[Sugar-devel] Auto-authentication for Browse -

Martin Langhoff martin.langhoff at gmail.com
Wed Feb 11 19:29:08 EST 2009


On Wed, Feb 11, 2009 at 11:18 PM, Martin Langhoff
<martin.langhoff at gmail.com> wrote:
> On Wed, Feb 11, 2009 at 10:25 PM, Andrés Ambrois
>> I might be missing something, but you're storing the laptop serial number
>> instead of the pubkey inside the cookie (unless /ofw/mfg-data/SN doesn't
>> store a pubkey), which was the original plan C.
>
> Good point. I didn't refer back to the spec. I think SN and the pubkey
> are roughly equal in this situation
>
>  - the XS has both
>  - if a 3rd party sniffs the cookie from the ether... is either of
> them more damaging than the other?

Having slept on this, I think it's better to use a hash of the pubkey.
The SN is known by other XOs without sniffing, as all the XMPP traffic
has it as your username/jid.

The pubkey hash is less widely known.

Fleshing out a new patch...



m
-- 
 martin.langhoff at gmail.com
 martin at laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff  - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff

