(another) WebKit port of Browse

Martin Langhoff martin.langhoff at gmail.com
Tue Jul 8 10:12:21 EDT 2008


On Mon, Jul 7, 2008 at 8:47 PM, Carol Lerche <cafl at msbit.com> wrote:
> Martin -- You state that ssl at the network layer is significant.  The
> question is when and how much must ssl be used to authenticate with client
> certs?  I believe it only needs to be used during initial authentication and
> again when properly designed cookies expire.   Since each XO only

That's a good point.

> As to the PKI infrastructure, I don't think it is any harder to work this
> out than any of the other key management issues already in play.

Well, it's a ton of work, and if I can take you on your offer of
patches... we cannot provide a PKI infrastructure as a significant
proportion of schools is disconnected, and we are not keen on imposing
a complex school server setup procedure. So, assuming each XS does the
classic self-signed-cert creation, what we want to do is to follow the
current trust model, which is dead simple: the XO trusts the XS that
it is registered to.

During the registration, the XO gives the XS its public SSH key. We need to

 - change the "Registration" protocol to grab the public part of the
self-signed cert, and add an exception to the PKI checks in Browse.
The registration stuff is implemented in a tool called idmgr (XS side)
and in Sugar profile (XO side). If you looking at idmgr is horrible
enough that you want to help me reimplement it, I have further notes
on that track ;-) We also need to tackle the protocol change in a
reasonably backwards compat manner.

 - figure out a way to use the existing SSH key that the XO has as the
SSL client cert, and to detect it, and match it on the server side.
The server-side apache-embedded code we are doing with mod_python
handlers, and this is a perfect fit for an authen handler.

Counting on your help to break this silly thread with actual working code :-)

cheers,



m
-- 
 martin.langhoff at gmail.com
 martin at laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff



More information about the Devel mailing list