[sldev] OpenID vs. current proposal vis a vis security
Matthew Dowd
matthew.dowd at hotmail.co.uk
Sun Sep 30 01:02:58 PDT 2007
This is one of the reasons I divided the critique into three areas. You are trying to do three things (at least) with the new authentication system, and in some cases the solutions are different in the three areas.
OpenID addresses the flexibility issue - to quote from the original wiki page - it talks of allowing linking your SL account to blogs, etc., not the security issue.
OpenID also opens up some interesting possibilities in verification. One of the things we are looking at in the UK (with some government interest) is the use of "brokers" (such as banks, mobile phone companies) to verify aspects of the identity behind the OpenID (not unlike a digital notary service). So my OpenID may come with an assertion from Barclays Bank that I am over 18 (use of PKI for example could enable people to validate the assertion). So age verification in this model would happen if LL trusted Barclays Bank (or whoever), and no personal information would need to be given by me to LL. This is quite an active area in digital identity management at the moment.
That said, there are similar issues with OpenID as for Shibboleth when attempting to use it outside a pure web browser environment. SL isn't the only scenario. So there needs to be some work and thought here (some aspects of OpenID may need to change). However, I think it is worth seriously considering and discussing even though it is not a quick drop-in.
Matthew
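The broker-asserted attribute flow Matthew describes, as an added example that is not part of the original thread: a broker (stand-in name broker.example, constructed) signs a minimal assertion about an OpenID identifier saying only "over_18: true", and the relying party checks it using nothing but the broker's public key and a trust list. The claims, URLs and key material are constructed; the unpadded, small-prime RSA is a standard-library-only stand-in for the PKI signature the message mentions and shows the trust structure, not a production signature scheme.

```python
"""Toy model of a broker-signed attribute assertion checked by a relying party.

Only the broker ever sees the birth date; the relying party receives a
signed claim set containing just "over_18". Textbook RSA with small primes
is used so this runs with the standard library alone (illustration only).
"""
import hashlib
import json
import time

# Constructed toy key material: small primes, NOT secure, for illustration only.
_P, _Q = 104729, 1299709
_E = 65537


def make_toy_keypair():
    """Return (public, private) toy RSA keys as dicts."""
    n = _P * _Q
    phi = (_P - 1) * (_Q - 1)
    d = pow(_E, -1, phi)  # modular inverse, Python 3.8+
    return {"n": n, "e": _E}, {"n": n, "d": d}


def _canonical(payload):
    # Deterministic serialisation so issuer and verifier hash identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _digest_int(data, n):
    # SHA-256 of the canonical payload, reduced into the toy modulus range.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def issue_assertion(priv, issuer, openid_url, claims, ttl_seconds, now=None):
    """Broker side: sign a minimal claim set about an OpenID identifier."""
    now = time.time() if now is None else now
    payload = {
        "iss": issuer,
        "sub": openid_url,
        "claims": claims,          # e.g. {"over_18": True}; no birth date
        "iat": int(now),
        "exp": int(now) + ttl_seconds,
    }
    h = _digest_int(_canonical(payload), priv["n"])
    return {"payload": payload, "sig": pow(h, priv["d"], priv["n"])}


def verify_assertion(assertion, trusted_issuers, now=None):
    """Relying-party side. Returns (ok, reason); trust decisions are explicit."""
    now = time.time() if now is None else now
    payload = assertion.get("payload", {})
    pub = trusted_issuers.get(payload.get("iss"))
    if pub is None:
        return False, "untrusted issuer"
    if payload.get("exp", 0) <= now:
        return False, "expired"
    h = _digest_int(_canonical(payload), pub["n"])
    if pow(assertion.get("sig", 0), pub["e"], pub["n"]) != h:
        return False, "bad signature"
    return True, "ok"


def is_over_18(assertion, trusted_issuers, now=None):
    """The only question the relying party needs answered."""
    ok, _ = verify_assertion(assertion, trusted_issuers, now)
    return ok and assertion["payload"]["claims"].get("over_18") is True


if __name__ == "__main__":
    pub, priv = make_toy_keypair()
    trusted = {"broker.example": pub}  # relying party's trust list
    a = issue_assertion(priv, "broker.example",
                        "https://alice.openid.example/", {"over_18": True}, 3600)
    print(verify_assertion(a, trusted), is_over_18(a, trusted))
```

The relying party's decision reduces to two configuration questions: which issuers are in `trusted_issuers`, and how long an assertion stays valid. Tampering with the claims, presenting an assertion from an issuer not on the list, or replaying an expired one all fail closed with a distinct reason.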
Date: Sat, 29 Sep 2007 23:15:36 -0700
From: labrat.hb at gmail.com
To: robla at lindenlab.com
Subject: Re: [sldev] OpenID vs. current proposal vis a vis security
CC: sldev at lists.secondlife.com
You're right. OpenID will not be any better than what LL's proposed. You still have a login and password that will have to be entered somewhere. And by all rights OpenID can be a greater security risk than the Authentication Method proposed, as you may have many other sites tied to that OpenID.
On 9/29/07, Rob Lanphier <robla at lindenlab.com> wrote:
Hi all,

Thanks for posting this:
https://wiki.secondlife.com/wiki/Viewer_Authentication_Critique

The proposal raises, among other things, OpenID as a possible solution. This is something that has been kicked around at Linden Lab, and we may well get around to implementing it one of these days.

Let's say we did implement an OpenID Identity Provider, and switched the viewer to instead require OpenID (making the viewer act as both a relying party and a user agent). Would that be more secure than the current proposal? If so, why? It seems to me many of the criticisms associated with this current proposal would also apply to moving to OpenID.

Rob