[Sugar-devel] Auto-authentication for Browse -
Simon Schampijer
simon at schampijer.de
Thu Feb 12 05:16:22 EST 2009
Martin Langhoff wrote:
> On Wed, Feb 11, 2009 at 11:18 PM, Martin Langhoff
> <martin.langhoff at gmail.com> wrote:
>> On Wed, Feb 11, 2009 at 10:25 PM, Andrés Ambrois
>>> I might be missing something, but you're storing the laptop serial number
>>> instead of the pubkey inside the cookie (unless /ofw/mfg-data/SN doesn't
>>> store a pubkey), which was the original plan C.
>> Good point. I didn't refer back to the spec. I think SN and the pubkey
>> are roughly equal in this situation
>>
>> - the XS has both
>> - if a 3rd party sniffs the cookie from the ether... is either of
>> them more damaging than the other?
>
> Having slept on this, I think it's better to use a hash of the pubkey.
> The SN is known by other XOs without sniffing, as all the XMPP traffic
> has it as your username/jid.
Right, and the SN is XO specific - though we want to use this mechanism
as well in non XO land.
Will look at the new patch now,
Simon