[Sugar-devel] Auto-authentication for Browse

Carol Farlow Lerche cafl at msbit.com
Tue Feb 10 17:20:05 EST 2009


Sorry...hit send too soon.  The link

http://boblord.livejournal.com/18402.html

shows how to get rid of the message.

To give the xs the identity of the client you send a certificate request to
the server.  This is in truth the public key of the client, which the server
signs and sends back.  Thus the client now has a client certificate signed
by the server's CA.

There is a nice Firefox addon that manages this process for the issuer if
one wishes there to be some manual oversight as to who is allowed to
register (presumably some functionary at the school who oversees
registration on the first day).

There is an underlying set of security utilities that belong to Mozilla (NSS
libraries and tools) that can perform the cert request building, and would
allow scripting to do the cert requesting under the covers.

As an alternative to a strictly manual approval process for the cert
requests, the XO process for submitting the cr could put the serial number
in a field of the cert request to be checked automatically against a list of
serial numbers on the server, such that the cert is returned automatically.

(Eagerly awaiting an eruption from Ivan).

On Tue, Feb 10, 2009 at 2:11 PM, Carol Farlow Lerche <cafl at msbit.com> wrote:

> http://boblord.livejournal.com/18402.html
>
> On Tue, Feb 10, 2009 at 1:20 PM, Martin Langhoff <
> martin.langhoff at gmail.com> wrote:
>
>> On Wed, Feb 11, 2009 at 4:57 AM, Simon Schampijer <simon at schampijer.de>
>> wrote:
>> >> Thoughts? Opinions? Code?
>> >>
>> >> cheers,
>> >
>> > I wonder if it would not be best to generate a cert per user when we
>> > authenticate the first time with the XS and add this then to the
>> > cert8.db in the profile. This works fine - rainbow wise - as we do this
>> > already for the OLPC - Root CA.
>>
>> How do we
>>
>>  - get the cert of the XS ahead of time and mark it as trusted to
>> avoid the "self-signed cert bad!" screen?
>>
>>  - give the XS our cert so it knows who we are?
>>
>> see the 'Plan A'  (in my opening post) for further notes.
>>
>>
>>
>> m
>> --
>>  martin.langhoff at gmail.com
>>  martin at laptop.org -- School Server Architect
>>  - ask interesting questions
>>  - don't get distracted with shiny stuff  - working code first
>>  - http://wiki.laptop.org/go/User:Martinlanghoff
>> _______________________________________________
>> Sugar-devel mailing list
>> Sugar-devel at lists.sugarlabs.org
>> http://lists.sugarlabs.org/listinfo/sugar-devel
>>
>
>
>
> --
> "It is difficult to get a man to understand something, when his salary
> depends upon his not understanding it." -- Upton Sinclair
>



-- 
"It is difficult to get a man to understand something, when his salary
depends upon his not understanding it." -- Upton Sinclair
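
The automatic approval described in the message above (serial number in a field of the cert request, checked against a list on the server), as an added example that is not part of the original post or of any XS code. It assumes the OpenSSL command-line tool rather than the NSS tools mentioned, that the serial number travels in the subject commonName, and constructed serial numbers and file names.

```shell
# Added example (not from the thread). Assumption: the XO puts its laptop
# serial number in the CSR subject commonName; the thread only says "a field".

# csr_serial CSR: print the commonName carried in the request's subject.
csr_serial() {
    openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# issue_if_registered CSR ALLOWLIST CA_CERT CA_KEY OUT
# Signs the request only if it is self-signed by the key it carries and names
# a serial number on the allowlist. Returns 0 if issued, 1 if not registered.
issue_if_registered() {
    csr=$1 allow=$2 cacert=$3 cakey=$4 out=$5
    # Proof of possession: the CSR signature must verify under its own key.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 2
    sn=$(csr_serial "$csr")
    [ -n "$sn" ] || return 3
    # -F fixed string, -x whole line: no regex or substring matches.
    grep -Fxq -- "$sn" "$allow" || return 1
    openssl x509 -req -in "$csr" -CA "$cacert" -CAkey "$cakey" \
        -CAcreateserial -days 365 -out "$out" 2>/dev/null
}

# make_csr SERIAL DIR: client side, new key pair plus request (constructed data).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2/$1.key" \
        -out "$2/$1.csr" -subj "/CN=$1" 2>/dev/null
}

# demo DIR: constructed CA, allowlist and two requests; prints each outcome.
demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed XS CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    printf '%s\n' CSN00000001 CSN00000002 > "$d/registered.txt"
    for id in CSN00000001 CSN99999999; do
        make_csr "$id" "$d"
        if issue_if_registered "$d/$id.csr" "$d/registered.txt" \
               "$d/ca.crt" "$d/ca.key" "$d/$id.crt"; then
            echo "$id: issued"
        else
            echo "$id: refused"
        fi
    done
}
```

Run `demo "$(mktemp -d)"` to see one request issued and one refused. The serial number is an identifier rather than a secret, so this check limits which requests are signed but does not by itself prove the request came from that laptop.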