On Mon, Jul 7, 2008 at 8:47 PM, Carol Lerche <[EMAIL PROTECTED]> wrote:
> Martin -- You state that ssl at the network layer is significant. The
> question is when and how much must ssl be used to authenticate with client
> certs? I believe it only needs to be used during initial authentication and
> again when properly designed cookies expire. Since each XO only

That's a good point.

> As to the PKI infrastructure, I don't think it is any harder to work this
> out than any of the other key management issues already in play.

Well, it's a ton of work, and if I can take you up on your offer of patches... We cannot provide a PKI infrastructure, as a significant proportion of schools are disconnected, and we are not keen on imposing a complex school server setup procedure.

So, assuming each XS does the classic self-signed-cert creation, what we want to do is to follow the current trust model, which is dead simple: the XO trusts the XS that it is registered to. During the registration, the XO gives the XS its public SSH key. We need to

- change the "Registration" protocol to grab the public part of the self-signed cert, and add an exception to the PKI checks in Browse. The registration stuff is implemented in a tool called idmgr (XS side) and in the Sugar profile (XO side). If looking at idmgr is horrible enough that you want to help me reimplement it, I have further notes on that track ;-) We also need to tackle the protocol change in a reasonably backwards-compatible manner.

- figure out a way to use the existing SSH key that the XO has as the SSL client cert, to detect it, and to match it on the server side. The server-side Apache-embedded code we are doing with mod_python handlers, and this is a perfect fit for an authen handler.

Counting on your help to break this silly thread with actual working code :-)

cheers,

m
--
[EMAIL PROTECTED]
[EMAIL PROTECTED] -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff
- working code first
- http://wiki.laptop.org/go/User:Martinlanghoff

_______________________________________________
Devel mailing list
Devel@lists.laptop.org
http://lists.laptop.org/listinfo/devel
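The second item above, matching the XO's registered SSH public key against the key inside the SSL client cert the XO presents, comes down to comparing the same RSA (n, e) pair in two encodings: the OpenSSH wire format stored at registration time, and the SubjectPublicKeyInfo (SPKI) DER embedded in the X.509 cert. The following is an added example, not code from idmgr, the XS or Sugar; it assumes RSA keys, Python 3 with only the standard library, and that the server side can get hold of the client cert's SPKI (for instance the output of `openssl x509 -pubkey -noout`, or by extracting it from the PEM mod_ssl exposes in SSL_CLIENT_CERT). The sample modulus is a constructed integer, not a real key, and the hypothetical XO serials are made up; the authen-handler plumbing around `match_client_cert` is left to mod_python.

```python
"""Match an XO's registered OpenSSH public key to the key in its X.509 client cert.

Added example (not XS/idmgr code). Assumes RSA keys and that the server can
obtain the client cert's SubjectPublicKeyInfo (SPKI) as PEM or DER.
"""
import base64
import hashlib
import struct

RSA_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1 rsaEncryption

# --- OpenSSH wire format (RFC 4253 6.6): "ssh-rsa", e, n as length-prefixed strings ---
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _mpint(x: int) -> bytes:
    # Extra 0x00 when the high bit is set keeps the value positive (mpint rule).
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

def ssh_rsa_line(n: int, e: int, comment: str = "xo") -> str:
    """Build an authorized_keys-style line, as stored by the XS at registration."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def parse_ssh_rsa_line(line: str):
    """Return (n, e) from an 'ssh-rsa AAAA... comment' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob, fields, off = base64.b64decode(parts[1]), [], 0
    while off < len(blob):
        (ln,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")

def ssh_fingerprint(line: str) -> str:
    """Colon-separated MD5 fingerprint of the key blob (the 2008-era ssh-keygen -l format)."""
    blob = base64.b64decode(line.split()[1])
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())

# --- Minimal DER: enough to build and read an RSA SubjectPublicKeyInfo ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(x: int) -> bytes:
    # Same leading-zero rule as mpint: DER INTEGER is two's complement.
    return _der(0x02, x.to_bytes((x.bit_length() + 8) // 8, "big"))

def spki_der(n: int, e: int) -> bytes:
    """SPKI = SEQ { SEQ { OID rsaEncryption, NULL }, BIT STRING { 0x00 || SEQ { n, e } } }"""
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))

def _tlv(buf: bytes, off: int = 0):
    """Read one DER tag/length/value at `off`; return (tag, value, next_offset)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + ln], off + ln

def spki_to_rsa(der: bytes):
    """Return (n, e) from an RSA SubjectPublicKeyInfo; reject non-RSA keys."""
    tag, body, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    _, alg, off = _tlv(body)
    _, oid, _ = _tlv(alg)
    if oid != RSA_OID:
        raise ValueError("client cert key is not rsaEncryption")
    tag, bits, _ = _tlv(body, off)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_pub, _ = _tlv(bits[1:])
    _, nb, off = _tlv(rsa_pub)
    _, eb, _ = _tlv(rsa_pub, off)
    return int.from_bytes(nb, "big"), int.from_bytes(eb, "big")

def spki_from_pem(pem: str) -> bytes:
    """DER from the PEM block `openssl x509 -pubkey -noout` prints."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(b64)

def spki_to_pem(der: bytes) -> str:
    return "-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(der).decode() + "-----END PUBLIC KEY-----\n"

# --- Server side: the lookup an authen handler would perform ---
def match_client_cert(spki: bytes, registered: dict):
    """registered maps XO serial -> ssh-rsa line given at registration.
    Returns the serial whose SSH key equals the cert's public key, else None."""
    n, e = spki_to_rsa(spki)
    for serial, line in registered.items():
        if parse_ssh_rsa_line(line) == (n, e):
            return serial
    return None

if __name__ == "__main__":
    # Constructed sample: an arbitrary 512-bit integer, NOT a real RSA modulus.
    n, e = (1 << 511) + 0x1234567, 65537
    registered = {"SHF0001": ssh_rsa_line(n, e, "xo-1"), "SHF0002": ssh_rsa_line(n + 2, e, "xo-2")}
    pem = spki_to_pem(spki_der(n, e))  # stands in for the presented client cert's key
    print(match_client_cert(spki_from_pem(pem), registered), ssh_fingerprint(registered["SHF0001"]))
```

In a deployment the dict would be whatever idmgr already keeps per registered XO, keyed by the fingerprint of the SSH blob rather than scanned linearly, and the handler would refuse the request when `match_client_cert` returns None or when `spki_to_rsa` raises on a non-RSA key; TLS itself has already proved possession of the private key by the time the handler sees the cert, so the only thing left to check is that the public half is one the XS registered.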