Using Dashlane as TEC credentials manager

Using Dashlane as TEC credentials manager

Until now we were using Keybase for sharing credentials and keeping a registry of the members with access to each platform. With platforms like Dashlane we don’t need to share credentials anymore we can just share access. And credentials could be changed every month without affecting the workflow.

We could use Dashlane until more decentralized technologies such as https://www.nucypher.com/ or Fidelius are available.

Doing a change like this brings up a lot of questions. For example, decisions like this centralizes our process and that’s why I think it’s worth opening this vote before doing it.

PROS:

• Increasing the security in case of future conflicts “The problem of decentralizing states is defence, and the problem of decentralizing daos is password management :-D”

• Access can be revoked when members are not contributing on a task anymore

• Every reset (2 month) restricts access to inactive contributors and/or to people with previous access who have broken the code of conduct.

CONS:

• Centralize power and the consequences of that.

• Add bureaucratic steps

• Sharing access isn’t much different from sharing credentials, people with it can do the same except sharing access with third parties.

On our platforms such as GitHub or Discord. In my opinion we are doing a great job. We have different projects with different members with powers, for example we have Gitbook admin powers on 1 account. Then we have Github where there are many contributors but at the same time the contracts are on another repo where there are not many contributors. And we could adapt the rules in the future if we as a community want to.

Regarding the process on sharing access for example we could add a Typeform with questions like asking for handle, which platform do the contributor need access to and what it’s the job going to be done on that platform (to decide what kind of access we should give) And the results of the typeform could be share on the stewards chat with a poll and if no one is against on 24hrs we give the access corresponding to that Typeform. This process would have a delay of 48h more or less.

I suggest we do an audit on our access document on the gibook every 2 month and setup Dashlane with Zep and Chuy as admins that will held Twitter and Gmail (Youtube, Medium Hubspot and Google Analytic), the reasoning it that we both are who have 2FA right now and at least for comms I feel it make sense for efficiency and it can always change if we have a further discussion on who and why show held the credentials.

Great job on this @ZeptimusQ!! We’ve been struggling with this issue for some months now and I feel this process is gonna bring stability and efficiency to how Comms contributors onboard.

Major praise to @durgadas for being a great SME and suggesting Dashlane as a safe method for giving access and to @sem for Fidelius and its exciting goals!!

Hi @ZeptimusQ, awesome to see the progress on the credentials discussion
So this proposal wants to:
1- change credential management from keybase to dashlane
2- dashlane will manage access to twitter, youtube, medium, hubspot and google analytic
3- Zep and Chuy will have access to it.

It all sounds great, I just think two people might be too little to have admin access to all this accounts, I suggest a @iviangita is added as a third person since she is very involved in this process and also co-leads the transparency wg

I agree with this and think your idea is a good one.

I also agree. Two people is a bit low and I also agree adding @iviangita (maybe even another?) is probably wise. Thanks for laying it out so clearly ZeptimusQ.

Originally we have a system more decentralize (keybase) where everyone having access to any platform had also access to the credentials, and there were some concerns in the community about everyone having access could cause problems and we would not even know who did what. This process its something that can evolve constantly 2 persons having admin powers that doesn’t mean only 2 persons will be working on the platform for example we could have 2 admins but then 5 contributors with access on twitter.

Actually, after reading those concerns that 2 persons might be to low quorum we sync with @iviangita and gave her admin access (without voting for it). The good thing about this process its it can constantly evolve and we can include all the feedback if the community supports it.

We are re-visiting our advice process and we were talking about this decision on the unconference with @liviade and we decided we should ask personally to @chuygarcia92 as comms steward, @Griff as common swarm and parameters steward and @Tamara as steward of the stewards.

The intention it’s to talk with them and report back in this thread.

Dashlane trial just finished I feel that we should go ahead and aim to request funding for handling this, it was one of the most seamless processes we’ve had for handling credentials

The free version seems ok to me, what do you think Chuy? What are we missing ?

The more I think about this topic, the less urgency I have in attempting to solve it. Ideally, I want EVERYONE to have access to all of our platforms and trust that they will be used responsibly. However, each platform carries a different degree of MAX risk that is detrimental to the operations of the TEC. Platforms such as Hubspot which holds a significant amount of data and information about our members needs much more protection (bureaucracy & monitoring) than say our Medium Blog. And while someone may go on a Twitter Rant that is not representative of the values of the TEC, or post some awful blog post and cause harm to the community through their use of this access power, most platforms (if adequately monitored) can retroactively mitigate that damage – identify and punish those who are responsible.

Bottom line, the focus on Monitoring and Tracking users on these platforms is far more important than how we distribute that access. With that being said, I’m fairly neutral whether or not we use Dashlane or Keybase.