gelinas
response 25 of 44: Apr 22 03:57 UTC 2007

From the MotD:

} To see statements of grex principles and limits, run
} 
}         /usr/local/bin/grex-principles
}         /usr/local/bin/grex-limits

Thus, you can use !grex-limits at the next available prompt.  Comments, of
course, are welcome.

I like the idea of decoupling membership and access levels.  I do not like
the idea of coupling access levels and donations.  Verification, and thus
increased access, should NOT rely on a contribution to the corporation.
I don't want to get into fees for services rendered.
mcnally
response 26 of 44: Apr 22 04:00 UTC 2007

 Boy, those limits haven't been updated in a while, have they?
 They don't appear to say anything about phishing.  Is that in
 the principles document?
cross
response 27 of 44: Apr 22 16:19 UTC 2007

Regarding #25; No, I wouldn't think that verification would be tied to
contributions to the corporation; my PayPal example was just one method by
which one could be verified.  Mailing a photocopy of an ID to the treasurer
or some other designated entity would be another method (though, I guess, then
one is donating a stamp to the corporation.  :-))
krokus
response 28 of 44: Apr 23 02:54 UTC 2007

Part of the updating could be using terminology that others would
recognize ToS.  Those filenames would make me think of what the ideals
are, and the limitations of the system.
maus
response 29 of 44: Apr 23 06:12 UTC 2007

While those two are a good starting point, I would recommend that they
be extended in such a way as to provide a means for enforcement.
Additionally, phrasing it as "it would be nice if" decreases
enforceability. Because the rules are fairly specific, they are harder
to enforce on the edge cases ("well, it doesn't say I can't use my
account to trick people out of their credit card information"). Lastly,
Cyberspace Communications needs to provide a means by which liability
can be transferred to the infringing party; that is, if I use Grex to do
something illegal, Cyberspace Communications needs to make sure that
they have already established legal grounds by which they can sue my
sorry tail if they get sued. 

Oh, and the terms of service also need cheese. 
aruba
response 30 of 44: Apr 25 17:56 UTC 2007

I am a little confused why Dan says we've never formalized the internet 
access categories he describes in #0; the membership category was 
formalized a long time ago, and the distinction between the first two was 
formalized at the last board meeting.

The content of Dan's proposal seems to be that we should allow people full 
internet access if they are verified but not members.  This was in fact the 
original intent when Grex first instituted an internet access policy, but 
for various reasons full access has always been linked to membership.

I am in favor, in principle, of allowing verified members full internet 
access.  There are a few logistical problems we need to consider, however.

1. How long should a validation be valid?  If I take out a Paypal account 
today, verify it, pay Grex a dollar, then move next year but don't tell 
Grex, the validation information from Paypal is not very valid.  If I did 
something destructive and Grex handed over my info to law enforcement, I 
doubt that they could find me.

Now, granted, this is a bit far-fetched; it's unlikely someone will go to 
the trouble to gain privileges on Grex in order to abuse them several years 
in the future.  But it is certainly possible.

If we allow verification to last 5 years, I envision us having a lot of 
accounts on the verified rolls which have not been logged into for a long 
time.

2. Someone needs to accept and record validation information.  I assume 
that will be the treasurer (currently me).  I don't expect a deluge of 
people requesting validation, so it will probably be fine; but I am aware 
that everything that gets added to the treasurer's job will make it harder 
to find someone to do it in the future.  Also, presumably, when a verified 
account's verification period is up, presumably someone will need to remind 
(nag) that person to re-validate.  I presume that will also fall to the 
treasurer.  If it's been 5 years, it's not at all unlikely that it will be 
hard to find an email that works.

3. Do we accept the same forms of ID that we always have?  Currently that 
includes school IDs and library cards.  (See ~aruba/idpolicy for a 
description of currently acceptable IDs.)  No one has used such an ID in a 
while, I must say; by far the most popular form of ID these days is a 
verified Paypal membership.  I bring the topic up because if we are 
reducing the bar required for access, perhaps we should make up for that by 
requiring a little more ID.  (In other words, it's possible that the 
necessity of sending $6 along with one's library card may have discouraged 
certain vandals who will not be discouraged by simply sending the library 
card.)

People should be aware that we will probably lose a few members as a result 
of changing the policy, because there have always been a (changing) handful 
of people who become members in order to have the internet privileges.  I'd 
estimate there are 1-5 such members at any given time.  We can afford to 
lose that much income.
nharmon
response 31 of 44: Apr 25 19:07 UTC 2007

I generally become a member in order to have the internet privileges and
to vote. Although I would also become a member if Grex needed the money,
but that hasn't been the case lately.
cross
response 32 of 44: Apr 25 20:01 UTC 2007

Regarding #30; (First Para): Sorry, that was ambiguous; I was trying to give
a brief recap of the discussion at the board meeting, but I didn't make that
clear.  At the board meeting, we said that the access levels had never really
been formalized, and then sorta formalized them, but also said we should take
it to the membership (unless I misunderstood things).  Hence the proposal.

First point: My vision was that verification should take place, and then
remain valid for as long as the account is active, plus a grace period
afterwards.  I'm okay with the grace period being as short as a year or two,
five is good too, but that's a detail that will have to be formalized.

Second point: I'm not sure we need to make verification a responsibility of
the treasurer.  If most of it is done by Paypal, then we could write a script
to do it automagically (just query PayPal as necessary, and update the user's
primary group ID).  I guess that other mechanisms need a bit of thought, if
for no other reason than that we are constrained by who actually picks up the
(physical) mail at the PO Box.

Third point: Personally, I don't think that library cards are sufficient
anymore.  Some sort of picture ID is probably best.
aruba
response 33 of 44: Apr 26 05:44 UTC 2007

Any automatic querying of Paypal would require storing Grex's Paypal
password somewhere; I'm not at all crazy about that idea.
ric
response 34 of 44: May 5 04:07 UTC 2007

That's probably not true.

Paypal's integration does NOT require you to store your paypal account
information in scripts.  Merchants direct buyers to their paypal store, and
paypal redirects them via a special link back, or possibly makes an alternate
request, either way the information can be verified WITHOUT needing the grex
paypal account password *BY* the receiving script.
aruba
response 35 of 44: May 10 04:01 UTC 2007

Re #34: Dan was talking about automatically querying Paypal from time to
time to get info on recent transactions; to do that, you need the password.

However, Paypal does send a confirmation notice when someone sends money to
Grex.  I suppose those notices could be (in theory) parsed when they come
in, and people added to the appropriate groups automatically.  We'd have to
verify that the messages really came from Paypal, though, or someone could
send such a message themselves and become falsely validated.
cross
response 36 of 44: May 10 14:11 UTC 2007

Hmm; I wonder if there's a way to ask them to send a signed message or
something....
maus
response 37 of 44: May 10 19:08 UTC 2007

I think cryptographic signing, creation and management of keys, etc
would be far too complicated for the majority of our users; keesan would
give birth to kittens and complain loudly that it is not part of default
pine, and damnit, telnetting in and using pine right on the server is
the way the gods meant for humankind to do email, thankyouverymuch. 
cross
response 38 of 44: May 10 19:52 UTC 2007

Well, only between PayPal and the script that interprets whatever comes back
from PayPal, not for the end users.
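
The forged-notice risk raised in #35 and the provider-to-script signing suggested in #36 and #38, as an added example that is not part of the original thread or any Grex script. It assumes a hypothetical X-Notice-Signature header and a shared secret, with an HMAC standing in for whatever signature the payment provider would actually offer; all sample messages are constructed.

```python
import hashlib
import hmac
from email import message_from_string

# Assumption: a secret known only to the payment provider and this script.
SHARED_KEY = b"constructed-demo-key"   # constructed value
SEEN_TXNS = set()                      # transaction ids already acted on

def sign(body: str) -> str:
    """Tag over the whitespace-trimmed body (stand-in for a real signature)."""
    return hmac.new(SHARED_KEY, body.strip().encode(), hashlib.sha256).hexdigest()

def make_notice(body: str, signature: str) -> str:
    """Build a constructed sample notice; X-Notice-Signature is hypothetical."""
    return ("From: payments@provider.example\n"
            "Subject: You received a payment\n"
            f"X-Notice-Signature: {signature}\n\n{body}")

def process_notice(raw: str):
    """Return the login to move into the verified group, or None if rejected."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    claimed = str(msg.get("X-Notice-Signature", ""))
    # From: is sender-controlled, so it is never used as evidence of origin.
    if not hmac.compare_digest(claimed.encode(), sign(body).encode()):
        return None
    fields = dict(l.split("=", 1) for l in body.splitlines() if "=" in l)
    txn, login = fields.get("txn_id"), fields.get("login")
    if not txn or not login or txn in SEEN_TXNS:
        return None            # incomplete notice, or a replay of an old one
    SEEN_TXNS.add(txn)
    return login

GENUINE_BODY = "txn_id=T1001\nlogin=alice\namount=6.00\n"   # constructed
GENUINE = make_notice(GENUINE_BODY, sign(GENUINE_BODY))
# Same headers as the real thing, but the sender cannot compute a valid tag.
FORGED = make_notice("txn_id=T2002\nlogin=mallory\namount=6.00\n", "0" * 64)
# A valid tag lifted from GENUINE and attached to an altered body.
TAMPERED = make_notice(GENUINE_BODY.replace("alice", "mallory"), sign(GENUINE_BODY))

if __name__ == "__main__":
    for name, raw in [("forged", FORGED), ("tampered", TAMPERED),
                      ("genuine", GENUINE), ("replayed", GENUINE)]:
        print(name, "->", process_notice(raw))
```

Only the genuine notice yields a login; the replayed copy is refused because its transaction id has already been recorded.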
maus
response 39 of 44: May 11 22:53 UTC 2007

Oh, have PayPal send a signed message. I thought you meant have the
prospective validated member send a signed message. Pardon my confusion.
cross
response 40 of 44: May 11 23:00 UTC 2007

Not at all!
eteepell
response 41 of 44: May 12 19:40 UTC 2007

What has been proposed seems quite appropriate and reasonable, without any
particular change. 

Having newusers with the ability to host pages
automatically always seemed unnecessary to me. Losing that function for 
new accounts does not seem to be a big deal. And probably may be a good 
idea in the long run. No reason they could not host a locally 
accessible page, but otherwise I see no reason why we cannot drop 
hosting for --brand new users--. (note emphasis)

One thing I always liked about grex
was even as a newuser there was full shell access (albeit without outbound
internet connectivity). I am seeing nothing here that would change that. 
Kudos.
Also the ability to self-create accounts on the system for INSTANT access 
is as far as I can see without any other equivalent out there.

Insofar as paying for access, I would not have any problem with any 
particular users paying for ::
--larger disk quota
--larger mailbox quota
..etc.etc.

If some people pay for more space, etc. that allows purchase of larger 
disks, better hardware, and it can then purposefully flow down to all 
users on the system as everyone's space and service increases in benefit. 
Any thoughts?
eteepell
response 42 of 44: May 12 19:45 UTC 2007

Almost forgot, I'm not for nitpicking the levels, everyone gets email at a
certain level. If they don't use it fine, they can "> /dev/null" or fill up
their disk space quota at their option. Everyone gets specific access at
specific levels and they choose if, and when they use the access, if they ever
do. thx. (I personally don't use the email, glad it's there though. I don't get
ANY email, spam or otherwise, just FYI).
kingjon
response 43 of 44: May 12 19:49 UTC 2007

My only objection to adding web hosting to the list of privileges restricted to
activated users is that Grex was founded on the principles of free speech, and
if the verification process required a name that could be harmed.

On the other hand, Grex was also designed as an online community, not as a
fee-for-service model, on which grounds I would object to letting users pay for
more disk space, etc. 

(The founding was before my time, of course, so I know whereof I speak only
second-hand.)
cross
response 44 of 44: May 13 15:18 UTC 2007

I don't think we need to ask people to pay for more disk space, mail quota,
etc.

The thing about web pages is that we need to balance out the risk of an
unverified user creating a phishing hole (get it?  ha ha ha) versus legitimate
users who want to create pseudo-anonymous web sites.  I'm honestly not sure
where the balance should be there.