Re: [boinc_dev] Proposal: Simple Attach (Cookieless Installs)

2015-09-27 Thread Hugh Wormington
> Where is the nonce generated?

By the installer.


> If it is generated by the installer and passed to the account manager,
> how do we know who it came from?

The installer loads a browser on the url passing the "nonce" as a url
parameter. The receiving page is then able to associate it with a logged-in
user, after which the association is known.


A little side issue, for avoidance of lexical confusion: I'm a little
unsure if this is really a "nonce":

   - *Nonce:* is an arbitrary number that may only be used once in a secure
   communication exchange (see the diagram on this Wikipedia page). It doesn't
   carry any information itself.
   - *GUID:* A globally unique identifier (GUID, /ˈɡuːɪd/) is a unique
   reference number used as an identifier in computer software. The term
   "GUID" typically refers to various implementations of the universally
   unique identifier (UUID) standard (Wikipedia).

I think we're talking about a GUID which the installer generates at install
time and uses to identify itself to two different processes 1) the front
end web application 2) the account manager server.

(A CPID is a kind of GUID, but this one isn't a CPID, since CPIDs are
(AFAIK) generated by the BOINC project servers.)


So is it a nonce or a GUID?

Hugh


PS Many apologies if I'm teaching grandmothers to suck eggs (does that work
internationally??).


On 26 September 2015 at 02:56, Rom Walton wrote:

> In theory we could open up a browser with a URL like that.
>
> Where is the nonce generated?
>
> If it is generated from the account manager, how does the installer find
> it?
>
> If it is generated by the installer and passed to the account manager, how
> do we know who it came from?
>
> - Rom
>
> *From:* mblumb...@picador.net [mailto:mblumb...@picador.net] *On Behalf
> Of *Matthew Blumberg
> *Sent:* Friday, September 25, 2015 6:27 PM
> *To:* Rom Walton 
> *Cc:* Hugh Wormington ; Rytis Slatkevičius <
> ry...@gridrepublic.org>; BOINC Developers Mailing List <
> boinc_dev@ssl.berkeley.edu>
>
> *Subject:* Re: [boinc_dev] Proposal: Simple Attach (Cookieless Installs)
>
>
>
> So for GR/CE/PTP you end up with filenames like:
> gr_setup_asc_ODU0NjVfZWEwYWJkNjc4NDc2MjllMWFlOWVkM2I4YWRmZmZmZmY=.exe
>
> i'm really not comfortable with filenames like that
>
> for AMS, is it possible to:
>
>    1. open a browser window upon completion of install (*as is done
>    already); but instead of using return_url from the cookie, use instead the
>    URL from acct_mgr_url.xml, and append a random number as a parameter, e.g.
>    http://acctmgr.com/?return_id=[nonce]
>    2. and then also use that same return_id as the user email address
>    (e.g. as if the user had entered this into the email field when registering
>    manually)
>
> (*tristan/rytis/hught, pls add any clarification if i'm missing something
> or got something wrong)
>
> On Fri, Sep 25, 2015 at 10:21 AM, Rom Walton  wrote:
>
> A point of clarification.
>
> Everything the client needs to communicate with a project/account manager
> will be in project_init.xml or acct_mgr_url.xml.
>
> All that will be missing to do an attach is an authenticator.
>
> - Rom
>
> -Original Message-
> From: boinc_dev [mailto:boinc_dev-boun...@ssl.berkeley.edu] On Behalf Of
> Rom Walton
> Sent: Friday, September 25, 2015 10:02 AM
> To: Hugh Wormington ; Rytis Slatkevičius <
> ry...@gridrepublic.org>
> Cc: Matthew Blumberg ; BOINC Developers Mailing
> List 
> Subject: Re: [boinc_dev] Proposal: Simple Attach (Cookieless Installs)
>
> In essence this is what the setup cookie is for.
>
> In cases where there is a customized installer, everything the client
> needs will be in the project_init.xml or acct_mgr_url.xml (in the case of
> account managers) files.  BOINC will treat the setup cookie as opaque data
> and just send it back to https:///lookup_account.php.
>
> So for GR/CE/PTP you end up with filenames like:
> gr_setup_asc_ODU0NjVfZWEwYWJkNjc4NDc2MjllMWFlOWVkM2I4YWRmZmZmZmY=.exe
>
> The filename can be made shorter as it depends on how large you want your
> random piece of data to be.
>
> - Rom
>
> From: hugh.w...@gmail.com [mailto:hugh.w...@gmail.com] On Behalf Of Hugh
> Wormington
> Sent: Friday, September 25, 2015 6:56 AM
> To: Rytis Slatkevičius 
> Cc: Matthew Blumberg ; Rom Walton ;
> BOINC Developers Mailing List ; Tristan Olive
> 
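
The exchange described in the message above (an installer-generated id passed as a URL parameter and then associated with a logged-in user), sketched as an added example that is not part of the thread or of BOINC's code. All function and class names, the 128-bit id size and the ten-minute lifetime are assumptions; the account manager also refuses an id that has already been bound, so the value is both unique and single-use.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

TTL_SECONDS = 600  # assumed lifetime of an association nobody has redeemed


def installer_attach_url(acct_mgr_url):
    """Installer side: fresh 128-bit random id, appended as return_id."""
    return_id = secrets.token_urlsafe(16)  # 16 random bytes -> 22 URL-safe chars
    return return_id, acct_mgr_url + "?" + urlencode({"return_id": return_id})


class AccountManager:
    """Server side (hypothetical): binds a return_id to the logged-in user."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # return_id -> (user, expiry time)
        self.seen = set()  # every id ever bound: catches duplicates and replays

    def bind(self, url, logged_in_user):
        """Called by the landing page, only for an authenticated session."""
        ids = parse_qs(urlparse(url).query).get("return_id", [])
        if len(ids) != 1 or len(ids[0]) < 22:
            return False  # missing, repeated or too-short id
        if ids[0] in self.seen:
            return False  # already bound once: never rebind to another user
        self.seen.add(ids[0])
        self.pending[ids[0]] = (logged_in_user, self.clock() + TTL_SECONDS)
        return True

    def redeem(self, return_id):
        """Called by the client: returns the bound user once, then never again."""
        user, expiry = self.pending.pop(return_id, (None, 0))
        return user if user is not None and self.clock() <= expiry else None
```

The id is a bearer value while it sits in the URL, so the short lifetime and the refusal to rebind are what limit its exposure in browser history or logs.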

Re: [boinc_dev] Proposal: Simple Attach (Cookieless Installs)

2015-09-27 Thread Rom Walton
GUID would be more appropriate.

I foresee a few problems with this approach though:

1. The ‘default’ browser wxWidgets detects may not be the browser the
volunteer downloaded BOINC with.

2. The manager would have to wait on the association to complete, which
means it has to know how to deal with whatever browser it launched.
(Basically the manager would have to know how each browser works: window
names, window class names, window titles, what events each window responds to.)
(This is actually a more complicated problem than dealing with cookies.)

3. We may never be able to find out if the association was successful
from the manager perspective.

4. Some browser plugins redirect errors and monkey with the error pages.
(Norton 360, Google Toolbar, Yahoo Toolbar, etc.)

5. There is a remote possibility that two machines can generate the same
GUID; without being able to check against the master list ahead of time, it
could happen.

This solution might look okay from a server perspective, but it is a monster 
from a client implementation perspective.

- Rom


From: hugh.w...@gmail.com [mailto:hugh.w...@gmail.com] On Behalf Of Hugh 
Wormington
Sent: Sunday, September 27, 2015 5:22 PM
To: Rom Walton 
Cc: Matthew Blumberg ; Hugh Wormington 
; Rytis Slatkevičius ; BOINC 
Developers Mailing List 
Subject: Re: [boinc_dev] Proposal: Simple Attach (Cookieless Installs)

> Where is the nonce generated?
By the installer.

> If it is generated by the installer and passed to the account manager, how do
> we know who it came from?
The installer loads a browser on the url passing the "nonce" as a url 
parameter. The receiving page is then able to associate it with a logged-in 
user, after which the association is known.

A little side issue, for avoidance of lexical confusion: I'm a little unsure
if this is really a "nonce":

  *   Nonce: is an arbitrary number that may only be used once in a secure
communication exchange (see the diagram on this Wikipedia page). It doesn't
carry any information itself.
  *   GUID: A globally unique identifier (GUID, /ˈɡuːɪd/) is a unique reference
number used as an identifier in computer software. The term "GUID" typically
refers to various implementations of the universally unique identifier (UUID)
standard (Wikipedia).

I think we're talking about a GUID which the installer generates at install 
time and uses to identify itself to two different processes 1) the front end 
web application 2) the account manager server.
(A CPID is a kind of GUID, but this one isn't a CPID, since CPIDs are (AFAIK) 
generated by the BOINC project servers.)

So is it a nonce or a GUID?
Hugh

PS Many apologies if I'm teaching grandmothers to suck eggs (does that work 
internationally??).

On 26 September 2015 at 02:56, Rom Walton wrote:
In theory we could open up a browser with a URL like that.

Where is the nonce generated?

If it is generated from the account manager, how does the installer find it?

If it is generated by the installer and passed to the account manager, how do
we know who it came from?

- Rom

From: mblumb...@picador.net [mailto:mblumb...@picador.net] On Behalf Of
Matthew Blumberg
Sent: Friday, September 25, 2015 6:27 PM
To: Rom Walton
Cc: Hugh Wormington; Rytis Slatkevičius; BOINC Developers Mailing List

Subject: Re: [boinc_dev] Proposal: Simple Attach (Cookieless Installs)

So for GR/CE/PTP you end up with filenames like:
gr_setup_asc_ODU0NjVfZWEwYWJkNjc4NDc2MjllMWFlOWVkM2I4YWRmZmZmZmY=.exe


i'm really not comfortable with filenames like that

for AMS, is it possible to  :

  1.  open a browser window upon completion of install (*as is done already);
but instead of using return_url from the cookie, use instead the URL from
acct_mgr_url.xml, and append a random number as a parameter, e.g.
http://acctmgr.com/?return_id=[nonce]
  2.  and then also use that same return_id as the user email address (e.g. as
if the user had entered this into the email field when registering manually)

(*tristan/rytis/hught, pls add any clarification if i'm missing something or 
got something wrong)





On Fri, Sep 25, 2015 at 10:21 AM, Rom Walton wrote:
A point of clarification.

Everything the client needs to communicate with a project/account manager will 
be in