Re: Cosign on a Sub Directory Only

[Phil Pishioneri <pgp@xxxxxxx>]

On 7/20/04 5:06 PM, johanna bromberg craig wrote:

> This was originally a security thought, but I'm not sure our reasons 
> are valid anymore. I think our original logic was not wanting users to 
> turn off/on Cosign if an admin had made it on/off for a whole server, 
> but that might be spurious. Other members of the core cosign team feel 
> free to speak up and correct me if there was a more pressing issue and 
> I've just forgotten it. ;)
>
> Did you want to use it in an .htaccess? 

We were thinking of .htaccess usage, possibly for personal web pages, 
though I think we came up with an alternative.

> Does anyone? Is this something 
> people would like to see changed? Anyone have security thoughts on this 
> matter?
>  

If "CosignProtected" could be classified as an authorization directive 
(I don't know if that would be possible), then an admin could allow its 
use by specifying "AllowOverride AuthConfig" as needed.

-Phil