<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">> I am puzzled about the PKI infrastructure you envision.  I envision having a<br> > private certificate authority that runs on the teacher's XO and keeps its<br> > keystore on a USB thumb drive.  So my favorite CA tool is TinyCA (currently<br> > version2) which is written in Perl.  This works very well for me, it has a<br> > GTK interface and does its PKI using OpenSSL like everyone else.  This is<br> > what I am going to use and document to create the certs.<br> <br> </div>That seems to require a fairly complex setup, and is vulnerable to<br> losing the usb drive.<br> <div class="Ih2E3d"></div></blockquote><div><br>The setup will be untarring a tarball.  I will put the tinyca code in the tarball, so it will be where the keys are.  Either the CA key material should be offline or we don't care.  If we don't care, no need to store it on a  USB drive.  Most people think CA key material should be stored offline, but it is not a significant implementation issue.<br> <br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d"><br> >>  - change the "Registration" protocol to grab the public part of the<br> </div>...<br> <div class="Ih2E3d">> Please point me to your notes on this, if you would be so kind.<br> <br> </div>There aren't any, unfortunately. I had to read idmgr to understand the<br> protocol - so read the source. It is a trivial xml-rpc.<br> <div class="Ih2E3d"></div></blockquote><div><br>Hmmm...I thought you said you had notes, but ok.<br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <div class="Ih2E3d"><br> </div>I am a happy Perl hacker in Python land too, and I finding that<br> mod_python hacking is similar to mod_perl hacking. Anyway, if you can<br> sort out the rest, I can probably deal with the mod_python bit :-)<br> <br> And yes - using apache so far.<br> <div class="Ih2E3d"></div></blockquote><div><br>Hope it installs ok on an XO, which is my target "fake XS" to mimic the low-end performance.<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <div class="Ih2E3d"><br> </div>Note: The only thing that saddens me is that basing it on FF turns<br> your help into more of a political wedge than technical help. The two<br> issues (auth, browser) are orthogonal. Short term, we need the<br> authentication stuff. Scott's mumblings are about future scenarios,<br> and are missing a lot of aspects - see jg's post. In the best of<br> cases, it is a medium-term thing.<br> </blockquote><div><br>The point of authentication is web authentication by the XO to the XS, I thought.  (After registration completes.)  That is what I am implementing in my POC.  If the browse activity in Joyride supports client certs in the same way Firefox does, I'll use it.  Otherwise I'll use Scott's Firefox 3 and the authentication for Browse will have to await implementation of client certs there.  This whole thread started by the assertion that Firefox 3 couldn't be used because it didn't support authentication.  So I'm pretty confused by your note.<br>  </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br> And it is odd timing to be talking about "ah, let's change the<br> browser" when everyone tries to focus on <a href="http://8.2.0." target="_blank">8.2.0.</a> For example, if you do<br> it on Browse instead of FF, and it is a neat patch, we could argue for<br> inclusion in a minor update (say, 8.2.1) as it enables proper<br> operation of the "restore" part of backup :-)<br> </blockquote><div><br>The patch is not to the browser, since proper browsers already implement client certs.<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <br> And that means proper backup/restore is in the hands of thousands of<br> kids many MANY moons earlier. Just to put the jockeying in<br> perspective.<br> <div><div></div><div class="Wj3C7c"><br> </div></div></blockquote><div><br>One thing at a time. <br></div></div><br clear="all"><br>-- <br>Frisbeetarianism is the belief that when you die, your soul goes up on the roof and gets stuck -- George Carlin