basic auth and the such. It uses a session cookie, but you don't have
it, it redirects you to the main weblogin page when you're asked for
credentials or given a new service-specific cookie if you already had
authenticated there.
3. it is for places when you can trust a central place to manage users
(think ldap, kerberos, nis, etc), and in any case, cosign doesn't keep
the usernames and passwords, it just relies on any authentication scheme
you want to use.
4.  You can compare it with bitcard (used in rt.cpan.org) or other
similar projects, like Shibboleth, pubcookie, mod_auth_tkt and openSSO.

The original description was:

An open source project originally designed to provide a secure single
sign-on web authentication system, with support for different
authentication backends and fault tolerance by means of replicated
servers.

Cosign includes an Apache module for authentication in distributed
applications, CGI scripts to handle logon/logoff and a session tracking
daemon.

The 4 points above can replace the old description completely, just
reorganised a bit. 

Cosign is a system to centrally handle authentication, passing tokens
around in the form of cookies, in a similar manner to kerberos. An
Apache module is included to replace or complement existing
authentication methods like basic auth. 
.
Cosign uses a session cookie, which is not sent to the browser, and
redirects you to the main weblogin page when a user is asked for
credentials or given a new service-specific cookie if you already had
authenticated there.
(that bit needs to be reworded)
.
Cosign is useful when you can trust a central place to manage users
(e.g. ldap, kerberos, nis, etc). Cosign doesn't keep the usernames and
passwords, it just relies on any authentication scheme you want to use.
.
Cosign can be compared with bitcard (used in rt.cpan.org) or other
similar projects, like Shibboleth, pubcookie, mod_auth_tkt and openSSO.

Something like that.

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/


[signature.asc (application/pgp-signature, inline)]
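
The flow summarised in points 1 to 3 of the message above (and in Martín Ferrari's earlier reply), as an added example that is not part of the original thread and is not cosign's code or wire protocol. It is a simplified model: the names `CentralLogin`, `ProtectedSite`, `browse`, `LOGIN_URL` and the user table are hypothetical, and the password backend is a constructed stand-in for LDAP/Kerberos/NIS.

```python
import hmac
import secrets
from urllib.parse import urlencode

LOGIN_URL = "https://weblogin.example.org/"   # hypothetical central login page
USERS = {"alice": "correct horse"}            # constructed stand-in for LDAP/Kerberos/NIS


def demo_backend(user, password):
    """Constructed backend; a real deployment plugs in its own scheme here."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


class CentralLogin:
    """Model of the weblogin page plus the session tracking daemon."""

    def __init__(self, backend):
        self.backend = backend
        self.logins = {}            # login cookie -> user (no password is kept)
        self.service_cookies = {}   # (service, service cookie) -> login cookie

    def authenticate(self, user, password):
        """Verify credentials once, centrally, and start a login session."""
        if not self.backend(user, password):
            return None
        cookie = secrets.token_urlsafe(32)
        self.logins[cookie] = user
        return cookie

    def issue_service_cookie(self, login_cookie, service):
        """Give an already-authenticated browser a cookie valid for one service."""
        if login_cookie not in self.logins:
            return None
        cookie = secrets.token_urlsafe(32)
        self.service_cookies[(service, cookie)] = login_cookie
        return cookie

    def check(self, service, cookie):
        """Called by a protected site: which user, if any, owns this cookie?"""
        login_cookie = self.service_cookies.get((service, cookie))
        return self.logins.get(login_cookie)

    def logout(self, login_cookie):
        """Ending the central session invalidates every service cookie tied to it."""
        self.logins.pop(login_cookie, None)


class ProtectedSite:
    """Model of the authentication module in front of one web application."""

    def __init__(self, name, central):
        self.name, self.central = name, central

    def handle(self, path, cookie):
        """Return (200, user) for a valid service cookie, else a redirect to weblogin."""
        user = self.central.check(self.name, cookie)
        if user is not None:
            return 200, user
        query = urlencode({"service": self.name, "return": path})
        return 302, LOGIN_URL + "?" + query


def browse(site, path, jar, central, credentials=None):
    """Follow the redirects a browser would; jar maps host name -> cookie."""
    events = []
    status, detail = site.handle(path, jar.get(site.name))
    if status == 200:
        return events, status, detail
    events.append("redirect-to-weblogin")
    service_cookie = central.issue_service_cookie(jar.get("weblogin"), site.name)
    if service_cookie is None:                      # no central session yet
        events.append("password-prompt")
        login = central.authenticate(*credentials) if credentials else None
        if login is None:
            return events + ["login-failed"], status, detail
        jar["weblogin"] = login
        service_cookie = central.issue_service_cookie(login, site.name)
    jar[site.name] = service_cookie
    status, detail = site.handle(path, service_cookie)
    return events, status, detail


if __name__ == "__main__":
    central = CentralLogin(demo_backend)
    wiki, tracker = ProtectedSite("wiki", central), ProtectedSite("tracker", central)
    jar = {}
    print(browse(wiki, "/", jar, central, ("alice", "correct horse")))
    print(browse(tracker, "/bugs", jar, central))   # no second password prompt
    central.logout(jar["weblogin"])
    print(browse(wiki, "/", jar, central))          # back to the login page
```

In this model the protected sites only ever see their own service cookie: the password goes to the central login alone, and a cookie issued for one service is rejected by another.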

Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>:
Bug#497584; Package wnpp. (Mon, 21 Dec 2009 22:12:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Martín Ferrari <tincho@debian.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>. (Mon, 21 Dec 2009 22:12:11 GMT) Full text and rfc822 format available.

Message #35 received at 497584@bugs.debian.org (full text, mbox):

From: Martín Ferrari <tincho@debian.org>
To: Erik Rose <ErikRose@psu.edu>
Cc: 497584@bugs.debian.org
Subject: Re: Already packaged CoSign 3.0.2
Date: Mon, 21 Dec 2009 23:09:27 +0100
Erik,

On Mon, Dec 21, 2009 at 22:57, Erik Rose <ErikRose@psu.edu> wrote:
> I've packaged the CoSign 3.0.2 Apache module, in case anyone is interested.
> (Is this thread even still alive?) You can try out my package by adding this
> to your sources.list...
>
>   deb http://deb.weblion.psu.edu/debian lenny-unstable main non-free contrib
>
> ...and aptitude installing libapache2-mod-cosign from the lenny-unstable
> distro.
>
> This work is based on a package of 2.x (for Etch) which I made about a year
> ago and which we've been using in production on about 16 VMs.
>
> Source code for the package is available at
> https://weblion.psu.edu/trac/weblion/browser/weblion/hosting/packages/cosign/trunk.
> If this thread truly is dead, I'm very interested in contributing this work
> to Debian. Martin, are you still planning to move on this?

I had mostly lost interest in cosign, since I have quit my job in
March where we were using it. I've never uploaded since the package
was still not in shape for it. So if you want to take the lead, I'm
more than happy to hand it over to you.

You might like to check what I've already done on it, on the attached tarball.


-- 
Martín Ferrari
[cosign-debian.tgz (application/x-gzip, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>:
Bug#497584; Package wnpp. (Mon, 21 Dec 2009 22:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Erik Rose <ErikRose@psu.edu>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>. (Mon, 21 Dec 2009 22:39:03 GMT) Full text and rfc822 format available.

Message #40 received at 497584@bugs.debian.org (full text, mbox):

From: Erik Rose <ErikRose@psu.edu>
To: Martín Ferrari <tincho@debian.org>
Cc: 497584@bugs.debian.org
Subject: Re: Already packaged CoSign 3.0.2
Date: Mon, 21 Dec 2009 17:36:14 -0500
> I had mostly lost interest in cosign, since I have quit my job in
> March where we were using it. I've never uploaded since the package
> was still not in shape for it. So if you want to take the lead, I'm
> more than happy to hand it over to you.
>
> You might like to check what I've already done on it, on the  
> attached tarball.

Thanks, Martín! I like how you broke out some top-level directives  
into a mod_cosign.conf. I may have to borrow that. For anyone else  
following along, I'll note that your package includes both the CoSign  
server and client, while mine includes just the client, which is all I  
ever need to install.

Cheers,
Erik Rose



Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>:
Bug#497584; Package wnpp. (Mon, 21 Dec 2009 22:57:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Erik Rose <ErikRose@psu.edu>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>. (Mon, 21 Dec 2009 22:57:07 GMT) Full text and rfc822 format available.

Message #45 received at 497584@bugs.debian.org (full text, mbox):

From: Erik Rose <ErikRose@psu.edu>
To: 497584@bugs.debian.org, tincho@debian.org
Subject: Already packaged CoSign 3.0.2
Date: Mon, 21 Dec 2009 16:57:55 -0500
I've packaged the CoSign 3.0.2 Apache module, in case anyone is  
interested. (Is this thread even still alive?) You can try out my  
package by adding this to your sources.list...

   deb http://deb.weblion.psu.edu/debian lenny-unstable main non-free contrib

...and aptitude installing libapache2-mod-cosign from the lenny-unstable
distro.

This work is based on a package of 2.x (for Etch) which I made about a  
year ago and which we've been using in production on about 16 VMs.

Source code for the package is available at
https://weblion.psu.edu/trac/weblion/browser/weblion/hosting/packages/cosign/trunk.
If this thread truly is dead, I'm very interested in contributing
this work to Debian. Martin, are you still planning to move on this?

Many thanks,
Erik Rose
Lead Developer
The WebLion Group
The Pennsylvania State University




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>:
Bug#497584; Package wnpp. (Mon, 21 Dec 2009 23:12:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Martín Ferrari <tincho@debian.org>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>. (Mon, 21 Dec 2009 23:12:07 GMT) Full text and rfc822 format available.

Message #50 received at 497584@bugs.debian.org (full text, mbox):

From: Martín Ferrari <tincho@debian.org>
To: Erik Rose <ErikRose@psu.edu>
Cc: 497584@bugs.debian.org
Subject: Re: Already packaged CoSign 3.0.2
Date: Tue, 22 Dec 2009 00:07:43 +0100
On Mon, Dec 21, 2009 at 23:36, Erik Rose <ErikRose@psu.edu> wrote:

> Thanks, Martín! I like how you broke out some top-level directives into a
> mod_cosign.conf. I may have to borrow that. For anyone else following along,
> I'll note that your package includes both the CoSign server and client,
> while mine includes just the client, which is all I ever need to install.

Well, people using cosign need to install at least one server somewhere :)

-- 
Martín Ferrari




Information forwarded to debian-bugs-dist@lists.debian.org, <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>:
Bug#497584; Package wnpp. (Tue, 22 Dec 2009 15:09:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Erik Rose <ErikRose@psu.edu>:
Extra info received and forwarded to list. Copy sent to <wnpp@debian.org>, "Martín Ferrari" <tincho@debian.org>. (Tue, 22 Dec 2009 15:09:06 GMT) Full text and rfc822 format available.

Message #55 received at 497584@bugs.debian.org (full text, mbox):

From: Erik Rose <ErikRose@psu.edu>
To: Martín Ferrari <tincho@debian.org>
Cc: 497584@bugs.debian.org
Subject: Re: Already packaged CoSign 3.0.2
Date: Tue, 22 Dec 2009 10:05:41 -0500
> Well, people using cosign need to install at least one server  
> somewhere :)

Sure, but one of CoSign's main audiences is large universities, where  
we have to install the server only once (usually not on a Debian  
system) but the client many times.




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, "Martín Ferrari" <tincho@debian.org>:
Bug#497584; Package wnpp. (Sat, 19 Feb 2011 18:12:46 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lucas Nussbaum <lucas@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, "Martín Ferrari" <tincho@debian.org>. (Sat, 19 Feb 2011 18:12:46 GMT) Full text and rfc822 format available.

Message #60 received at 497584@bugs.debian.org (full text, mbox):

From: Lucas Nussbaum <lucas@debian.org>
To: 497584@bugs.debian.org
Cc: control@bugs.debian.org
Subject: cosign: changing back from ITP to RFP
Date: Sat, 19 Feb 2011 17:02:37 +0000
retitle 497584 RFP: cosign -- Web single sign-on for intranets
noowner 497584
thanks

Hi,

This is an automatic email to change the status of cosign back from ITP
(Intent to Package) to RFP (Request for Package), because this bug hasn't seen
any activity during the last 6 months.

If you are still interested in adopting cosign, please send a mail to
<control@bugs.debian.org> with:

 retitle 497584 ITP: cosign -- Web single sign-on for intranets
 owner 497584 !
 thanks

However, it is not recommended to keep ITP for a long time without acting on
the package, as it might cause other prospective maintainers to refrain from
packaging that software. It is also a good idea to document your progress on
this ITP from time to time, by mailing <497584@bugs.debian.org>.

Thank you for your interest in Debian,
-- 
Lucas, for the QA team <debian-qa@lists.debian.org>




Changed Bug title to 'RFP: cosign -- Web single sign-on for intranets' from 'ITP: cosign -- Web single sign-on for intranets' Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Sat, 19 Feb 2011 18:26:35 GMT) Full text and rfc822 format available.

Removed annotation that Bug was owned by "Martín Ferrari" <tincho@debian.org>. Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Sat, 19 Feb 2011 18:26:36 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 19:14:13 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.