[sldev] OpenID & SSL certificates
Argent Stonecutter
secret.argent at gmail.com
Tue Oct 2 07:51:11 PDT 2007
On 01-Oct-2007, at 22:05, Ryan McDougall wrote:
> On Mon, 2007-10-01 at 21:38 -0500, Argent Stonecutter wrote:
>> If you have a compromised SL viewer you don't have to attack
>> anything. You already have the golden ring, you've won.
> Actually I thought the goal was to protect the user's valuables,
> specifically L$, but also his in-game assets.
Which is what a compromised SL viewer gives you. The whole "oh no, it
can steal your password" schtick is a red herring.
> Only if you care if your users get told that they may be running an
> unknown viewer.
OK, let me get this straight.

If my viewer is legitimate but I haven't got a certificate, the LL
server will send the viewer a message to tell the user that the
viewer may not be legitimate, which being legitimate, I'll pass on to
them.

If my viewer is crocked, the LL server will still send the viewer a
message, but the crocked viewer will hide it, and thus it will appear
more legitimate than the legitimate viewer that hasn't jumped through
the certificate hoops.
> If you care and have a large user base, you download GPG
> and create a key, then publish it -- that simple.
That doesn't do anything more to help Linden Labs "track me down"
unless I need to do more than that. If the viewer on my website is
crocked, they've got me. If the viewer is crocked and signed by a
private key, and I've put the public key on my website, well... the
only thing they've got is what they started with... it was
distributed from my website. This would protect people from getting a
package from Joe's BBS that claimed to be from Linden Labs, sure, but
we don't distribute software that way on the Internet... you don't go
to Joe's BBS to download the SL client, you go to secondlife.com.
> All the Linux distros' package security currently works like this.
Ah, that's right, Linux does have half a dozen crack-brained
packaging schemes that involve trusting third-party repositories,
harking back to the days when Linus was using well-known FTP servers
like BBSes instead of running his own site, and because Linux doesn't
actually have a core OS... it's thousands of packages flying in close
formation. That doesn't apply here, because that's not how software
gets distributed outside the Linux world.
Unless Linden Labs does the signing, this wouldn't provide any more
assurance for Joe's Viewer than the fact that it was downloaded from
the website where Joe published his public key.