Auth token (Re: [sldev] [Viewer Auth] Office hour high points)
Rob Lanphier
robla at lindenlab.com
Fri Oct 19 17:16:29 PDT 2007
Hi Dale,
There seems to be a disconnect here:
On 10/19/07 4:33 AM, Dale Glass wrote:
> On Wed, Oct 17, 2007 at 05:17:22PM -0700, David Kaprielian (Sabin) wrote:
>
>> 3) Why ignore industry best practices like challenge-response?
>>
>> Challenge-response is only used to make sure a secret doesn't cross the
>> network unencrypted. Since we're using an SSL connection to pass the
>> token, it stays encrypted in transit. Challenge-response also requires
>> the user has an engine to compute the response, and we prefer using
>> standard web technology for this.
>>
> The problem is that it seems it's been implemented half way. Encryption
> solves part of the problem. Verifying that the auth server is good fixes
> the remaining issue: that the viewer will happily hand out your
> cleartext password to whatever server it connects to.
>
>
> Note that I'm talking about the standard LL viewer here, but third party
> viewers don't really matter. In the current situation if you let a third
> party viewer login at all you're already implicitly trusting it. That it
> might get your password is about the last thing to worry about.
>
I'm confused. The servers won't be passing your password back. My
understanding is the servers will be passing a one-time token passed
over SSL to an authenticated viewer, which the viewer will presumably
use right away. Once that token is used once, it can't be used again,
so it shares very little in common with a "password" in the traditional
sense.
Rob
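To make concrete the property Rob describes (a token handed out over SSL that is valid for exactly one use and then dead), here is an added server-side sketch of a one-time token store. It is illustrative code written for this page, not the Linden Lab viewer or login server; the token lifetime, the injectable clock and the class and method names are all assumptions. It stores only a hash of each issued token, so a leaked table cannot be replayed, and it invalidates the token in the same step that checks it.

```python
import hashlib
import secrets
import time


class OneTimeTokenStore:
    """Constructed example: issue a fresh login token after the user has
    authenticated, and honour it at most once, within a short window."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self.ttl = ttl_seconds          # assumed lifetime; real values are policy
        self.clock = clock              # injectable for deterministic tests
        # sha256(token) -> (username, expiry). Storing a digest rather than the
        # raw token means a copy of this table is not itself a usable credential.
        self._pending = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, username):
        """Called once the user has proven identity (e.g. over the SSL login);
        returns an unguessable token to hand back to the client."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (username, self.clock() + self.ttl)
        return token

    def redeem(self, token):
        """Return the username if the token is live, invalidating it in the
        same step; return None for unknown, already-used or expired tokens."""
        # pop() removes the entry as part of the lookup, so a second
        # presentation of the same token cannot succeed.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expiry = entry
        if self.clock() > expiry:
            return None                  # stale tokens are dropped, never honoured
        return username

    def purge_expired(self):
        """Housekeeping: drop tokens that were issued but never redeemed."""
        now = self.clock()
        stale = [d for d, (_, exp) in self._pending.items() if now > exp]
        for d in stale:
            del self._pending[d]
        return len(stale)


def demo():
    """Walk through issue, single redemption, replay and expiry with a fake clock."""
    now = [1000.0]                                     # constructed clock value
    store = OneTimeTokenStore(ttl_seconds=60, clock=lambda: now[0])

    tok = store.issue("alice")
    first = store.redeem(tok)        # "alice": valid on first use
    second = store.redeem(tok)       # None: token already consumed

    late = store.issue("bob")
    now[0] += 120                    # simulate a delay past the 60 s window
    expired = store.redeem(late)     # None: expired before use
    purged = store.purge_expired()   # 0: redeem() already removed it

    return first, second, expired, purged


if __name__ == "__main__":
    print(demo())
```

The single-use guarantee lives entirely in `redeem()`: the lookup and the removal are one `pop()`, so there is no window in which the same token can be checked twice. That is what separates such a token from a password, which stays valid until someone changes it.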