[sugar] XO identity shared via Browse

Sebastian Silva sebastian at fuentelibre.org
Tue Dec 2 18:35:08 EST 2008


Heh, so it ends up I did have an interesting unintended proposal to make.

Then, if it was to use OpenID, it would be in a novel way. Still it
does make perfect sense. See:

1.- The user requests access.
2.- The server checks with his laptop.
3.- The laptop confirms the user is requesting from it.
4.- The server considers the user identified.

This looks like bending the scope of OpenID but in reality it is not.
It was intended all along that Identity Providers can be pretty much
anything or validate against anything (not just user/pass but also
say, biometrics).

To implement this would be much more standard and much less
*"magical"* than underground ;-) ssh tunneling voodoo. It's even sort
of intuitive.

Now it really becomes interesting when the laptop uses face / voice
recognition to validate your identity... Heheh. ( /me puts on his
tinfoil hat ).

So for the laptop to be your identity provider, it needs a FQDN. If
the schoolserver has one by Dynamic DNS, can't it also provide DNS for
the CNAME?

As in say:     sebalaptop1.myschool.myregionsdns.edu...
Being the "myschool" dns subdomain administered by the school server?

If Scott can provide one domain name per laptop, then I really think
this is the most sensible, simple and standard solution.

Let activities deal with OpenID themselves, there are libraries in
python for it.
This also sidesteps all weird sorcery regarding communicating with Browse.

Sebastian

2008/12/2 Benjamin M. Schwartz <bmschwar at fas.harvard.edu>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Luke Faraone wrote:
>> On Tue, Dec 2, 2008 at 17:29, Benjamin M. Schwartz <bmschwar at fas.harvard.edu
>>> wrote:
>>
>>> You misunderstand our purpose.  The immediate technical goal is to
>>> authenticate that a given connection goes to a particular XO.  The machine
>>> itself then becomes the identifying token used to authenticate the
>>> identity of the user.
>>
>>
>> Unfortunately that will only work for web applications which are
>> "sugar-aware"; the plus of openID is it's one standard, and everyone (soon)
>> will support it.
>
> This situation is confusing; perhaps Sebastian is right.  OpenID 1.0
> identities are URLs, so in order for the XO to be the identity provider,
> it must have at least one guaranteed FQDN.  The DNS system then provides
> the authentication mechanism.  If Scott is able to achieve his goal of One
> Domain Name Per Laptop, then this seems entirely reasonable.  We can run
> an identity provider on the laptop as a trivial HTTP server.
>
> If we cannot come up with a way to provide persistent DNS (or for OpenID
> 2.0, even XRI) names for each laptop, then we cannot run the identity
> providers on the laptops.
>
> - --Ben
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.9 (GNU/Linux)
>
> iEYEARECAAYFAkk1u0YACgkQUJT6e6HFtqQeYwCdHwKz11clxtT/YKKCVkCz/ZNi
> G9wAnjojHcjUyWgkwy1wSzl6uQ+Uzuh0
> =2nk7
> -----END PGP SIGNATURE-----
>



-- 
Sebastian Silva
Iniciativa FuenteLibre
http://blog.sebastiansilva.com/
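
An added sketch (not code from this thread or from Sugar) of steps 1-4 in the message above, using the OpenID 1.1 signature format (HMAC-SHA1 over `key:value` lines). The zone name, the addresses, the pre-shared MAC key (normally set up by an OpenID association) and the rule that the laptop confirms only requests arriving from its own addresses are all assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

SCHOOL_ZONE = "myschool.example"  # constructed zone, assumed to be run by the school server
LAPTOP_ID = "http://sebalaptop1.myschool.example/"  # constructed identity URL
SIGNED = ["mode", "identity", "return_to"]

def sign(mac_key, fields):
    # OpenID 1.1 token contents: one "key:value\n" line per signed field, in list order.
    token = "".join(f"{k}:{fields[k]}\n" for k in SIGNED).encode()
    return base64.b64encode(hmac.new(mac_key, token, hashlib.sha1).digest()).decode()

def laptop_idp_respond(mac_key, request, peer_addr, own_addrs):
    """Steps 2-3: the laptop confirms only for a browser running on the laptop itself."""
    if peer_addr not in own_addrs or request["identity"] != LAPTOP_ID:
        return {"mode": "cancel"}
    fields = {"mode": "id_res", "identity": request["identity"],
              "return_to": request["return_to"]}
    return {**fields, "signed": ",".join(SIGNED), "sig": sign(mac_key, fields)}

def server_verify(mac_key, response, expected_return_to):
    """Step 4: accept only a correctly signed assertion for a name in the school zone."""
    if response.get("mode") != "id_res" or response.get("signed") != ",".join(SIGNED):
        return None
    if any(k not in response for k in SIGNED) or "sig" not in response:
        return None
    host = urlparse(response["identity"]).hostname or ""
    if not host.endswith("." + SCHOOL_ZONE):
        return None  # identity URL is not a laptop name the school server hands out
    if response["return_to"] != expected_return_to:
        return None  # assertion was issued for a different login request
    if not hmac.compare_digest(sign(mac_key, response), response["sig"]):
        return None  # forged or altered assertion
    return response["identity"]

if __name__ == "__main__":
    key = b"constructed-association-secret"
    req = {"identity": LAPTOP_ID, "return_to": "http://schoolserver.myschool.example/login"}
    own = {"127.0.0.1", "10.0.0.23"}  # constructed addresses of the laptop
    print(server_verify(key, laptop_idp_respond(key, req, "10.0.0.23", own), req["return_to"]))
    print(server_verify(key, laptop_idp_respond(key, req, "10.0.0.99", own), req["return_to"]))
```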
