(another) WebKit port of Browse

Carol Lerche cafl at msbit.com
Tue Jul 8 13:27:17 EDT 2008


So there are two threads here, the first being authentication and the second
whether the standard browser could be used  (I am still interested in a user
story as to why collaborative browsing is interesting/useful as opposed to a
shared bookmark or scrapbook).  While I am mostly interested in the second
issue personally, I can certainly produce a proof of concept for the first,
using client certs via Scott's  Firefox 3.  I don't think it is as hard as
you think, and I promise to provide something concrete by the end of the
weekend.

> As to the PKI infrastructure, I don't think it is any harder to work this>
out than any of the other key management issues already in play.

>
> Well, it's a ton of work, and if I can take you on your offer of
> patches... we cannot provide a PKI infrastructure as a significant
> proportion of schools is disconnected, and we are not keen on imposing
> a complex school server setup procedure. So, assuming each XS does the
> classic self-signed-cert creation, what we want to do is to follow the
> current trust model, which is dead simple: the XO trusts the XS that
> it is registered to.
>

I am puzzled about the PKI infrastructure you envision.  I envision having a
private certificate authority that runs on the teacher's XO and keeps its
keystore on a USB thumb drive.  So my favorite CA tool is TinyCA (currently
version2) which is written in Perl.  This works very well for me, it has a
GTK interface and does its PKI using OpenSSL like everyone else.  This is
what I am going to use and document to create the certs.


>
> During the registration, the XO gives the XS its public SSH key. We need to
>
>  - change the "Registration" protocol to grab the public part of the
> self-signed cert, and add an exception to the PKI checks in Browse.
> The registration stuff is implemented in a tool called idmgr (XS side)
> and in Sugar profile (XO side). If you looking at idmgr is horrible
> enough that you want to help me reimplement it, I have further notes
> on that track ;-) We also need to tackle the protocol change in a
> reasonably backwards compat manner.
>

Please point me to your notes on this, if you would be so kind.


>
>  - figure out a way to use the existing SSH key that the XO has as the
> SSL client cert, and to detect it, and match it on the server side.


There are a couple of ways this can work.  I will implement this in my POC.


>
> The server-side apache-embedded code we are doing with mod_python
> handlers, and this is a perfect fit for an authen handler.
>

Not promising to do the Apache side in Python for the POC.  I write in Perl
by choice, so hold your nose.  But are you planning to use Apache or
lighttpd for the lightweight XS?


>
> Counting on your help to break this silly thread with actual working code
> :-)
>

I'm happy to oblige!  At last a project that doesn't require me to create a
GUI.  Brickbats regarding this plan of action are gratefully accepted.

Carol Lerche
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.laptop.org/pipermail/devel/attachments/20080708/9ca0753c/attachment.html>


More information about the Devel mailing list