[Systems] SSO (was: Re: SNI)

Sascha Silbe sascha-ml-reply-to-2010-2 at silbe.org
Sun Sep 5 18:16:51 EDT 2010


Excerpts from Bernie Innocenti's message of Sun Sep 05 22:54:34 +0200 2010:

> > could I set up a VHost bugs-sso.sugarlabs.org and have it ask for client
> > certificates while all other VHosts do not request them? That would
> > even avoid the need to set this up on a separate IP address.
> > With SNI this should be possible, but I don't know whether Apache
> > actually supports it.
> 
> I don't know either... feel free to try and let us know.

It does work. :D

> FWIW, I don't consider SSL client certificates a feasible solution to
> consolidate Sugar Labs sign-on. While some of us may take advantage of
> it, many users have trouble figuring out how to generate certificates
> and install them in their browsers.

Hehe. While all that browsers support is certificates, I'm actually
using just the public key that's contained in it. It doesn't have to
be signed by anyone. I have PoC code for Browse to (automatically)
import the Sugar key, so once I integrate it (currently it's just a
script) every user of a recent enough version will have a client
certificate in Browse. No need for manual setup.

As for usage outside Sugar, AFAIK at least Mozilla and IE can generate
keys (CSRs) locally from a special HTML form. So all we need to do is to
include such a form in the OpenID provider.

> If we could hook up as many services as possible to a central
> authentication service such as CAS or OpenID, this in turn could offer a
> number of login methods, including passwords and perhaps also SSL
> certificates.

That's exactly my plan for now. In the long run each service should
recognise keys directly (looking it up on some central service) to
avoid the need for entering your OpenID URL and several HTTP roundtrips.

Sascha

-- 
http://sascha.silbe.org/
http://www.infra-silbe.de/
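The key-based sign-on sketched in the message (a service recognises the public key inside whatever certificate the browser presents, looks it up centrally, and never cares who signed the certificate) can be shown end to end in a few dozen lines. The code below is an added example, not Sascha's PoC and not anything from the Sugar Labs infrastructure. It assumes Apache's mod_ssl hands the client certificate to the application as PEM in `SSL_CLIENT_CERT` (which it does once client certificates are requested) and models the "central service" as a plain dictionary keyed by the SHA-256 of the subjectPublicKeyInfo. The certificates it parses are constructed inline with dummy key material and a dummy signature, so it runs offline; the parser is a minimal DER walker, not a general X.509 implementation.

```python
import base64
import hashlib

# --- minimal DER encode/decode, enough for the outer X.509 structure ---
SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID, UTF8STRING, UTCTIME, CONTEXT0 = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0xA0)
RSA_OID = bytes.fromhex("2A864886F70D010101")         # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2A864886F70D01010B")  # sha256WithRSAEncryption

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_read(buf, pos):
    """Return (tag, content, position after this TLV)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def extract_spki(cert_der):
    """Walk Certificate -> tbsCertificate and return the DER-encoded
    subjectPublicKeyInfo. Issuer, subject and signature are skipped on
    purpose: the key is the identity, whoever (if anyone) signed it."""
    tag, cert, _ = der_read(cert_der, 0)
    tag2, tbs, _ = der_read(cert, 0)
    if tag != SEQUENCE or tag2 != SEQUENCE:
        raise ValueError("not a DER Certificate")
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == CONTEXT0:          # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):           # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, nxt = der_read(tbs, pos)
    if tag != SEQUENCE:
        raise ValueError("subjectPublicKeyInfo not found")
    return tbs[pos:nxt]

def key_fingerprint(cert_der):
    """SHA-256 over the SPKI: the value a central key registry would store."""
    return hashlib.sha256(extract_spki(cert_der)).hexdigest()

def lookup_user(cert_pem, registry):
    """What a service does with the PEM mod_ssl exports as SSL_CLIENT_CERT:
    hash the key and ask the registry; None means unknown key, no login."""
    body = "".join(line for line in cert_pem.splitlines() if not line.startswith("-----"))
    return registry.get(key_fingerprint(base64.b64decode(body)))

# --- constructed sample certificates (dummy key material, dummy signature) ---
def sample_cert(modulus, name_text):
    rsa_key = der_tlv(SEQUENCE, der_tlv(INTEGER, b"\x00" + modulus)   # leading 0 keeps it positive
                      + der_tlv(INTEGER, b"\x01\x00\x01"))
    spki = der_tlv(SEQUENCE,
                   der_tlv(SEQUENCE, der_tlv(OID, RSA_OID) + der_tlv(NULL, b""))
                   + der_tlv(BIT_STRING, b"\x00" + rsa_key))
    name = der_tlv(SEQUENCE, der_tlv(SET, der_tlv(SEQUENCE,
                   der_tlv(OID, bytes.fromhex("550403")) + der_tlv(UTF8STRING, name_text))))
    validity = der_tlv(SEQUENCE, der_tlv(UTCTIME, b"100905000000Z")
                       + der_tlv(UTCTIME, b"200905000000Z"))
    sig_alg = der_tlv(SEQUENCE, der_tlv(OID, SHA256_RSA_OID) + der_tlv(NULL, b""))
    tbs = der_tlv(SEQUENCE, der_tlv(CONTEXT0, der_tlv(INTEGER, b"\x02"))
                  + der_tlv(INTEGER, b"\x01") + sig_alg + name + validity + name + spki)
    fake_sig = der_tlv(BIT_STRING, b"\x00" + b"\xAA" * 16)  # not a real signature
    return der_tlv(SEQUENCE, tbs + sig_alg + fake_sig)

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

ALICE_KEY = bytes(range(0x80, 0xA0))    # constructed stand-in for a modulus
OTHER_KEY = bytes(range(0xA0, 0xC0))
ALICE_SELF_SIGNED = sample_cert(ALICE_KEY, b"alice (self-signed)")
ALICE_REISSUED = sample_cert(ALICE_KEY, b"alice (issued by some CA)")
STRANGER = sample_cert(OTHER_KEY, b"nobody we know")
REGISTRY = {key_fingerprint(ALICE_SELF_SIGNED): "alice"}  # stands in for the central service

if __name__ == "__main__":
    for label, cert in [("self-signed", ALICE_SELF_SIGNED),
                        ("same key, other issuer", ALICE_REISSUED),
                        ("unknown key", STRANGER)]:
        print(f"{label}: {lookup_user(to_pem(cert), REGISTRY)}")
```

Two certificates carrying the same key resolve to the same user even though their issuer and subject differ, and a certificate with an unregistered key resolves to nobody; the signature bytes are never inspected. Proof of possession is the TLS handshake's job, which is why this only works behind a server that actually requests client certificates: with mod_ssl, `SSLVerifyClient optional_no_ca` lets the handshake complete for certificates that no configured CA signed, leaving the key-to-user mapping to the application.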