On Tue, Dec 2, 2008 at 8:19 PM, Sebastian Silva <[EMAIL PROTECTED]> wrote:
>> That's a different model. We want the openID _provider_ to be either on the
>> laptop itself or on the school server. Since the _server_ has a changing
>> FQDN, this becomes harder. The solution would be to propose a change to the
>> protocol or register the school servers' domains (or subs) with a Dynamic DNS
>> provider.
>>
> Now we are talking, this is only a technical problem.
Hi! We've discussed openid several times on this list -- do google the archives for the full argument :-) -- It's reasonably likely that the XS will be an OpenID IDP (noting all the serious caveats around OpenID that make it a phishing-magnet), but _first_ the laptop needs to identify itself to the XS. So we are talking about that first step. As you've spotted, we can't use openID there.

The plans that seem viable, after a lot of consideration, are

- A backchannel call using SSH - Browse.xo, when connecting to something that looks like the XS, will trigger an ssh connection to the server, grab a one-time-use token over the ssh connection and use it to prove its identity over http.

- A challenge-response call using the fact that the XS knows the public SSH key of the XO. So Browse could request a special url, the XS respond with a random string that the XO has to sign with its key and post back to the XS - which can verify the sig.

Once that step happens, the XS hands a cookie to the XO (the process above is fairly expensive!). From that point onwards, we are vulnerable to spoofing unless we switch to https (which we will eventually do, but right now is very complicated for a long list of reasons).

If we could switch to https easily, we could skip all this song and dance and just use client certs.

cheers,

m
--
[EMAIL PROTECTED]
[EMAIL PROTECTED] -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff
- working code first
- http://wiki.laptop.org/go/User:Martinlanghoff
_______________________________________________
Sugar mailing list
Sugar@lists.laptop.org
http://lists.laptop.org/listinfo/sugar
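The challenge-response option from the message above, worked through as an added example (not code from this thread or from the XS/Sugar projects): a Go sketch, chosen because its standard library carries Ed25519, in which the XO's SSH key is modelled as an Ed25519 key pair, the XO names itself at the special url by the hex of its public key, and the XS spends each challenge on first use so a captured response cannot be replayed. The context prefix on the signed bytes, the single-use rule and the function names are assumptions made here, not details from the mail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Context prefix so the XO never signs raw server-chosen bytes (added precaution, not in the mail).
const signPrefix = "xs-browse-login-v1:"
// XS holds known XO public keys and at most one outstanding challenge per key.
// Single-threaded toy: a real XS also needs locking and a challenge expiry.
type XS struct {
	known   map[string]ed25519.PublicKey
	pending map[string][]byte
}
func NewXS() *XS { return &XS{known: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}} }
// KeyID is the name the XO presents at the special URL: hex of its public key.
func KeyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }
func (s *XS) Register(pub ed25519.PublicKey) { s.known[KeyID(pub)] = pub }
// Challenge (step 1): the XS answers the special URL with a fresh random string.
func (s *XS) Challenge(keyID string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[keyID] = nonce
	return nonce, nil
}
// Respond (step 2): the XO signs the challenge with its private key.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte(signPrefix), nonce...))
}
// Verify (step 3): the XS checks the signature with the stored key. The challenge is spent
// whether or not it verifies, so a captured response cannot be replayed; success earns a cookie.
func (s *XS) Verify(keyID string, sig []byte) (string, error) {
	nonce, ok := s.pending[keyID]
	delete(s.pending, keyID)
	pub, known := s.known[keyID]
	if !ok || !known || !ed25519.Verify(pub, append([]byte(signPrefix), nonce...), sig) {
		return "", errors.New("unknown key, no outstanding challenge, or bad signature")
	}
	cookie := make([]byte, 16)
	if _, err := rand.Read(cookie); err != nil {
		return "", err
	}
	return hex.EncodeToString(cookie), nil
}
```

The cookie that Verify returns is the one the mail says the XS hands over afterwards; as the mail also notes, without https everything from that point on is only as strong as the channel the cookie travels over.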