(another) WebKit port of Browse
Carol Lerche
cafl at msbit.com
Tue Jul 8 13:27:17 EDT 2008
So there are two threads here, the first being authentication and the second
whether the standard browser could be used (I am still interested in a user
story as to why collaborative browsing is interesting/useful as opposed to a
shared bookmark or scrapbook). While I am mostly interested in the second
issue personally, I can certainly produce a proof of concept for the first,
using client certs via Scott's Firefox 3. I don't think it is as hard as
you think, and I promise to provide something concrete by the end of the
weekend.
> As to the PKI infrastructure, I don't think it is any harder to work this>
out than any of the other key management issues already in play.
>
> Well, it's a ton of work, and if I can take you on your offer of
> patches... we cannot provide a PKI infrastructure as a significant
> proportion of schools is disconnected, and we are not keen on imposing
> a complex school server setup procedure. So, assuming each XS does the
> classic self-signed-cert creation, what we want to do is to follow the
> current trust model, which is dead simple: the XO trusts the XS that
> it is registered to.
>
I am puzzled about the PKI infrastructure you envision. I envision having a
private certificate authority that runs on the teacher's XO and keeps its
keystore on a USB thumb drive. So my favorite CA tool is TinyCA (currently
version2) which is written in Perl. This works very well for me, it has a
GTK interface and does its PKI using OpenSSL like everyone else. This is
what I am going to use and document to create the certs.
>
> During the registration, the XO gives the XS its public SSH key. We need to
>
> - change the "Registration" protocol to grab the public part of the
> self-signed cert, and add an exception to the PKI checks in Browse.
> The registration stuff is implemented in a tool called idmgr (XS side)
> and in Sugar profile (XO side). If you looking at idmgr is horrible
> enough that you want to help me reimplement it, I have further notes
> on that track ;-) We also need to tackle the protocol change in a
> reasonably backwards compat manner.
>
Please point me to your notes on this, if you would be so kind.
>
> - figure out a way to use the existing SSH key that the XO has as the
> SSL client cert, and to detect it, and match it on the server side.
There are a couple of ways this can work. I will implement this in my POC.
>
> The server-side apache-embedded code we are doing with mod_python
> handlers, and this is a perfect fit for an authen handler.
>
Not promising to do the Apache side in Python for the POC. I write in Perl
by choice, so hold your nose. But are you planning to use Apache or
lighttpd for the lightweight XS?
>
> Counting on your help to break this silly thread with actual working code
> :-)
>
I'm happy to oblige! At last a project that doesn't require me to create a
GUI. Brickbats regarding this plan of action are gratefully accepted.
Carol Lerche
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.laptop.org/pipermail/devel/attachments/20080708/9ca0753c/attachment.html>
More information about the Devel
mailing list