[sldev] OpenID & SSL certificates

Dzonatas dzonatas at dzonux.net
Mon Oct 1 19:01:32 PDT 2007


Ryan McDougall wrote:
> The solution is to not worry about that case
>
> I think this discussion is suffering from a serious lack of
> clarification on exactly what case we are trying to fix. I'd love to
> hear from Sabin what he thinks of the discussion, and what use cases he
> is after.

This is where smartness is not better than experience with security.
Someone could be a complete genius at crypto systems, but it doesn't do
one bit of good not to know what the effects of a lack of security can be
and how it has been done. In most cases, it is not something the
experienced (with some decent common sense) really want to share and
explain in complete detail.

What has been requested, or revealed out of fear by the general public,
is the need to supply a password each and every time one enters the SL
world. They've shown how easy that is to exploit.

Okay, so simple solution: drop the password entirely upon login.

The question then becomes how do we validate identity after that step.

Simple solution: why worry about it? Perhaps the user just wants to
browse the virtual world just like anybody can browse the web.

Does that mean they get complete access to browse the entire world?

Again... simple solution... no... require access verification at that 
time when it is actually needed. It is not really needed just to get in 
the world.

When it is actually needed is when we should augment security.

Flame away!

-- 
Power to Change the Void