[sugar] XO identity shared via Browse

Benjamin M. Schwartz bmschwar at fas.harvard.edu
Tue Dec 2 18:29:19 EST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin Langhoff wrote:
>  - A backchannel call using SSH
>  - A challenge-response call using the fact that the XS knows the
> public SSH key of the XO. 

You really like SSH!

I'm less sure, though.  I'd prefer a standard system.  One interesting
option is OpenID authentication over Jabber (standardized as XEP-0070),
e.g. http://openid.xmpp.za.net/.  In this system, OpenID authentication
requests appear to the user as chat messages.  This means that the
Identity Provider can live on any jabber server with which the school
server is federated.  In fact, if we can accept standard chat invitations
in the UI, we could simply federate the school server with xmpp.za.net and
declare victory!

Architecturally, this approach is appealing to me because Jabber IDs, not
SSH pubkeys, are our principal identifiers.  It also gives us the
flexibility of putting the identity provider almost anywhere.  If the XO
runs its own jabber server, then the identity provider can live on the XO
or any jabber server with which the XO is federated.

An ideal form of this scheme would include creating an implementation of
XEP-0070 (still standard-compliant) that sends the authentication approval
request over XMPP in a machine-readable format, to be received by a
consumer on the XO that approves or denies the request, possibly based on
some interaction in a special-purpose GUI.

- --Ben
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkk1xM8ACgkQUJT6e6HFtqQYOwCfX94DBVpPikPkvmDGkaXYezgV
Ql0AoIg7iizkouSv7Ake6856qJT/GqRM
=SJ0s
-----END PGP SIGNATURE-----
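The last paragraph of the message sketches an approval request sent over XMPP in a machine-readable form, consumed by something on the XO that approves or denies it. The example below is an added illustration and is not code from the email, from Sugar or from the school server; it models the request/response shape with the `<confirm/>` element XEP-0070 defines (namespace `http://jabber.org/protocol/http-auth`, attributes `id`, `method`, `url`), carried in message stanzas. The JIDs, the server name and the URL are made up, and because there is no real XMPP server in the loop, the `from` attribute on the reply is supplied by the simulated client rather than stamped by a server, which is what the verifier would rely on in deployment. The verifier side shows the checks a practitioner would want: the transaction id is unpredictable and single-use, the reply must come from the bare JID named in the original request, and an error reply (`not-authorized`) is treated as a denial.

```python
"""Added example (not part of the original email): a XEP-0070-style
confirmation exchange.  A server that received an HTTP request asks the
JID named in that request to confirm it with a machine-readable
<confirm/> element; the XO side parses that element and answers.
All JIDs, hostnames and URLs below are constructed for the example."""
import secrets
import xml.etree.ElementTree as ET

HTTP_AUTH_NS = "http://jabber.org/protocol/http-auth"   # XEP-0070 namespace
STANZA_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"        # RFC 6120 error conditions
SERVER_JID = "auth.schoolserver.example"                 # assumed server JID


def bare(jid):
    """Strip the resource part: the HTTP request only names a bare JID."""
    return jid.split("/", 1)[0]


class HttpAuthVerifier:
    """Server side: issues one-time confirmation challenges and checks replies."""

    def __init__(self):
        self.pending = {}   # transaction id -> (bare jid, method, url)

    def challenge(self, jid, method, url):
        tid = secrets.token_hex(16)          # unpredictable, single-use id
        self.pending[tid] = (bare(jid), method, url)
        msg = ET.Element("message", {"from": SERVER_JID, "to": jid})
        # Human-readable body for plain chat clients, plus the machine-readable element.
        ET.SubElement(msg, "body").text = f"Confirm {method} {url}? (transaction {tid})"
        ET.SubElement(msg, "confirm",
                      {"xmlns": HTTP_AUTH_NS, "id": tid, "method": method, "url": url})
        return ET.tostring(msg, encoding="unicode")

    def verify(self, reply_xml):
        """True only for a non-error reply whose id, sender, method and url all
        match a pending challenge.  The id is consumed whatever the outcome."""
        msg = ET.fromstring(reply_xml)
        confirm = msg.find(f"{{{HTTP_AUTH_NS}}}confirm")
        if confirm is None:
            return False
        expected = self.pending.pop(confirm.get("id"), None)   # each id answers once
        if expected is None or msg.get("type") == "error":
            return False
        sender = bare(msg.get("from", ""))
        return expected == (sender, confirm.get("method"), confirm.get("url"))


def client_reply(challenge_xml, client_jid, approve):
    """XO side: parse the challenge and answer it.  `approve` stands in for the
    user's decision in the special-purpose GUI the message imagines."""
    msg = ET.fromstring(challenge_xml)
    confirm = msg.find(f"{{{HTTP_AUTH_NS}}}confirm")
    echoed = {"xmlns": HTTP_AUTH_NS, "id": confirm.get("id"),
              "method": confirm.get("method"), "url": confirm.get("url")}
    reply = ET.Element("message", {"from": client_jid, "to": msg.get("from")})
    if not approve:
        # Denial: an error stanza carrying <not-authorized/>.
        reply.set("type", "error")
        err = ET.SubElement(reply, "error", {"type": "auth"})
        ET.SubElement(err, "not-authorized", {"xmlns": STANZA_NS})
    ET.SubElement(reply, "confirm", echoed)   # approval echoes the element unchanged
    return ET.tostring(reply, encoding="unicode")


def demo():
    """Run the four cases a verifier must get right; returns their outcomes."""
    v = HttpAuthVerifier()
    xo = "xo-1234@schoolserver.example/sugar"
    url = "https://schoolserver.example/openid/login"
    ch = v.challenge(xo, "GET", url)
    approved = v.verify(client_reply(ch, xo, approve=True))
    replayed = v.verify(client_reply(ch, xo, approve=True))      # same id again
    ch2 = v.challenge(xo, "GET", url)
    forged = v.verify(client_reply(ch2, "mallory@evil.example/x", approve=True))
    ch3 = v.challenge(xo, "GET", url)
    denied = v.verify(client_reply(ch3, xo, approve=False))
    return approved, replayed, forged, denied


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

In a real deployment the XMPP server, not the client, sets the `from` on delivered stanzas, so the sender check in `verify` holds as long as the school server trusts the servers it federates with to do that; that trust boundary is exactly what federating with an arbitrary identity provider widens.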
