SgDotNet
Singapore Professional .NET User Group -For Cool Developers

Minutes of meeting on 4th Sept 2004



hi moderators and administrators,

I've drafted the minutes, kindly review it. Place your feedback as reply to this posting. Thanks!

microlau Blog: http://community.sgdotnet.org/blogs/microlau

Accompanying ppt slides for those who have missed out on the meeting. Once the entire minutes are reviewed, I will join the files together. In the meantime, make do ;)

These are Triplez's slides on SgDotNet development

microlau Blog: http://community.sgdotnet.org/blogs/microlau

These are the slides from KitKai on nova

microlau Blog: http://community.sgdotnet.org/blogs/microlau

Thanks microlau

Best Regards, Kit Kai, MVP (SharePoint Portal Server)

Pleasure... Someone has to take down whatever we have discussed... So that the rest who missed out can pore through it... Just another vital part of Project Management ;)

microlau Blog: http://community.sgdotnet.org/blogs/microlau

Looks ok to me, recaps the discussions of that day. Except wasn't there more details about Nova?

Btw, side-note not related to meeting: Rob Howard got in touch with me and asked if I'd like to fix bugs on Telligent's list (certainly a frighteningly whole lot more than what we've unearthed!). I feel this is a good deal since changes i perform will make their way back to the official version, and thus become less of a worry that things i hack on my own will become more and more incompatible with time.

So i'll be accepting and doing "development" not so much on Sg.Net per se but more to Telligent's side. But they will come around, so no worries.

The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral

 icelava wrote:
Looks ok to me, recaps the discussions of that day. Except wasn't there more details about Nova?

Btw, side-note not related to meeting: Rob Howard got in touch with me and asked if I'd like to fix bugs on Telligent's list (certainly a frighteningly whole lot more than what we've unearthed!). I feel this is a good deal since changes i perform will make their way back to the official version, and thus become less of a worry that things i hack on my own will become more and more incompatible with time.

So i'll be accepting and doing "development" not so much on Sg.Net per se but more to Telligent's side. But they will come around, so no worries.


2 Thumbs Up, IceLava. Gr8 stuff! Thanks a lot for the hard work and the effort you put into sgdotnet.

~Softwaremaker (BLOG) M. Twain: "I didn't have time to write a short letter, so I wrote a long one instead"

icelava... was thinking (aloud)... if we can get the whole usergroup to be involved in the bug fixing... to get more people involved... I dun know...

Best Regards, Kit Kai, MVP (SharePoint Portal Server)

microlau, pls update ur minutes to add the following

Vector's first concept of articles is having a common topic for a week or so, and members contribute. Then he will compile and publish it as an article.

Nova side,
Wse security will not be implemented because web login is not secured either.
weeyhong provided sample plugin codes for reference
shunjie joined the team, and he will be handling webservices. Currently starting with novasupported() and understanding forum architecture.

Best Regards, Kit Kai, MVP (SharePoint Portal Server)

 kitkai wrote:
Nova side,
Wse security will not be implemented because web login is not secured either.


Your web login is using http-post... is that what you meant by not secured?

1) Do you plan to use Web Services for logins?

2) So, the logins for Web / Smart Clients should still be secured one way or another. Hashing the passwords would not solve the transport issue. For Web Logins, if Web Services are not an alternative, can we look at X509 Certs. This is FREE as IIS/CertAuthority that comes with Windows 2000/2003 Server can issue these certs for FREE. The only thing is that the certs cannot be trusted to a root CA (such as CheckPoint, Verisign, etc). However, I think this could be a smaller issue. As long as members trust a cert that is issued by sgdotnet, and click on the "PROCEED" button when a dialog appears on the first time they login, it will be OK.

3) Once that Web Login is secured, then for your Nova Smart Client, you can use WSE for security. Altho, I would hesitate to use that, as the fast-evolving nature of WSE could cause you deployment problems. Maybe we can look at Point 4 below.

4) I believe due to some failure of an import tool, imported passwords are not hashed at the DB. Members shld hash their passwords at the DB to prevent any infringements. I am sure the administrators of sgdotnet would also like to see that as well. I believe it is more of a burden to the administrators if passwords of sgdotnet are stored in the clear in the DB. What kind of hashing utility is being implemented at the Telligent Systems version of this forum? If it is a standard SHA-1 Hash, we can implement it on our own with the .Security.Cryptography Classes. Once that is done, we can use the same function algorithm and implement it on the Nova Smart Client side. This will be designed to hash the password just before they go out onto the WebRequest Stream. In this case, the Passwords will be hashed on the wire already and will not be snooped along the way. At the Web Service end, you just have to do a simple comparison of both the hashes in the Request Stream and the one stored in the DB to determine a match.

I hope I am making some sense here...Let me know what you think.

Thank you.

~Softwaremaker (BLOG) M. Twain: "I didn't have time to write a short letter, so I wrote a long one instead"


Actually, I favor implementing wse 2.0, even if there is a performance issue, and even if wse is fast evolving. The main reason is
1. Ppl, (esp me) can learn it. Y wait until it stabilise, you didn't... :)
2. You know Microsoft designed and developed apps like taskvision, issuevision, for the sole purpose of educating developers, and allow presenters to present them in conferences... Y not make nova your presentation tool for you to present wse 2.0, or even wse 3.0 or indigo?

But it's not my decision to implement wse or not. I rather the community decides whether they want it in, since they will be using it, and the login process might be a bit slower... Memory footprint might be bigger.

Best Regards, Kit Kai, MVP (SharePoint Portal Server)

Great job microlau. Thanks a million.

Icelava, great. We'll get the community to chip in for the bugs.

Softwaremaker, one word, chim. LOL. And yes, it's SHA-1 Hash. If it's possible to encrypt all the passwords using Security.Cryptography, I'll write a small tool to convert all the passwords in the db to SHA-1 Hash.

No worries.

BTW, can I move this thread under Development?

Regards, triplez ------------------------------ http://triplez.mine.nu/blogs

 kitkai wrote:

Actually, I favor implementing wse 2.0, even if there is a performance issue, and even if wse is fast evolving. The main reason is
1. Ppl, (esp me) can learn it. Y wait until it stabilise, you didn't... :)
2. You know Microsoft designed and developed apps like taskvision, issuevision, for the sole purpose of educating developers, and allow presenters to present them in conferences... Y not make nova your presentation tool for you to present wse 2.0, or even wse 3.0 or indigo?

But it's not my decision to implement wse or not. I rather the community decides whether they want it in, since they will be using it, and the login process might be a bit slower... Memory footprint might be bigger.



I am happy for your show of enthusiasm. BUT I got burnt :'( when I implemented WSE1.0 for one of my projects and then they deprecated WS-Routing... :'( Of course, it still worked for side-by-side installation. Luckily, mine was a server installation. If you deploy it to clients, you may encounter more deployment issues. I am, however, not saying that you shld not do it. I am just highlighting to you some of the pitfalls that may happen.

WS-Security has been accepted into OASIS, which makes it an acceptable standard. So use that implementation that comes with WSE2.0, NOT WSE1.0. WSE1.0 uses the WS-I's implementation. Don't use that :) So if you are just using WS-Security, I reckon u shld be quite safe.

Of course, your installation footprint is bigger. WSE2.0 comes with its own re-distributable, so you will find it easier to deploy. BUT memory footprint is very negligible, if at all. Payload for XML Messages on the wire is not that big an issue as you are just transmitting encrypted username/pwd, NOT datacontainers of any type.

Of course, as with all Web Services, the XML serialization process eats up quite a bit of the starting time performances... which shld be solved by .NET Framework 2.0

~Softwaremaker (BLOG) M. Twain: "I didn't have time to write a short letter, so I wrote a long one instead"

 triplez wrote:
Great job microlau. Thanks a million.

Icelava, great. We'll get the community to chip in for the bugs.

Softwaremaker, one word, chim. LOL. And yes, it's SHA-1 Hash. If it's possible to encrypt all the passwords using Security.Cryptography, I'll write a small tool to convert all the passwords in the db to SHA-1 Hash.



Yes, it is possible to extract the passwords and then hash them using SHA-1, then store it back into the DB.

Do not encrypt or decrypt them. Just hash them.

Some issues I can think of,

1) U need to make the hashing function available to all. Probably use a static method or shared (VB.NET). Gotta co-ordinate with the rest of the "partners-in-crime" ;) Read on to find out why...

2) Your checking of passwords will involve hashing the incoming passwords and compare to that stored in the DB.

3) Your Reset Password will involve choosing a Random Password, Hashing it again and then
a) Storing the hashed-digest Random Password into the DB AND
b) Sending the Random Password to the user's Mailbox.

~Softwaremaker (BLOG) M. Twain: "I didn't have time to write a short letter, so I wrote a long one instead"
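
The three steps listed in the post above (one shared static hashing method, verify by re-hashing the incoming password, reset via a random password) as an added C# example; it is not part of the original thread and is not Community Server or Nova code. It assumes .NET 6 or later, all class and method names are hypothetical, and it substitutes a per-user salt with PBKDF2-HMAC-SHA256 for the bare SHA-1 digest discussed in the thread, keeping the SHA-1 form only for comparison.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example; every name here is hypothetical, not Community Server or Nova code.
public static class PasswordStore
{
    const int SaltBytes = 16, KeyBytes = 32, Iterations = 210_000; // assumed work factor
    // The unsalted SHA-1 digest discussed in the thread, kept only for comparison.
    public static string Sha1Hex(string password) =>
        Convert.ToHexString(SHA1.HashData(Encoding.UTF8.GetBytes(password)));

    // Step 1: one shared static method. Substituted technique: random salt + PBKDF2.
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, KeyBytes);
        return $"{Iterations}:{Convert.ToBase64String(salt)}:{Convert.ToBase64String(key)}";
    }

    // Step 2: re-derive from the incoming password and compare in constant time.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations) || iterations <= 0) return false;
        byte[] salt, expected;
        try { salt = Convert.FromBase64String(parts[1]); expected = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return false; } // malformed row: reject, never throw
        if (expected.Length != KeyBytes) return false;
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, KeyBytes);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Step 3: random password from a CSPRNG; store the hash (a), mail the clear text (b).
    public static (string ClearText, string Stored) Reset()
    {
        string clear = Convert.ToBase64String(RandomNumberGenerator.GetBytes(12));
        return (clear, Hash(clear));
    }

    public static void Main()
    {
        // Constructed sample data: two members who happen to choose the same password.
        Console.WriteLine(Sha1Hex("P@ssw0rd") == Sha1Hex("P@ssw0rd")); // unsalted rows match each other
        string a = Hash("P@ssw0rd"), b = Hash("P@ssw0rd");
        Console.WriteLine(a == b);                                      // salted rows are compared here
        Console.WriteLine(Verify("P@ssw0rd", a) && !Verify("wrong", a));
        var (clear, stored) = Reset();
        Console.WriteLine(Verify(clear, stored));
    }
}
```

A one-off migration tool of the kind mentioned in the thread would call `Hash` once per clear-text row and write the result back in place of the original value.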

Btw i'm talking to my programmer friend and asking if she's interested in helping out. It's actually unlikely she can chip in coz she's still involved in that horrible project which I wisely detached myself away after contract expiry. But if she's got remaining juice, she may work out on Web Services for Nova.

The melody of logic will always play out the truth. ~ Narumi Ayumu, Spiral

Copyright SgDotNet 2004-2008
Powered by Community Server (Commercial Edition), by Telligent Systems