[sldev] OpenID & SSL certificates
Ryan McDougall
ryan at ngigroup.com
Tue Oct 2 20:44:41 PDT 2007
First a word of advice: your style of communication is very flippant. I'm
not sure if you intend it so, but it comes across as off-putting, to put
it mildly. You might consider how this helps or hurts your causes.
Argent Stonecutter wrote:
> On 01-Oct-2007, at 22:18, Ryan McDougall wrote:
>> I propose that an out of process PKI library be used to transfer an
>> temporary authorization token to the client viewer. Once the token has
>> been handed to the viewer, then the viewer can do anything to the user's
>> account. We rely on the server and the PKI system to only hand the token
>> off when the Private Key, located on the user's machine, matches the
>> Public Key stored on the LL server (given over SSL during registration).
>
>> The security of the system would rely on the assumption that a
>> compromised viewer cannot break the OS's security, and access the
>> Private Key.
>
> If the user has downloaded the viewer (voluntarily, by his choice) then
> why would the user prevent the viewer he downloaded from getting to the
> private key he created? The viewer is expected to be able to read this
> key. It doesn't matter whether the viewer is from Linden Labs or J
> Random hacker, the user's GOT to be able to grant it the rights to get
> whatever information it needs to log in to Second Life, otherwise why is
> he downloading it? It doesn't matter whether those rights are granted by
> typing in his password or by right-clicking on an icon and selecting
> "Allow this program to access my keychain" or by responding to a dialog
> from the OS when it asks to access the keychain. The user has downloaded
> and installed the package, because the user wants to use it to play
> Second Life.
The case I was thinking of was one where the compromised viewer would
harvest your account information to give to a 3rd party for later use.
In that case it would fail because the 3rd party would lack your private
key.
You are right that a compromised viewer would just immediately transfer
your money to another account while it holds a valid token. That's why
the viewer should be signed.
> This isn't like your wife's Chase bank account, because your wife isn't
> downloading a third party Chase Bank Account Viewer.
I don't know what you're talking about.
My wife, as a programmer for mission critical trading systems for an
investment bank that is as yet unnamed, worked from home using a Java
applet + Terminal Server. I don't know how it all worked exactly, but I'm
pretty sure it was the RSA dongle she used that made it secure, not the
fact that the applet was closed source.
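The scheme quoted at the top of this message (private key on the user's machine, public key registered with the server, a temporary token handed out only when the two match) is the kind of thing that is easier to reason about in code than in prose. What follows is an added example written for this page, not code from the thread, from Linden Lab or from any viewer: a minimal challenge-response login in Go's standard library. The server stores only the registered public key, issues a single-use random nonce, verifies the client's Ed25519 signature over it, and returns a short-lived HMAC-protected token. Every name (`Server`, `Client`, `Redeem`, the `example-login-v1` domain string, the timestamps) is invented for illustration. It also shows the two points made in the reply: a third party who harvests the token but not the private key cannot obtain a new one once it expires, while whoever holds a valid token can act on the account until then.

```go
package main

// Added example for the sldev thread, not the project's code. Ed25519 stands
// in for the unspecified "PKI library"; the token is an HMAC under a key only
// the server holds. All identifiers and sample values here are constructed.

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Token is what the viewer holds after login: who it is for, when it dies,
// and a MAC so the server can recognise tokens it did not issue.
type Token struct {
	User   string
	Expiry time.Time
	MAC    []byte
}

type Server struct {
	pubkeys  map[string]ed25519.PublicKey // registered at signup (over SSL in the proposal)
	pending  map[string][]byte            // one outstanding nonce per user, consumed on use
	tokenKey []byte                       // server-only HMAC key
	ttl      time.Duration
}

func NewServer(ttl time.Duration) *Server {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return &Server{pubkeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}, tokenKey: key, ttl: ttl}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubkeys[user] = pub }

// Challenge hands out a fresh random nonce, so a captured signature over an
// earlier nonce proves nothing the next time around.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubkeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// loginMessage binds the signature to this service and this user, so it cannot
// be replayed against another account or reused in an unrelated protocol.
func loginMessage(user string, nonce []byte) []byte {
	return append([]byte("example-login-v1|"+user+"|"), nonce...)
}

func (s *Server) mac(user string, expiry time.Time) []byte {
	m := hmac.New(sha256.New, s.tokenKey)
	m.Write([]byte(user))
	m.Write([]byte{0}) // separator so user||expiry cannot be ambiguous
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(expiry.Unix()))
	m.Write(ts[:])
	return m.Sum(nil)
}

// Redeem consumes the pending nonce (pass or fail), checks the signature against
// the registered public key and, on success, issues a token valid for ttl.
func (s *Server) Redeem(user string, nonce, sig []byte, now time.Time) (Token, error) {
	want, ok := s.pending[user]
	delete(s.pending, user)
	if !ok || !bytes.Equal(want, nonce) {
		return Token{}, errors.New("no matching challenge")
	}
	if !ed25519.Verify(s.pubkeys[user], loginMessage(user, nonce), sig) {
		return Token{}, errors.New("signature does not match registered public key")
	}
	exp := now.Add(s.ttl)
	return Token{User: user, Expiry: exp, MAC: s.mac(user, exp)}, nil
}

// Authorize is what every later request goes through: genuine MAC, not expired.
func (s *Server) Authorize(t Token, now time.Time) error {
	if !hmac.Equal(t.MAC, s.mac(t.User, t.Expiry)) {
		return errors.New("token forged or tampered")
	}
	if !now.Before(t.Expiry) {
		return errors.New("token expired")
	}
	return nil
}

// Client is the viewer side: it holds the private key and only ever signs challenges.
type Client struct {
	User string
	priv ed25519.PrivateKey
}

func NewClient(user string) (*Client, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Client{User: user, priv: priv}, pub
}

func (c *Client) Answer(nonce []byte) []byte { return ed25519.Sign(c.priv, loginMessage(c.User, nonce)) }

func main() {
	srv := NewServer(10 * time.Minute)
	viewer, pub := NewClient("resident")
	srv.Register("resident", pub)
	t0 := time.Unix(1191400000, 0) // constructed timestamp

	nonce, _ := srv.Challenge("resident")
	tok, err := srv.Redeem("resident", nonce, viewer.Answer(nonce), t0)
	fmt.Println("login:", err, "| authorized now:", srv.Authorize(tok, t0))
	fmt.Println("same token an hour later:", srv.Authorize(tok, t0.Add(time.Hour)))

	// A harvester holding a copy of the token but no private key cannot renew it.
	nonce2, _ := srv.Challenge("resident")
	_, err = srv.Redeem("resident", nonce2, tok.MAC, t0.Add(time.Hour))
	fmt.Println("renewal without the private key:", err)
}
```

Note what this does and does not buy: the private key never leaves the client and the server never sees it, so harvested account data is worthless to a third party after the token's ttl. It does nothing about the other case raised in the thread, a malicious viewer that is running on the user's machine with access to the key, which is why the reply falls back on signing the viewer itself.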