(another) WebKit port of Browse
Martin Langhoff
martin.langhoff at gmail.com
Tue Jul 8 10:12:21 EDT 2008
On Mon, Jul 7, 2008 at 8:47 PM, Carol Lerche <cafl at msbit.com> wrote:
> Martin -- You state that ssl at the network layer is significant. The
> question is when and how much must ssl be used to authenticate with client
> certs? I believe it only needs to be used during initial authentication and
> again when properly designed cookies expire. Since each XO only
That's a good point.
> As to the PKI infrastructure, I don't think it is any harder to work this
> out than any of the other key management issues already in play.
Well, it's a ton of work, and if I can take you on your offer of
patches... we cannot provide a PKI infrastructure as a significant
proportion of schools is disconnected, and we are not keen on imposing
a complex school server setup procedure. So, assuming each XS does the
classic self-signed-cert creation, what we want to do is to follow the
current trust model, which is dead simple: the XO trusts the XS that
it is registered to.
During the registration, the XO gives the XS its public SSH key. We need to
- change the "Registration" protocol to grab the public part of the
self-signed cert, and add an exception to the PKI checks in Browse.
The registration stuff is implemented in a tool called idmgr (XS side)
and in Sugar profile (XO side). If you looking at idmgr is horrible
enough that you want to help me reimplement it, I have further notes
on that track ;-) We also need to tackle the protocol change in a
reasonably backwards compat manner.
- figure out a way to use the existing SSH key that the XO has as the
SSL client cert, and to detect it, and match it on the server side.
The server-side apache-embedded code we are doing with mod_python
handlers, and this is a perfect fit for an authen handler.
Counting on your help to break this silly thread with actual working code :-)
cheers,
m
--
martin.langhoff at gmail.com
martin at laptop.org -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
More information about the Devel
mailing list