ssl authentication [was (another) WebKit port of Browse]

Carol Lerche cafl at msbit.com
Tue Jul 8 14:46:04 EDT 2008 

> > I am puzzled about the PKI infrastructure you envision.  I envision
> having a
> > private certificate authority that runs on the teacher's XO and keeps its
> > keystore on a USB thumb drive.  So my favorite CA tool is TinyCA
> (currently
> > version2) which is written in Perl.  This works very well for me, it has
> a
> > GTK interface and does its PKI using OpenSSL like everyone else.  This is
> > what I am going to use and document to create the certs.
>
> That seems to require a fairly complex setup, and is vulnerable to
> losing the usb drive.
>

The setup will be untarring a tarball.  I will put the tinyca code in the
tarball, so it will be where the keys are.  Either the CA key material
should be offline or we don't care.  If we don't care, no need to store it
on a  USB drive.  Most people think CA key material should be stored
offline, but it is not a significant implementation issue.


> >>  - change the "Registration" protocol to grab the public part of the
> ...
> > Please point me to your notes on this, if you would be so kind.
>
> There aren't any, unfortunately. I had to read idmgr to understand the
> protocol - so read the source. It is a trivial xml-rpc.
>

Hmmm...I thought you said you had notes, but ok.


> I am a happy Perl hacker in Python land too, and I finding that
> mod_python hacking is similar to mod_perl hacking. Anyway, if you can
> sort out the rest, I can probably deal with the mod_python bit :-)
>
> And yes - using apache so far.
>

Hope it installs ok on an XO, which is my target "fake XS" to mimic the
low-end performance.


>
> Note: The only thing that saddens me is that basing it on FF turns
> your help into more of a political wedge than technical help. The two
> issues (auth, browser) are orthogonal. Short term, we need the
> authentication stuff. Scott's mumblings are about future scenarios,
> and are missing a lot of aspects - see jg's post. In the best of
> cases, it is a medium-term thing.
>

The point of authentication is web authentication by the XO to the XS, I
thought.  (After registration completes.)  That is what I am implementing in
my POC.  If the browse activity in Joyride supports client certs in the same
way Firefox does, I'll use it.  Otherwise I'll use Scott's Firefox 3 and the
authentication for Browse will have to await implementation of client certs
there.  This whole thread started by the assertion that Firefox 3 couldn't
be used because it didn't support authentication.  So I'm pretty confused by
your note.


>
> And it is odd timing to be talking about "ah, let's change the
> browser" when everyone tries to focus on 8.2.0. For example, if you do
> it on Browse instead of FF, and it is a neat patch, we could argue for
> inclusion in a minor update (say, 8.2.1) as it enables proper
> operation of the "restore" part of backup :-)
>

The patch is not to the browser, since proper browsers already implement
client certs.


>
> And that means proper backup/restore is in the hands of thousands of
> kids many MANY moons earlier. Just to put the jockeying in
> perspective.
>
>
One thing at a time.


-- 
Frisbeetarianism is the belief that when you die, your soul goes up on the
roof and gets stuck -- George Carlin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.laptop.org/pipermail/devel/attachments/20080708/b8477bde/attachment.html>

More information about the Devel mailing list