I’ve been struggling with how to approach authentication for bender’s interface. The main problem is that the agents use transports that aren’t condusive to authentication (like IRC). As well, the eventing back-end doesn’t really allow for a coupled authenticated/encrypted layer (like SSH), as the framework doesn’t easily allow for session management.

As with any feature, it is worth understaning why it is needed. What is the underlying purpose of authentication? It’s funny what happens when you slice and dice requirements, the process tends to simplify and clarify.

How is authentication useful for a blogging system?

• Prevent graffiti or garbage content from being posted to the system.
• Prevent users from posting content posing as other users of the system.
• Prevent real damage to other users’ systems, or the hosting systems by disallowing any sort of viral or trojan code from being passed through the system.
• Prevent database damage to the hosting system(s) by disallowing most users from access to administrative tools or exploits that would allow damage to be done.

The only scenario that requires any authentication-based security is the administrative functionality, which simplifies the problem greatly. Now, the user-agents can be designed for ease-of-use (and not session management).

Based on this line of thought, the agents will accept content from users without challanging for credentials. The back-end will apply heuristics to validate the content and user, similar to bayesian filtering as used in Mozilla mail. The posted content will be further scrutinized to filter known server/browser exploits. All that remains is to authenticate sessions for access to the administrative tools, a subset of the overall functionality.

The really nice thing about understanding how and where security is needed is that it allows the user-interactions to be improved. Now users of the bender-blogging system will not have to login to submit posts. A simple optimisation, but one that has proved (so far) to be an incredible improvement in usability.