Martin Langhoff wrote:
> - A backchannel call using SSH
> - A challenge-response call using the fact that the XS knows the
> public SSH key of the XO.

You really like SSH! I'm less sure, though. I'd prefer a standard system.

One interesting option is OpenID authentication over Jabber (standardized as XEP-0070), e.g. http://openid.xmpp.za.net/. In this system, OpenID authentication requests appear to the user as chat messages. This means that the Identity Provider can live on any jabber server with which the school server is federated. In fact, if we can accept standard chat invitations in the UI, we could simply federate the school server with xmpp.za.net and declare victory!

Architecturally, this approach is appealing to me because Jabber IDs, not SSH pubkeys, are our principal identifiers. It also gives us the flexibility of putting the identity provider almost anywhere. If the XO runs its own jabber server, then the identity provider can live on the XO or any jabber server with which the XO is federated.

An ideal form of this scheme would include creating an implementation of XEP-0070 (still standard-compliant) that sends the authentication approval request over XMPP in a machine-readable format, to be received by a consumer on the XO that approves or denies the request, possibly based on some interaction in a special-purpose GUI.

--Ben

_______________________________________________
Sugar mailing list
http://lists.laptop.org/listinfo/sugar
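The machine-readable consumer described in the last paragraph of the message above, as an added example that is not part of the original post and not Sugar or OLPC code: it parses a XEP-0070 `<confirm/>` request delivered as a message stanza, applies a local policy, and builds the approval or denial reply. The host names, JIDs, sample stanza and the `user_approves` flag (standing in for the GUI decision) are assumptions.

```python
import xml.etree.ElementTree as ET

AUTH = "http://jabber.org/protocol/http-auth"      # XEP-0070 namespace
CLIENT = "jabber:client"
STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"

# Assumed local policy (hypothetical values): who may ask, and for which URLs.
TRUSTED_REQUESTERS = {"schoolserver.example"}
ALLOWED_URL_PREFIX = "https://schoolserver.example/"

# Constructed sample of the confirmation request a server sends as a <message/>.
SAMPLE = """<message xmlns='jabber:client' from='schoolserver.example'
  to='xo-child@schoolserver.example/sugar'><thread>t-81</thread>
  <confirm xmlns='http://jabber.org/protocol/http-auth' id='a7374jnjlalasdf82'
    method='GET' url='https://schoolserver.example/moodle/login'/></message>"""

def handle_confirm(stanza_xml, user_approves):
    """Return (decision, reply_xml); reply_xml is None when nothing is sent."""
    if "<!DOCTYPE" in stanza_xml:          # XMPP forbids DTDs; refuse before parsing
        return "ignored", None
    msg = ET.fromstring(stanza_xml)
    confirm = msg.find(f"{{{AUTH}}}confirm")
    if msg.tag != f"{{{CLIENT}}}message" or confirm is None:
        return "ignored", None
    sender = msg.get("from", "")
    # Policy is checked before the user's answer counts: a click in the GUI
    # cannot approve a request from an unknown server or for a foreign URL.
    ok = (sender in TRUSTED_REQUESTERS
          and confirm.get("url", "").startswith(ALLOWED_URL_PREFIX)
          and bool(confirm.get("id"))
          and user_approves)
    reply = ET.Element(f"{{{CLIENT}}}message",
                       {"to": sender, "from": msg.get("to", "")})
    thread = msg.find(f"{{{CLIENT}}}thread")
    if thread is not None:                 # keep the thread so the server can correlate
        reply.append(thread)
    reply.append(confirm)                  # echo id/method/url unchanged
    if not ok:                             # denial: error reply with <not-authorized/>
        reply.set("type", "error")
        err = ET.SubElement(reply, f"{{{CLIENT}}}error",
                            {"code": "401", "type": "auth"})
        ET.SubElement(err, f"{{{STANZAS}}}not-authorized")
    return ("approved" if ok else "denied"), ET.tostring(reply, encoding="unicode")

if __name__ == "__main__":
    print(handle_confirm(SAMPLE, user_approves=True))
```

The requesting server still has to match the echoed `id` against the transaction it started, so the consumer must return that attribute unmodified.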

