Way to tell if it is an XO

Marcel Renaud marcelr01 at gmail.com
Wed Dec 10 14:04:06 EST 2008 

Hey Michael!

I will give you guys some background info on the project

The goal of the proyect is to provide some way of communication beteween the
children who have an XO and their parents and family.

Since most of the parents don't have a computer nor internet access, we
determined telephone is the best way to reach them. Some of them don't have
cellphones either, but line telephones, most of them do.

My partner on this project and I work for a company that does text to speech
and SMS2 to Phone Call services, so we are going to use the infrastructure
for this project.

So we are developing a simple client app for Sugar and the xo, in order to
let children write a message and send it to their parents. The message will
be translated to speech and, and the parents will recieve it in a phone call
on their home line or mobile device.
The message will be sent using web services and the transport will be SOAP
over HTTP although the goal of the project was to base the authentication
system on XMPP and also transport SOAP over xmpp. But for the prototype we
aren't going to use XMPP.

We plan to offer this service just for the children and the security and
authentication concerns are not to let anybody else use the service.

The only threat or attacks to the service is someone pretending to be a
children with an XO to send messages since it is not free of charge for
everyone, that's why we tought of WSS to probe authenticity, integrity and
also that the message was originated by the sender.

There is no threat on the XO's end to my knowledge since it is a one way
only communication system
( Actually we did a reaserch for University and came up with  XMPP using
Jabber server to be the best way to achieve bidirectional communication) but
this is a far bigger project because we need Jabber servers and
authentication schemes to be used globbally here in Uruguay and that is far
from happening I think.)

Finnally, this project is only a prototype and it will be very difficult to
deploy nation wide since there are commercial issues to settle.

Anyways, hope I have been clear and thanks everyone for the support.

Marcel Renaud

On Wed, Dec 10, 2008 at 4:26 PM, Michael Stone <michael at laptop.org> wrote:

> On Wed, Dec 10, 2008 at 09:56:39AM -0200, Marcel Renaud wrote:
>
>> Thanks a lot for your answers.
>>
>> Yes, I think a shared credentials are the best way.
>>
>> Basically we want to offer a service just for the Xos and are working now
>> on
>> the authentication model.
>> We are going to use webservices with
>> WSS<http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss>
>> and place a signed key on each XO that is going to use the service, to
>> authenticate with the webservice provider.
>>
>
> Marcel,
>
> Is it important to keep the credential(s) secret? If so:
>  * why?
>  * for how long?
>  * against what attack(s)?
>  * how?
>  * if (when) they leak, what next?
>
> Also, what are the incentives for keeping the credentials secret? for
> publishing them?


> Regards,
>
> Michael
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.laptop.org/pipermail/devel/attachments/20081210/bbfede48/attachment.html>

More information about the Devel mailing list