[sldev] OpenID & SSL certificates

Erik Anderson odysseus654 at gmail.com
Mon Oct 1 12:36:33 PDT 2007


I don't know if this helps in the conversation at all, but here is my
(limited) experience with OpenID.  I create an ID of the form
username at someopenIDprovider.com (there are ways to customize the domain name
to something you host).  This ID is given to an application.  Then the
application tries to open up the OpenID site and authenticate with that ID.
The OpenID site will initially open up a web page asking you to log in,
select the identity that you wish to pass back, and verify that you really
want that website to know about you.  Optionally you can go through the
process of creating a certificate on your local browser so that it simply
asks you if you want to authenticate with the website.  If you state "always
yes", then the authentication would proceed without any prompts using the
client certificate installed on your browser.

The identity that you choose when logging into the OpenID provider does not
seem to be the kind of information that could be used to establish alt
accounts in SL; in the end the only thing that SL has is the OpenID, so
multiple alts in SL would most likely require multiple OpenID accounts.

I am kinda split on whether or not OpenID is a good direction to go with (as
opposed to the integrated login that currently exists).  I *really* don't
want logging into the website to log into the SL client without
authentication (for reasons that have been explained at great length here
already).  A lot of the site spoofing that I think is being worried about
here is, I'm guessing, the kind of spoofing that would confuse users (for
instance, using international coding to make it look like the same domain
name when it isn't) but would not as easily confuse applications (check the
domain on the SSL certificate, make sure it matches the OpenID that the user
has entered).

None of this in my opinion has anything to do with modified clients though,
nor could it.  LL could do checks to try to track changing IP addresses and
require more authentication if the login location changes to an unexpected
place, but this is hardly anything that changing the authentication stream
in this manner would affect at all.
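
The application-side check mentioned in the message above (compare the domain on the SSL certificate with the OpenID the user entered), as an added example that is not part of the original post. The function names, the `.example` hostnames and the certificate name list are constructed for illustration; a real client would take the names from the certificate its TLS library has already validated.

```python
from urllib.parse import urlsplit

def openid_host(identifier: str) -> str:
    """Return the ASCII (punycode) host of a user-entered OpenID URL."""
    if "://" not in identifier:
        identifier = "https://" + identifier
    host = urlsplit(identifier).hostname or ""
    # IDNA encoding turns any non-ASCII label into its xn-- form, so a
    # visually identical Unicode host no longer compares equal to the ASCII one.
    return host.encode("idna").decode("ascii").lower()

def cert_matches(host: str, san_dns_names: list[str]) -> bool:
    """Exact match, or a '*' that stands for exactly one left-most label."""
    host_labels = host.lower().split(".")
    for name in san_dns_names:
        labels = name.lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*" and len(labels) > 2:
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False

def verify_provider(identifier: str, san_dns_names: list[str]):
    """Return (normalized host, whether the certificate covers it)."""
    host = openid_host(identifier)
    return host, bool(host) and cert_matches(host, san_dns_names)

# Constructed sample data: DNS names from a hypothetical provider certificate.
SAN = ["openid.example", "*.openid.example"]

if __name__ == "__main__":
    for entered in (
        "https://alice.openid.example/",
        # Same text to the eye, but the "i" is CYRILLIC U+0456.
        "https://alice.open\u0456d.example/",
    ):
        host, ok = verify_provider(entered, SAN)
        print(f"{host:40} certificate match: {ok}")
```
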