Sorry...hit send too soon. The link <br><br><a href="http://boblord.livejournal.com/18402.html">http://boblord.livejournal.com/18402.html</a><br><br>shows how to get rid of the message.<br><br>To give the XS the identity of the client you send a certificate request to the server. This is in truth the public key of the client, which the server signs and sends back. Thus the client now has a client certificate signed by the server's CA.<br>
<br>There is a nice Firefox addon that manages this process for the issuer if one wishes there to be some manual oversight as to who is allowed to register (presumably some functionary at the school who oversees registration on the first day).<br>
<br>There is an underlying set of security utilities that belong to Mozilla (NSS libraries and tools) that can perform the cert request building, and would allow scripting to do the cert requesting under the covers.<br><br>
As an alternative to a strictly manual approval process for the cert requests, the XO process for submitting the cr could put the serial number in a field of the cert request to be checked automatically against a list of serial numbers on the server, such that the cert is returned automatically.<br>
<br>(Eagerly awaiting an eruption from Ivan).<br><br><div class="gmail_quote">On Tue, Feb 10, 2009 at 2:11 PM, Carol Farlow Lerche <span dir="ltr"><<a href="mailto:cafl@msbit.com">cafl@msbit.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><a href="http://boblord.livejournal.com/18402.html" target="_blank">http://boblord.livejournal.com/18402.html</a> <br>
<div><div></div><div class="Wj3C7c"><br><div class="gmail_quote">On Tue, Feb 10, 2009 at 1:20 PM, Martin Langhoff <span dir="ltr"><<a href="mailto:martin.langhoff@gmail.com" target="_blank">martin.langhoff@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">On Wed, Feb 11, 2009 at 4:57 AM, Simon Schampijer <<a href="mailto:simon@schampijer.de" target="_blank">simon@schampijer.de</a>> wrote:<br>
>> Thoughts? Opinions? Code?<br>
>><br>
>> cheers,<br>
><br>
> I wonder if it would not be best to generate a cert per user when we<br>
> authenticate the first time with the XS and add this then to the cert8.db in<br>
> the profile. This works fine - rainbow wise - as we do this already for the<br>
> OLPC - Root CA.<br>
<br>
How do we<br>
<br>
- get the cert of the XS ahead of time and mark it as trusted to<br>
avoid the "self-signed cert bad!" screen?<br>
<br>
- give the XS our cert so it knows who we are?<br>
<br>
see the 'Plan A' (in my opening post) for further notes.<br>
<br>
<br>
<br>
m<br>
--<br>
<a href="mailto:martin.langhoff@gmail.com" target="_blank">martin.langhoff@gmail.com</a><br>
<a href="mailto:martin@laptop.org" target="_blank">martin@laptop.org</a> -- School Server Architect<br>
- ask interesting questions<br>
- don't get distracted with shiny stuff - working code first<br>
- <a href="http://wiki.laptop.org/go/User:Martinlanghoff" target="_blank">http://wiki.laptop.org/go/User:Martinlanghoff</a><br>
_______________________________________________<br>
Sugar-devel mailing list<br>
<a href="mailto:Sugar-devel@lists.sugarlabs.org" target="_blank">Sugar-devel@lists.sugarlabs.org</a><br>
<a href="http://lists.sugarlabs.org/listinfo/sugar-devel" target="_blank">http://lists.sugarlabs.org/listinfo/sugar-devel</a><br>
</blockquote></div><br><br clear="all"><br></div></div><font color="#888888">-- <br>"It is difficult to get a man to understand something, when his salary depends upon his not understanding it." -- Upton Sinclair<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>"It is difficult to get a man to understand something, when his salary depends upon his not understanding it." -- Upton Sinclair<br>
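As an added example (not code from this thread or from the Sugar/XS projects) of the enrolment flow described above, a Python sketch using the `cryptography` library rather than the NSS tools: the XO generates a key pair and a CSR that carries the laptop serial number in the subject, and the XS CA signs it only if that serial is on the enrolment list. The CA name, the serial numbers, the validity periods and the function names are all made up.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID
ALLOWED_SERIALS = {"SHF7260012A", "SHF7260034B"}  # constructed enrolment list
NOW = datetime.datetime.now(datetime.timezone.utc)

def make_xs_ca():
    # Hypothetical XS-side CA: a self-signed root used to sign client certs.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "XS School Server CA")])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def build_xo_csr(laptop_serial, username):
    # XO side: fresh key pair plus a CSR whose subject carries the laptop serial.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, username),
                         x509.NameAttribute(NameOID.SERIAL_NUMBER, laptop_serial)])
    return key, x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())

def sign_if_enrolled(csr, ca_key, ca_cert, allowed):
    # XS side: issue a cert only if the CSR proves possession of the private key and
    # names an enrolled serial. The serial is claimed, not proven, so it is consumed once.
    if not csr.is_signature_valid:
        return None
    attrs = csr.subject.get_attributes_for_oid(NameOID.SERIAL_NUMBER)
    if len(attrs) != 1 or attrs[0].value not in allowed:
        return None
    allowed.discard(attrs[0].value)  # a second request for the same serial is refused
    return (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))

def issued_by(cert, ca_cert):
    # Client-side check that the returned cert really carries the XS CA's signature.
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.issuer == ca_cert.subject
```

Because the serial in the CSR is asserted by the client, the list is treated as one-shot here; a deployment would also persist the consumed serials and ship the XS CA certificate to the XO ahead of time so the self-signed-certificate warning never appears.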