Re: Way to tell if it is an XO
On Thu, Dec 11, 2008 at 5:37 AM, John Gilmore [EMAIL PROTECTED] wrote:

> > Basically we want to offer a service just for the XOs and are working now on the authentication model.
>
> Why would you want to offer a service just for machines by one manufacturer? If a kid has an XO and also has a Mac, do you want your service to refuse to run on their Mac? If so, why? It seems to me like shooting the messenger. Why would you fail to provide service to someone who only had a Windows machine, or a Fedora machine that didn't happen to be an XO? What about an Ubuntu machine that DOES happen to be an XO, does it qualify?

I don't think you get the full picture of how things are here in Uruguay. Our target users will be kids with an XO and 98% of them don't have another computer. They don't have an internet connection at home, so I doubt there is ONE of them that has a MAC. Apart from that, it is not that I want to block every other hardware or software, it is just a way of restricting the use to kids in the Plan Ceibal (OLPC implementation in Uruguay) in order to make it commercially viable. This will be a service that many companies will have expenses to have it functioning and it is meant to be free just for those kids on Plan Ceibal.

> And are you sure that next year's XO software and hardware will continue to meet your test? Ultimately, what is an XO, for your purposes? Would an XO not running Sugar still be an XO? Do you even know whether you *want* next year's XO to work with your service, or not?

I don't know if you read my last email but we aren't going to restrict the use to just kids with XO by testing against hardware or software on the XO. We will by installing a signed certificate on each XO. This is a much safer way although it adds complexity to the deployment. We are going to use a shared certificate authority scheme following the OASIS WSS standard.

> It's far better to make your system depend on the presence of *features* that you depend on. If it needs a Python client, then ok, it doesn't run on machines without Python. X Window System dependency, ok, it's clear that Mac and Windows users will have to go an extra mile to use it. Test for features you actually need! Then don't add extra tests for random features (like /ofw/model) that you DON'T actually need.

Our client app does depend on X, python and some other libs inside the XO

> Almost all the schemes I see like this are poorly thought through -- like most vendors' DRM systems (the sort where they decommission the key server after a few years, then are surprised at the public protest, then change their mind). Perhaps yours is not, but that would be noteworthy.

Thanks for your comments John

> John

___
Devel mailing list
Devel@lists.laptop.org
http://lists.laptop.org/listinfo/devel
Re: Way to tell if it is an XO
Hey Martin!

The auth mechanism you mention is what we hoped for when we started working on this project :) So I am glad there's ppl working on that! It will help many other projects too, to have a reliable and secure auth mechanism to be deployed on school servers.

We basically had to propose one ourselves for the project definition because otherwise it wouldn't be approved but I personally think that having an auth method based on the school server is the way to go!

We decided to run the app on the XO end for various reasons, but it would be good to authenticate against the school server and route messages through the school server anyways.

Yes I am only working in Uruguay.

Thanks a lot!

Marcel

On Thu, Dec 11, 2008 at 11:27 AM, Martin Langhoff [EMAIL PROTECTED] wrote:

> 2008/12/10 Marcel Renaud [EMAIL PROTECTED]:
>
> > I will give you guys some background info on the project
> >
> > The goal of the project is to provide some way of communication between the children who have an XO and their parents and family.
>
> Hi Marcel,
>
> the project sounds very interesting. We are planning on building an XO to XS (School Server) authentication mechanism that could give you the kind of authentication you are after. And it would be trivial to have web-based UI on the XS -- which already knows who the user is -- to send those messages (relaying them to your xml-rpm/soap service).
>
> I mention this as an alternative -- seems like you're on your way already in building something XO based, and that's a valid path too. But it's also a lot more work :-)
>
> Are you working in Uruguay only?
>
> cheers,
>
> martin
>
> --
> [EMAIL PROTECTED]
> [EMAIL PROTECTED] -- School Server Architect
> - ask interesting questions
> - don't get distracted with shiny stuff
> - working code first
> - http://wiki.laptop.org/go/User:Martinlanghoff
Re: Way to tell if it is an XO
On Thu, Dec 11, 2008 at 11:46 AM, Marcel Renaud [EMAIL PROTECTED] wrote:

> We decided to run the app on the XO end for various reasons, but it would be good to authenticate against the school server and route messages through the school server anyways.

You might want to keep track of the discussion (on this same list) about Browse.xo and SSO to the XS.

> Yes I am only working in Uruguay.

Great - I am in Buenos Aires until January 7 if you are interested in talking.

hugs,

m

--
[EMAIL PROTECTED]
[EMAIL PROTECTED] -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff
- working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
Re: Way to tell if it is an XO
2008/12/10 Marcel Renaud [EMAIL PROTECTED]:

> I will give you guys some background info on the project
>
> The goal of the project is to provide some way of communication between the children who have an XO and their parents and family.

Hi Marcel,

the project sounds very interesting. We are planning on building an XO to XS (School Server) authentication mechanism that could give you the kind of authentication you are after. And it would be trivial to have web-based UI on the XS -- which already knows who the user is -- to send those messages (relaying them to your xml-rpm/soap service).

I mention this as an alternative -- seems like you're on your way already in building something XO based, and that's a valid path too. But it's also a lot more work :-)

Are you working in Uruguay only?

cheers,

martin

--
[EMAIL PROTECTED]
[EMAIL PROTECTED] -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff
- working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
Re: Way to tell if it is an XO
On Thu, Dec 11, 2008 at 11:51 AM, Martin Langhoff [EMAIL PROTECTED] wrote:

> On Thu, Dec 11, 2008 at 11:46 AM, Marcel Renaud [EMAIL PROTECTED] wrote:
>
> > We decided to run the app on the XO end for various reasons, but it would be good to authenticate against the school server and route messages through the school server anyways.
>
> You might want to keep track of the discussion (on this same list) about Browse.xo and SSO to the XS.

Thanks, I will.

> > Yes I am only working in Uruguay.
>
> Great - I am in Buenos Aires until January 7 if you are interested in talking.

Thank you very much.

Regards,

marcel

> hugs,
>
> m
>
> --
> [EMAIL PROTECTED]
> [EMAIL PROTECTED] -- School Server Architect
> - ask interesting questions
> - don't get distracted with shiny stuff
> - working code first
> - http://wiki.laptop.org/go/User:Martinlanghoff
Re: Way to tell if it is an XO
Thanks a lot for your answers.

Yes, I think shared credentials are the best way. Basically we want to offer a service just for the XOs and are working now on the authentication model. We are going to use webservices with WSS <http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss> and place a signed key on each XO that is going to use the service, to authenticate with the webservice provider.

Regards,

Marcel

On Tue, Dec 9, 2008 at 8:14 PM, Carl-Daniel Hailfinger [EMAIL PROTECTED] wrote:

> Hi,
>
> On 09.12.2008 22:37, Chris Ball wrote:
>
> > > Hello, I need to know what is a good way to find out if the local machine running a python script is an XO.
> >
> > One way might be to cat /ofw/model. If the file doesn't exist, or doesn't return a letter and number, you probably aren't running on an XO.
> >
> > > The goal is to check if the machine running the program is in fact an XO or some other machine, and to do it in a way that is very hard to fake from some other computer.
> >
> > I don't think making this hard to fake is possible, because any computer with root access can reply to your test in whatever way is necessary. I think you probably shouldn't try to accomplish this, or should try to use a different method such as a pre-shared credential.
>
> Yes, regardless of which test Marcel implements, it should be easy to fool the test in a few minutes.
>
> Regards,
>
> Carl-Daniel
>
> --
> http://www.hailfinger.org/
Re: Way to tell if it is an XO
On Wed, Dec 10, 2008 at 09:56:39AM -0200, Marcel Renaud wrote:

> Thanks a lot for your answers.
>
> Yes, I think shared credentials are the best way. Basically we want to offer a service just for the XOs and are working now on the authentication model. We are going to use webservices with WSS <http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss> and place a signed key on each XO that is going to use the service, to authenticate with the webservice provider.

Marcel,

Is it important to keep the credential(s) secret? If so:

* why?
* for how long?
* against what attack(s)?
* how?
* if (when) they leak, what next?

Also, what are the incentives for keeping the credentials secret? for publishing them?

Regards,

Michael
Re: Way to tell if it is an XO
Hey Michael!

I will give you guys some background info on the project

The goal of the project is to provide some way of communication between the children who have an XO and their parents and family. Since most of the parents don't have a computer nor internet access, we determined telephone is the best way to reach them. Some of them don't have cellphones either, but line telephones, most of them do.

My partner on this project and I work for a company that does text to speech and SMS2 to Phone Call services, so we are going to use the infrastructure for this project.

So we are developing a simple client app for Sugar and the XO, in order to let children write a message and send it to their parents. The message will be translated to speech, and the parents will receive it in a phone call on their home line or mobile device.

The message will be sent using web services and the transport will be SOAP over HTTP although the goal of the project was to base the authentication system on XMPP and also transport SOAP over XMPP. But for the prototype we aren't going to use XMPP.

We plan to offer this service just for the children and the security and authentication concerns are not to let anybody else use the service.

The only threat or attacks to the service is someone pretending to be a child with an XO to send messages since it is not free of charge for everyone, that's why we thought of WSS to prove authenticity, integrity and also that the message was originated by the sender.

There is no threat on the XO's end to my knowledge since it is a one way only communication system (Actually we did research for University and came up with XMPP using Jabber server to be the best way to achieve bidirectional communication) but this is a far bigger project because we need Jabber servers and authentication schemes to be used globally here in Uruguay and that is far from happening I think.)

Finally, this project is only a prototype and it will be very difficult to deploy nationwide since there are commercial issues to settle.

Anyways, hope I have been clear and thanks everyone for the support.

Marcel Renaud

On Wed, Dec 10, 2008 at 4:26 PM, Michael Stone [EMAIL PROTECTED] wrote:

> On Wed, Dec 10, 2008 at 09:56:39AM -0200, Marcel Renaud wrote:
>
> > Thanks a lot for your answers.
> >
> > Yes, I think shared credentials are the best way. Basically we want to offer a service just for the XOs and are working now on the authentication model. We are going to use webservices with WSS <http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss> and place a signed key on each XO that is going to use the service, to authenticate with the webservice provider.
>
> Marcel,
>
> Is it important to keep the credential(s) secret? If so:
>
> * why?
> * for how long?
> * against what attack(s)?
> * how?
> * if (when) they leak, what next?
>
> Also, what are the incentives for keeping the credentials secret? for publishing them?
>
> Regards,
>
> Michael
Re: Way to tell if it is an XO
On Tue, 2008-12-09 at 16:37 -0500, Chris Ball wrote:

> > Hello, I need to know what is a good way to find out if the local machine running a python script is an XO.
>
> One way might be to cat /ofw/model. If the file doesn't exist, or doesn't return a letter and number, you probably aren't running on an XO.

Note that this is not an upstream'd kernel interface and thus really shouldn't be being depended on...

Jeremy
Re: Way to tell if it is an XO
Hi Marcel,

> Hello, I need to know what is a good way to find out if the local machine running a python script is an XO.

One way might be to cat /ofw/model. If the file doesn't exist, or doesn't return a letter and number, you probably aren't running on an XO.

> The goal is to check if the machine running the program is in fact an XO or some other machine, and to do it in a way that is very hard to fake from some other computer.

I don't think making this hard to fake is possible, because any computer with root access can reply to your test in whatever way is necessary. I think you probably shouldn't try to accomplish this, or should try to use a different method such as a pre-shared credential.

Hope that helps,

- Chris.

--
Chris Ball [EMAIL PROTECTED]
Re: Way to tell if it is an XO
Hi,

On 09.12.2008 22:37, Chris Ball wrote:

> > Hello, I need to know what is a good way to find out if the local machine running a python script is an XO.
>
> One way might be to cat /ofw/model. If the file doesn't exist, or doesn't return a letter and number, you probably aren't running on an XO.
>
> > The goal is to check if the machine running the program is in fact an XO or some other machine, and to do it in a way that is very hard to fake from some other computer.
>
> I don't think making this hard to fake is possible, because any computer with root access can reply to your test in whatever way is necessary. I think you probably shouldn't try to accomplish this, or should try to use a different method such as a pre-shared credential.

Yes, regardless of which test Marcel implements, it should be easy to fool the test in a few minutes.

Regards,

Carl-Daniel

--
http://www.hailfinger.org/
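
The pre-shared credential approach recommended in this thread, sketched as an added example that is not code from any poster or from OLPC: the service trusts proof of possession of a per-laptop key instead of anything the client reports about its hardware, and a leaked key is handled by revoking that one laptop. It uses HMAC from the Python standard library as a stand-in for the WSS signed certificates Marcel describes; `Verifier`, `client_tag` and the device ids are hypothetical names.

```python
import hashlib
import hmac
import secrets


class Verifier:
    """Service side: one secret per enrolled laptop, single-use challenges."""

    def __init__(self):
        self._keys = {}        # device_id -> key installed at deployment
        self._revoked = set()  # device ids whose key is known to have leaked
        self._pending = {}     # device_id -> nonce awaiting a response

    def enroll(self, device_id):
        key = secrets.token_bytes(32)
        self._keys[device_id] = key
        return key

    def revoke(self, device_id):
        # A leaked key costs one device, not the whole deployment.
        self._revoked.add(device_id)

    def challenge(self, device_id):
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id, message, tag):
        nonce = self._pending.pop(device_id, None)  # consumed: no replay
        key = self._keys.get(device_id)
        if nonce is None or key is None or device_id in self._revoked:
            return False
        expected = hmac.new(key, nonce + message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def client_tag(key, nonce, message):
    """Laptop side: prove possession of the key and bind it to the message."""
    return hmac.new(key, nonce + message, hashlib.sha256).digest()


if __name__ == "__main__":
    server = Verifier()
    key = server.enroll("xo-0001")   # constructed device id
    msg = b"hola mama"               # constructed message
    nonce = server.challenge("xo-0001")
    tag = client_tag(key, nonce, msg)
    print("enrolled laptop:", server.verify("xo-0001", msg, tag))
    print("replayed request:", server.verify("xo-0001", msg, tag))
```

The key still lives on a machine its user controls, so this bounds the damage of a leak (per-device revocation, no replay) without making extraction impossible.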