[sldev] OpenID & SSL certificates

Ryan McDougall ryan at ngigroup.com
Mon Oct 1 20:18:50 PDT 2007


On Mon, 2007-10-01 at 21:38 -0500, Argent Stonecutter wrote:

> 
> If you have a compromised SL viewer you don't have to attack  
> anything. You already have the golden ring, you've won. The goal here  
> is not protecting the cryptosystem, it's protecting the viewer. The  
> big sloppy viewer that's using a couple of dozen big sloppy shared  
> libraries. Once the bad guy has ANY compromised software on your  
> computer, the viewer is dead meat.

In case I haven't been clear:

I assume that the issue here is allowing Open Sourced viewers, which
could contain any kind of code, to connect to LL servers. I assume that
the largest issue with a compromised viewer is that it allows a
nefarious 3rd party to access your on-server assets.

I propose that an out-of-process PKI library be used to transfer a
temporary authorization token to the client viewer. Once the token has
been handed to the viewer, then the viewer can do anything to the user's
account. We rely on the server and the PKI system to only hand the token
off when the Private Key, located on the user's machine, matches the
Public Key stored on the LL server (given over SSL during registration).

The security of the system would rely on the assumption that a
compromised viewer cannot break the OS's security, and access the
Private Key.

This assumption is not rock solid, as we all know, but it does put the
blame where it belongs, on the OS to provide a secure system. It is my
belief that this is better than what I've heard so far.

Also, this is not entirely unlike many other PKI systems in use,
including the one my wife uses to work from home at one of the world's
largest investment banks.

Cheers,



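The challenge-response token handoff Ryan sketches above, as an added example that is not part of this thread or of any Second Life code: it assumes Ed25519 signatures and a server-issued random nonce, neither of which the e-mail specifies, and stands in for the out-of-process PKI library with a Signer type that holds the private key and does nothing but sign nonces, so the viewer only ever receives the short-lived token.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"time"
)

// Server keeps each account's registered public key and the nonce awaiting a signature.
type Server struct {
	Registered map[string]ed25519.PublicKey
	Pending    map[string][]byte
}

// Token is the temporary authorization handed to the viewer; the private key never reaches it.
type Token struct {
	Value   []byte
	Expires time.Time
}

// Challenge issues a fresh random nonce for the key-holding helper to sign (assumed protocol step).
func (s *Server) Challenge(account string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.Pending[account] = nonce
	return nonce, nil
}

// Redeem hands out a short-lived token only when the signature over the pending nonce verifies
// under the registered key; the nonce is consumed first, so a captured signature cannot be replayed.
func (s *Server) Redeem(account string, sig []byte, now time.Time) (Token, error) {
	nonce, ok := s.Pending[account]
	delete(s.Pending, account)
	pub, known := s.Registered[account]
	if !ok || !known || !ed25519.Verify(pub, nonce, sig) {
		return Token{}, errors.New("no valid signature from the registered key")
	}
	value := make([]byte, 16)
	if _, err := rand.Read(value); err != nil {
		return Token{}, err
	}
	return Token{Value: value, Expires: now.Add(10 * time.Minute)}, nil
}

// Signer stands in for the out-of-process PKI helper: it keeps the private key and only signs nonces.
type Signer struct{ priv ed25519.PrivateKey }
func (h Signer) Sign(nonce []byte) []byte { return ed25519.Sign(h.priv, nonce) }
```

A compromised viewer that captures the token gets only a time-limited session, and a captured signature is useless because the nonce it covers has already been consumed.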