On Sat, Jul 3, 2010 at 8:09 AM, Bernie Innocenti <ber...@codewiz.org> wrote:
> On Thu, 01-07-2010 at 20:55 -0600, Daniel Drake wrote:
>> Child connects to a network, perhaps just to go online outside of
>> school. The network has an XS. The laptop registers. The journal is
>> backed up to the server.
>
> Ok, this is a serious security issue.

Ho hum. Remove the "serious" and I'll agree. Low pri at the moment.

> How about asking the user to confirm registration to an unknown server,
> like ssh does? For slightly improved security, we could hash the ssh
> fingerprint to a color pair, so the teacher could say "your schoolserver
> is blue and red, don't register to any other".

Nope. It'd be easy to "brute force" ("gentle force"?) to get the
appropriate colours. As you've already figured out, asking a 6-y-o to
check an ssh fingerprint is not the fix either...

A real fix is to upgrade the reg protocol to be signed -- we can copy
the OAT protocol, and use/reuse the OAT keys. To be "secure" then, the
XS needs to have a valid OAT delegation.

> plenty of scary webapps.

*You* are a scary webapp ;-)

In more serious terms, I hope you can tone down the level of scare
about security. For starters: We don't handle bank acct or CC info.
And we don't require users to login to their own user sessions.

cheers,

m
--
 martin.langh...@gmail.com
 mar...@laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff
_______________________________________________
Server-devel mailing list
server-de...@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel
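
The objection to the colour-pair idea can be quantified. The following is an added example, not code from the thread or from the XS project: it reduces a fingerprint to a colour pair and measures how few unrelated fingerprints need to be examined before one shows the same pair. The 16-colour palette, the SHA-256 mapping and all function names are assumptions, and the fingerprints are constructed random bytes rather than real keys.

```python
import hashlib
import math
import random

# Assumed palette: the thread does not say how many colours would be used.
PALETTE = ["red", "orange", "yellow", "green", "cyan", "blue", "purple", "pink",
           "brown", "black", "white", "grey", "lime", "navy", "teal", "maroon"]


def color_pair(fingerprint: bytes, palette=PALETTE):
    """Hash a key fingerprint down to an ordered pair of palette colours."""
    digest = hashlib.sha256(fingerprint).digest()
    n = len(palette)
    return palette[digest[0] % n], palette[digest[1] % n]


def effective_bits(palette=PALETTE) -> float:
    """Bits of the fingerprint that survive the reduction to a colour pair."""
    return math.log2(len(palette) ** 2)


def candidates_until_match(target_pair, rng, palette=PALETTE) -> int:
    """Count constructed random fingerprints drawn until one shows target_pair."""
    tries = 0
    while True:
        tries += 1
        candidate = rng.getrandbits(256).to_bytes(32, "big")
        if color_pair(candidate, palette) == target_pair:
            return tries


def mean_candidates(runs=200, seed=2010, palette=PALETTE) -> float:
    """Average number of unrelated fingerprints needed to collide on the pair."""
    rng = random.Random(seed)
    # Constructed stand-in for the real school server's fingerprint.
    target = color_pair(b"constructed-schoolserver-fingerprint", palette)
    total = sum(candidates_until_match(target, rng, palette) for _ in range(runs))
    return total / runs


if __name__ == "__main__":
    print("colour pair keeps %.0f bits of a 256-bit fingerprint" % effective_bits())
    print("mean fingerprints examined before a match: %.0f" % mean_candidates())
```

With 16 colours the check keeps 8 bits, so a match turns up after about 256 candidates on average; a signed registration, as proposed in the reply, does not depend on what a child can compare by eye.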