Bug#940144: developers-reference: document self-service givebacks in wanna-build section

[Philipp Kern <pkern@debian.org>]

On 1/21/2020 4:50 PM, Sam Hartman wrote:
>>>>>> "Philipp" == Philipp Kern <phil@philkern.de> writes:
> 
>     Philipp> I'm told it was broken by the upgrade of Apache - apparently it can no
>     Philipp> longer do per path client certificate authentication. There is a
>     Philipp> pending RT ticket from DSA to fix that but I don't think there is
>     Philipp> anything I can do at the moment - except turn on SSO for the whole
>     Philipp> vhost. Maybe that could even be a workaround for now and we could
>     Philipp> check if someone is annoyed by that. :)
> 
> TLS dropped the facilities necessary to do that.
> Ultimately you'll need a vhost for stuff that requires client certs and
> other vhosts that do not.
> The user experience of having a site request client certs when you don't
> have one to give is really bad in some browsers.
> 
> Client certs really kind of are the unloved step child of web
> authentication.

Yeah, so Julien helpfully just created auth.buildd.debian.org (thanks
for that!). I'm going to spend some time on that tomorrow.

That being said, tracker, nm and contributors already moved to request
client certificates on the main host. I find the UI problematic when you
actually have a cert, as it will show a problem. In enterprise
environments you can push a policy to not ask about which certificate to
use but for privacy reasons it is still explicit in the normal case.

And yes, the correct approach would be something like OAuth2. Or use
client certificates with some sort of CLI. :/

Kind regards
Philipp Kern