[sugar] (another) WebKit port of Browse

Martin Langhoff martin.langhoff
Tue Jul 8 14:07:44 EDT 2008


On Tue, Jul 8, 2008 at 2:27 PM, Carol Lerche <cafl at msbit.com> wrote:
> I can certainly produce a proof of concept for the first,
> using client certs via Scott's Firefox 3.  I don't think it is as hard as
> you think, and I promise to provide something concrete by the end of the
> weekend.

Thanks! [ but do see my note at the end ]

> I am puzzled about the PKI infrastructure you envision.  I envision having a
> private certificate authority that runs on the teacher's XO and keeps its
> keystore on a USB thumb drive.  So my favorite CA tool is TinyCA (currently
> version2) which is written in Perl.  This works very well for me, it has a
> GTK interface and does its PKI using OpenSSL like everyone else.  This is
> what I am going to use and document to create the certs.

That seems to require a fairly complex setup, and is vulnerable to
losing the USB drive.

>>  - change the "Registration" protocol to grab the public part of the
...
> Please point me to your notes on this, if you would be so kind.

There aren't any, unfortunately. I had to read idmgr to understand the
protocol - so read the source. It is a trivial XML-RPC.

>>  - figure out a way to use the existing SSH key that the XO has as the
>> SSL client cert, and to detect it, and match it on the server side.
>
> There are a couple of ways this can work.  I will implement this in my POC.

Cool.

>> The server-side apache-embedded code we are doing with mod_python
>> handlers, and this is a perfect fit for an authen handler.
>
> Not promising to do the Apache side in Python for the POC.  I write in Perl
> by choice, so hold your nose.  But are you planning to use Apache or
> lighttpd for the lightweight XS?

I am a happy Perl hacker in Python land too, and I am finding that
mod_python hacking is similar to mod_perl hacking. Anyway, if you can
sort out the rest, I can probably deal with the mod_python bit :-)

And yes - using apache so far.

>> Counting on your help to break this silly thread with actual working code
>> :-)
>
> I'm happy to oblige!  At last a project that doesn't require me to create a
> GUI.  Brickbats regarding this plan of action are gratefully accepted.

Note: The only thing that saddens me is that basing it on FF turns
your help into more of a political wedge than technical help. The two
issues (auth, browser) are orthogonal. Short term, we need the
authentication stuff. Scott's mumblings are about future scenarios,
and are missing a lot of aspects - see jg's post. In the best of
cases, it is a medium-term thing.

And it is odd timing to be talking about "ah, let's change the
browser" when everyone tries to focus on 8.2.0. For example, if you do
it on Browse instead of FF, and it is a neat patch, we could argue for
inclusion in a minor update (say, 8.2.1) as it enables proper
operation of the "restore" part of backup :-)

And that means proper backup/restore is in the hands of thousands of
kids many MANY moons earlier. Just to put the jockeying in
perspective.



m
-- 
 martin.langhoff at gmail.com
 martin at laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff


