[sldev] OpenID & SSL certificates

Ryan McDougall ryan at ngigroup.com
Tue Oct 2 20:54:02 PDT 2007


Argent Stonecutter wrote:
> On 01-Oct-2007, at 22:05, Ryan McDougall wrote:
>> On Mon, 2007-10-01 at 21:38 -0500, Argent Stonecutter wrote:
>>> If you have a compromised SL viewer you don't have to attack
>>> anything. You already have the golden ring, you've won.
> 
>> Actually I thought the goal was to protect the user's valuables,
>> specifically L$, but also his in game assets.
> 
> Which is what a compromised SL viewer gives you. The whole "oh no, it 
> can steal your password" schtick is a red herring.
> 
>> Only if you care if your users get told that they may be running an
>> unknown viewer.
> 
> OK, let me get this straight.

You don't have it straight. I suspect you're not making much effort to.

> If my viewer is legitimate but I haven't got a certificate, the LL 
> server will send the viewer a message to tell the user that the viewer 
> may not be legitimate, which being legitimate, I'll pass on to them.

Yes, and you presumably won't care, because you didn't bother to take 5 
minutes to sign your own "legit" viewer.

> If my viewer is crocked, the LL server will still send the viewer a 
> message, but the crocked viewer will hide it, and thus it will appear 
> more legitimate than the legitimate viewer that hasn't jumped through 
> the certificate hoops.

As has been said, there is more than one way besides the naive method. 
You could print a warning on the SL website, or put it in-world.

While neither method is perfection-on-wheels, it's better than nothing.

>> If you care and have a large user base, you download GPG
>> and create a key, then publish it -- that simple.
> 
> That doesn't do anything more to help Linden Labs "track me down" unless 
> I need to do more than that. If the viewer on my website is crocked, 
> they've got me. If the viewer is crocked and signed by a private key, 
> and I've put the public key on my website, well... the only thing 
> they've got is what they started with... it was distributed from my 
> website. This would protect people from getting a package from Joe's BBS 
> that claimed to be from Linden Labs, sure, but we don't distribute 
> software that way on the Internet... you don't go to Joe's BBS to 
> download the SL client, you go to secondlife.com.

The purpose isn't to verify the physical whereabouts of an individual in 
geographical space in the case of viewer corruption. The purpose is to 
your identity as a legitimate viewer maker. People who don't sign their 
viewer aren't corrupt, but people who can have their identity vouched 
for, at least in the long term.

Identity in the real world works the same. If I say my name is Ryan 
McDougall, and I am unknown to you, it's meaningless to identify myself. 
But if I am a good person, and garner a reputation as such, in time, 
identifying myself as Ryan McDougall would eventually lead people to 
trust me on identity alone.

>> All the linux distros' package security currently works like this.
> 
> Ah, that's right, Linux does have half a dozen crack-brained packaging 
> schemes that involve trusting third-party repositories, harking back to 
> the days when Linus was using well-known FTP servers like BBSes instead 
> of running his own site, and because Linux doesn't actually have a core 
> OS... it's thousands of packages flying in close formation. That doesn't 
> apply here, because that's not how software gets distributed outside the 
> Linux world.
> 
> Unless Linden Labs does the signing, this wouldn't provide any more 
> assurance for Joe's Viewer than the fact that it was downloaded from the 
> website where joe published his public key.

I don't believe you are actually making the required attempt to 
understand the positions of the people you are talking at, so I don't 
believe it is productive to continue this conversation.


