On Sat, Jul 3, 2010 at 8:09 AM, Bernie Innocenti <ber...@codewiz.org> wrote:
> El Thu, 01-07-2010 a las 20:55 -0600, Daniel Drake escribió:
>> Child connects to a network, perhaps just to go online outside of
>> school. The network has an XS. The laptop registers. The journal is
>> backed up to the server.
>
> Ok, this is a serious security issue.
Ho hum. Remove the "serious" and I'll agree. Low pri at the moment.
> How about asking the user to confirm registration to an unknown server,
> like ssh does? For slightly improved security, we could hash the ssh
> fingerprint to a color pair, so the teacher could say "your schoolserver
> is blue and red, don't register to any other".
Nope. It'd be easy to "brute force" ("gentle force"?) to get the
appropriate colours. As you've already figured out, asking a 6-y-o to
check an ssh fingerprint is not the fix either...
A real fix is to upgrade the reg protocol to be signed -- we can copy
the OAT protocol, and use/reuse the OAT keys.
To be "secure" then, the XS needs to have a valid OAT delegation.
> plenty of scary webapps.
*You* are a scary webapp ;-)
In more serious terms, I hope you can tone down the level of scare
about security. For starters: We don't handle bank acct or CC info.
And we don't require users to login to their own user sessions.
cheers,
m
--
martin.langh...@gmail.com
mar...@laptop.org -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff - working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
_______________________________________________
Server-devel mailing list
server-de...@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel
