[sldev] [Auth] [OpenID] OpenID as SL Authentication Solution

Kamilion kamilion at gmail.com
Sun Oct 7 00:49:20 PDT 2007


On 10/6/07, Jason Giglio <gigstaggart at gmail.com> wrote:
> Kamilion wrote:
> > I've been doing some surfing on OpenID, and found out a lot about it.
>
> So I set up gigstaggart.com/openid as my own provider.  I claim to be
> Bill Clinton.  Second Life has no way of knowing I'm not Bill Clinton,
> since my provider (me) doesn't do any strong authentication of who I am.

An OpenID provider is only responsible for proving identity, not trust.

> Replace Bill Clinton with "over 18", if you want the age verification angle.

No, but LL's provider & data storage should tie this in with the age
verification so that other OpenID consumers being authenticated
against LLOpenID get an IsAnAdult bool.

Of course, in doing this, it also opens up other problems:
Little 16 year old Bobby Jr could borrow Bobby Sr.'s ID once,
AgeVerify through SL, and leverage his SL account believing he is over
21 to other sites by using his LLOpenID externally.

> Basically, OpenID is only as strong as the provider in terms of real
> authentication.  The only OpenID provider that would be acceptable for
> Second Life would be Linden Lab.  Back to square 1.

Yes, exactly.
The only OpenID provider that would be acceptable for Second Life
would be Linden Lab.

Hence the proxy OpenID support. You log in to the SL website. Somehow.
Then while there, you add an existing OpenID by entering its URL.

It connects to your provider, which asks you to log in.
You log into your Open ID Provider, and select a persona.

That Persona now has access to the account.

OpenID supports Delegation.

For a given page to act as an OpenID provider, you only need to add two
tags to your HTML source:

<link rel="openid.server" href="https://www.myopenid.com/server">
<link rel="openid.delegate" href="http://Kamilion.myopenid.com">

If I added this to http://www.sllabs.com/kamilion/index.php, when I
use http://www.sllabs.com/kamilion/
as an OpenID URL, it will be delegated to myopenid.

Likewise, Linden Labs could allow you to delegate to another provider.

Linden Labs is now no longer responsible for keeping a password for you;
The authentication scheme is separate from the application but still tied to it.

On 10/6/07, Argent Stonecutter <secret.argent at gmail.com> wrote:
> > Yes, you can pick your alt (Personas are an integral feature of
> > OpenID, handled by the provider)
>
> *concurrently*? Using different OpenIDs? Without sharing any
> information with anyone but Linden Labs? Even if I visit someone's
> web page in their profile and it's on LiveJournal?

Concurrently, yes. Every instance of login should bring you to the
Persona selection.
It's also possible to change personas on the fly.
You're free to use as many OpenID providers, personas & URLs as you want.
Most browsers will remember entries to webforums, so adding an OpenID
URL box to the SL website simply allows you to dropdown a list of
OpenIDs to authenticate against.

> I don't *want* to have one ID that logs me into livejournal,
> sixapart, and Second Life. I don't *want* the possibility of
> someone's blog site having access to information about my SL
> identity, through any possible chain of events.

You're free to keep them separate. Should you choose to use them like
I've mentioned, you're free to do that as well. OpenID works fine as a
chained system, and you can delegate and hand off through as many
layers of security as you wish for your account.

For instance, you may wish to use the Three-point authentication mechanism:
Something you Have
Something you Know
Something you Are

Something you Are refers to biometrics, in this case, a fingerprint
from a fingerprint reader.
Something you Know refers to a password or passphrase, in this case an
AES-256 class passphrase.
Something you Have refers to a hardware token, in this case the
fingerprint reader with a specific serial number, UUID, or PKI/SSL
certificate on Flash.

Your provider is only proving identity, not trust.

So, here is how a chained login would work:
You go to SLExchange.com. You log in with your LLOpenID, say
http://openid.secondlife.com/Stonecutter/Argent/
From there, SLExchange redirects you to openid.secondlife.com.
Openid.secondlife.com checks its database and locates your provider
on file there.
Let's say that's http://argentstonecutter.com/
openid.secondlife.com redirects to the OpenID provider delegated at
argentstonecutter.com.
That OpenID is further delegated off to secretargent.myopenid.com.
And that OpenID is delegated to a linux box running in your basement,
locally networked to your PC that you can access only from your
subnet, not the internet. That box talks to a shared USB fingerprint
device with built in flash memory plugged into your desktop.
You plug the USB fingerprint device in, and it's autorun opens up the
SSL client key stored on the flash. You swipe your finger. It's
correct. It supplies the passphrase to the SSL Client key. The SSL
client key is decrypted, and used to authenticate to the linux box.
The linux box decides you are who you say you are, and accepts the
login. It sends its default persona of Your Linux Box to
secretargent.myopenid.com. You're now authenticated there.
secretargent.myopenid.com then requests you to select a persona there.
You choose your Non-Business persona, which then authenticates you
against openid.secondlife.com through argentstonecutter.com, allowing
you to select which persona you have associated with that SL account,
which will then be passed to slexchange.

You've just replaced your authentication with strong biometric verification.

Ow, my fingers.


That's a little bit of an extreme case. But it becomes possible.
An OpenID is basically as strong and rooted or as weak and lonely as you want.
All it allows you to do is defer authentication to a provider YOU
choose to trust.
If you choose to trust Google to be your primary provider, that's
fine. Or Yahoo through idproxy.net. Or MyOpenID. Or LL. It ceases to
matter, as long as YOU are convinced that they are properly managing
your identity. If you stop trusting them, you can change providers.
This is covered quite well in the 30 minute video I linked in the
original email.
Simon proposes that the creators of livejournal become evil. Hilarity ensues.

In your case, you would use completely different OpenIDs for all the services.
In ORDER for an OpenID to function, you MUST willfully give something
the URL to your OpenID.
If you go to Joe Schmoe's blog, just don't log with your LLOpenID. Use
one of the links higher up the chain, with a different persona. Or a
TypePad OpenID from your own blog.
Or an AIM account with http://openid.aol.com/screenname
Or a Yahoo account through idproxy.net.

Anyway, OpenID allows you to be as paranoid as you want, as it's just
a different way to store and verify a password.

OpenID, Like SSH, uses strong crypto, including Diffie-Hellman key
exchange, full end to end SSL, requiring verified SSL server
certificates for domains involved, which is its own little identity
proving hoops to jump through, usually providing a StateID or passport
ID to prove identity, and ownership of a domain. SSL protects us from
man-in-the-middle attacks for the most part.

Read the specifications...
They even list how OpenID can protect against a couple of common attacks.
Some known bad browser UserAgents can be barred from being used, for instance.

http://openid.net/specs/openid-authentication-2_0-11.html

