[sldev] OpenID & SSL certificates
Dzonatas
dzonatas at dzonux.net
Sun Sep 30 07:49:24 PDT 2007
Rob Lanphier wrote:
> Hi all,
>
> Thanks for posting this;
> https://wiki.secondlife.com/wiki/Viewer_Authentication_Critique
>
> The proposal raises, among other things, OpenID as a possible solution.
>
OpenID is a practical way to augment security on automated
public/private keys and certificates, but it can be completely bypassed
with just proper SSL certificates.
For example, when the user first logs in, they access the certification
through a login with OpenID. Once the certification scheme
generates and propagates authorities and keys, the user no longer needs to
use OpenID to re-establish sessions.
One of the user's certificates may expire. In this case, the user logs
into the OpenID system again to lease/create a new certificate. The
system re-propagates as needed.
If a user requires a temporary certificate (say for travel), they can
log into the OpenID system and create extra certificates that expire but
can be stored on a USB drive or the like. A temporary passphrase-bound
certificate can be generated for completely random access. The benefit
here is that the user can completely avoid the need to address the
OpenID login while in potentially insecure access locations.
In this scheme, access retains increased security by the certification
process and does not rely on passwords being seen each session. Also,
the management and propagation of such security is automated through the
affiliation of the OpenID system. Each affiliate may have local security
customizations.
If a user wants to invalidate all their current certificates, that
option can be available through an OpenID login. The user can immediately
re-lease/re-create new certificates.
Most arguments I've seen against OpenID are when people solely rely on
OpenID for access. As stated above, it can be completely bypassed with
augmented security schemes.
- Dz
--
Power to Change the Void
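The lease/expire/revoke cycle described in the post above, as an added example (not code from the original message, from Dzonatas, or from the Second Life viewer): a small issuer that hands out a client certificate to an identity that an OpenID login is assumed to have already established, a client-side step that proves possession of the leased key by signing a server challenge, and the server-side check that replaces a per-session password: chain to the issuer's root, validity at the time of the check, client-auth usage, revocation, and the challenge signature. The issuer name, the OpenID identity URL, the challenge bytes and the TTLs are all illustrative assumptions; the OpenID exchange itself is not modelled. The `ttl` parameter is what makes the short-lived "travel" certificate from the post, and `Revoke` is what the "invalidate all my certificates" option would call.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issuer stands in for the certification scheme that a user reaches only
// through an OpenID login. All names here are illustrative assumptions.
type Issuer struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	next    int64           // sequential serials for brevity; a real CA uses random ones
	revoked map[string]bool // serials invalidated through an OpenID login
}

// mint signs tmpl under parent with signer and returns the parsed certificate.
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewIssuer creates the self-signed root that relying servers trust.
func NewIssuer(now time.Time) (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-bootstrap-ca"}, // assumed name
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := mint(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &Issuer{cert: cert, key: key, next: 1, revoked: map[string]bool{}}, nil
}

// Issue leases a client certificate to an identity that an OpenID login has
// already established (the login itself is assumed, not modelled). A short
// ttl is the "temporary certificate for travel" case from the post.
func (is *Issuer) Issue(openidIdentity string, now time.Time, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	if openidIdentity == "" {
		return nil, nil, errors.New("no OpenID identity: refusing to issue")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	is.next++
	cert, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(is.next),
		Subject:      pkix.Name{CommonName: openidIdentity},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, is.cert, &key.PublicKey, is.key)
	return cert, key, err
}

// Revoke is what the "invalidate my certificates" OpenID option would call.
func (is *Issuer) Revoke(c *x509.Certificate) { is.revoked[c.SerialNumber.String()] = true }

// ProveSession is the client side of re-establishing a session: sign the
// server's challenge with the leased key, so no password is ever typed.
func ProveSession(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifySession is the server side: chain to the root, valid at now, marked
// for client auth, not revoked, and the challenge signature must match the
// certified key. It returns the OpenID identity the certificate was leased to.
func (is *Issuer) VerifySession(c *x509.Certificate, challenge, sig []byte, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(is.cert)
	if _, err := c.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now, // expiry is judged against the session time, not issue time
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	if is.revoked[c.SerialNumber.String()] {
		return "", errors.New("certificate rejected: revoked")
	}
	pub, ok := c.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("challenge signature does not match certified key")
	}
	return c.Subject.CommonName, nil
}
```

In a real deployment the challenge/response would be the TLS client-authentication handshake rather than a hand-rolled signature, and revocation state would be published as a CRL or OCSP response rather than kept in one process's map; the structure of the checks is the same. Note that the post's "temporary passphrase bound certificate" maps to encrypting the leased private key at rest, which this example leaves to the caller.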