Network transparent XS services - limitations and alternatives
Martin Langhoff
martin.langhoff at gmail.com
Tue Aug 26 21:02:14 EDT 2008
On Wed, Aug 27, 2008 at 11:53 AM, C. Scott Ananian <cscott at laptop.org> wrote:
> a) Don't lie about DNS entries when you are connected.
> b) When you are disconnected, use a DNS server which allows you to map
> names to short lifetime addresses, then serve resources for those
> addresses.
> c) Don't try to provide services you can't.
The problem lies between b and c. There is a good chance for confusion
there, especially for services that don't have "virtualhost" support as
we have in HTTP.
> d) HTTP is one of the services you clearly can.
I would say it is one of the very few ones where I can do some stuff.
Unfortunately, this limits the reach of our "network principles".
Being able to deliver locally a subset of HTTP is good, but the world
does not end there. Our network principles need to pragmatically say:
"for protocols that cannot be proxied transparently, flag X tells you
whether you're in a Schoolserver network, and it may be a good idea to
contact a host called 'schoolserver' or - if provided - a service
specific hostname (i.e. 'presence')."
> Maybe we should reboot this discussion.
Definitely.
>> I also asked a
>> few questions around points where you are saying that I "should know
>> better".
>
> You said, "Will we never care for end-user privacy?" I said you
> should know better: we clearly do. That's irrelevant to the
> HTTP-vs-HTTPS issue.
Some background: the XS will soon have various web-based tools for
collaboration. Top-of-the-list are Moodle and large (editable?)
wikislices. A webmail facility (for teachers, not for kids) is a very
popular request too. Initial implementation of this stuff will use
http, but I want to have a clear path should we want to switch to
https with a self-signed-cert to ensure better privacy.
We are also discussing patching Browse to perform a brief handshake
over https to do initial XO-to-XS authentication. It is one of the
alternatives - the handshake could happen over ssh too.
So we might not be using https right now, but we are reasonably likely
to do soon, barring a watershed industry migration to something
better...
cheers,
m
--
martin.langhoff at gmail.com
martin at laptop.org -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
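An added illustration of the gap between points b and c that the mail describes, written for this page and not code from the thread or the XS project. It models a resolver that answers truthfully when connected and maps every name onto the schoolserver when disconnected, shows why HTTP (which carries the requested name in the Host header) can still refuse honestly while a protocol without virtual hosts cannot, and encodes the proposed rule of consulting a network flag and using the XS's own well-known name instead. All addresses, hostnames, the mirrored-site list and the flag are constructed assumptions.

```python
# Added example, not from the mailing-list thread or the XS code base.
# Every address, hostname and the "in a Schoolserver network" flag below
# is a constructed assumption used only to model the discussion.

SCHOOLSERVER_IP = "172.18.0.1"           # constructed: address of the local XS
XS_OWN_NAMES = {"schoolserver", "presence"}  # names the XS legitimately owns
REAL_DNS = {                             # constructed: what upstream DNS answers
    "wiki.laptop.org": "203.0.113.20",
    "jabber.example.org": "203.0.113.30",
}
HTTP_MIRRORED = {"wiki.laptop.org"}      # constructed: sites the XS caches locally
# hypothetical service-specific hostnames the XS advertises (point about 'presence')
XS_SERVICE_NAMES = {"presence": "presence"}


def resolve(name, connected):
    """Point (b): truthful when connected; when disconnected every name
    is mapped onto the schoolserver's address.  XS-owned names always
    resolve to the XS."""
    if name in XS_OWN_NAMES:
        return SCHOOLSERVER_IP
    if connected:
        return REAL_DNS.get(name)
    return SCHOOLSERVER_IP


def http_fetch(host, connected):
    """HTTP carries the requested name in the Host header, so the XS can
    distinguish a site it mirrors from one it cannot serve and, per
    point (c), refuse honestly instead of pretending."""
    ip = resolve(host, connected)
    if ip is None:
        return ("error", "NXDOMAIN")
    if ip == SCHOOLSERVER_IP and host not in XS_OWN_NAMES:
        if host in HTTP_MIRRORED:
            return ("ok", "served from XS mirror")
        return ("error", "503 not available offline")
    return ("ok", "served from origin")


def raw_connect(host, port, connected):
    """A protocol with no virtual-host concept: the XS only sees a TCP
    connection to a port, never which name the client meant, so its own
    service ends up answering under a foreign name."""
    ip = resolve(host, connected)
    if ip is None:
        return ("error", "NXDOMAIN")
    if ip == SCHOOLSERVER_IP and host not in XS_OWN_NAMES:
        # the client believes it reached `host`; it reached the XS instead
        return ("confused", "XS service answering as %s" % host)
    return ("ok", "%s:%d" % (host, port))


def choose_endpoint(service, in_schoolserver_network, upstream):
    """The rule proposed in the mail for non-proxiable protocols: check
    the network flag, and when set contact a service-specific hostname
    if one is provided, else 'schoolserver'; never rely on a rewritten
    upstream name.  `upstream` is a (host, port) pair."""
    host, port = upstream
    if in_schoolserver_network:
        return (XS_SERVICE_NAMES.get(service, "schoolserver"), port)
    return (host, port)


if __name__ == "__main__":
    print(http_fetch("wiki.laptop.org", connected=False))
    print(http_fetch("mail.example.org", connected=False))
    print(raw_connect("jabber.example.org", 5222, connected=False))
    print(choose_endpoint("presence", True, ("jabber.example.org", 5222)))
```

Running the module shows the mirrored site served locally, an unmirrored site refused with a clear error, the raw connection to the Jabber host silently landing on the XS, and the flag-driven choice of the 'presence' hostname that avoids that confusion.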