[Sugar-devel] [sugar] XO identity shared via Browse

[Sebastian Silva]

Tomeu Vizoso wrote:
> Second, we may need to think a bit about how we are going to resource
> this task. Simon is the Browse maintainer and has a good knowledge of
> its internals, though Marco and me have hacked occasionally on it.
> AFAIK, none of us have a good knowledge of security issues and use to
> ask Michael for advice. And the third knowledge area involved is the
> school server, with Martin on the wheel.
>   
It looks like currently different custom solutions are being tried but 
nothing has been decided that is a Standard. Once we agree on that, 
stakeholders for it perhaps should own it and coordinate on it instead 
of each reinventing the wheel (or we making up some "custom" magic 
instead of a good standard). I know I'm a stakeholder for this, but 
can't lead it, I'd like to help as much as I can.
> So I propose that server and security experts discuss the different
> possibilities first and then ask the sugar people about how best to
> implement the client side of this. Mozilla gives us lots of hooks for
> altering  the conversation between the browser and the server, so we
> have a good deal of flexibility there that we can take advantage of.
>   
Yes, one thing though: As Adam correctly pointed out to me, security is 
also about Usability. I'm not convinced laptop=user is a good policy and 
in our general educational mantra of not dumbing down the real world, my 
contention is that ONE user/pass combination is all a kid needs (if we 
use OpenID). Small kids are perfectly capable of understanding this 
concept (40% of kids in Uy already use GMail, btw that means they 
already have one openid - I'm suggesting the school should provide 
identity for its students and its teachers and NOT Google).
> So I'm cc'ing to devel at l.o and sugar-devel at s.o where OLPC and other
> Sugar deployers (I'm thinking specially on Brendan and Caroline) can
> discuss the different alternatives.
>   
Please lets not invent some magic voodoo way that only we can use to 
auth a laptop. We are solving one little problem by ignoring one much 
larger one. There is nothing to gain by saving kids from one password 
and forcing them to get new accounts for everything else.