[Freeipa-devel] auto Firefox configuration status

[Rob Crittenden]

I've looked into using the javacript function 
netscape.security.PrivilegeManager.enablePrivilege() to allow modifying 
the browser config.

Here are some notes to take away:

1. The javascript needs to be packaged as a signed jar. We can generate 
a signing cert during our SSL setup step.
2. We'll need to create the javascript on the fly so we can customize it 
to match the domain we're installing IPA into. The existing template 
system should work fine.
3. The browser needs to trust the CA that is presenting the signed jar. 
A semi- chicken and egg problem. As long as the user goes to an SSL site 
signed by our temporary CA we're fine (our IPA web server, for example). 
But if they get their account and hit some other SSO site their browser 
will not be setup. We may have to live with this. The code should be 
easily transportable though.

Alternatively they can use their own CA to sign our code.

Oh, and you get a huge, ugly, nasty time-delayed warning about having 
your preferences written to.

I still have a fair bit of clean up to do before I can start integrating 
it into IPA (remembering how I issued the signing cert for one). I 
should have something to at least demo in the next day or two.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071206/0efaf14a/attachment.bin>