[sldev] OpenID & SSL certificates
Argent Stonecutter
secret.argent at gmail.com
Sun Sep 30 10:22:28 PDT 2007
On 30-Sep-2007, at 11:54, Dzonatas wrote:
> Argent Stonecutter wrote:
>> On 30-Sep-2007, at 10:54, Dzonatas wrote:
>>>> Does this require my using the same identity with SL as with
>>>> other OpenID services?
>>
>>> I'm not sure by "other" you mean affiliated or non-affiliated
>>> OpenID servers.
>>
>> By "other" I mean "any company other than Linden Labs".
>
> Ok. That doesn't change my answer.
Can you clarify it, then?
>>>> Can the authentication be handled entirely within SL?
>>>
>>> Since SL can be partially in-world and part web, as it now
>>> exists, yes.
>> By "handled" I mean "the entire process, including creating the
>> certificate".
>> By "entirely within SL" I mean both "with no other application
>> involved, including a web browser", and "without any company other
>> than Linden Labs being involved".
>> Otherwise, if it comes to OpenID or something like LL's original
>> proposal *except* with a client that handled the login entirely
>> within the application, using web services (or a hardcoded form
>> response) over HTTPS, I would prefer the latter.
> That would all depend on final implementation. It is possible
> either way.
If LL implements it any other way that doesn't satisfy the
requirements I listed above, would it be possible for a third party
to create a client that restored the status quo, by implementing the
whole process in the client, without doing some kind of screen
scraping from some J Random Website's HTML login page?
> Keep in mind that an authoritative (3rd) party needs to sign more
> permanent and secure certificates, but certificates can still be
> made on a standalone basis.
I don't understand what party would be more authoritative regarding
my SL account than LL, or how bringing in a third party makes this
more secure, FOR THE SPECIFIC CASE OF LOGGING IN TO THE SL SERVICE
FROM THE SL CLIENT.
> Being that this is a new proposal and that OpenID already exists,
> can we make LL's proposal better than OpenID?
Being that there's no clear requirement for this proposal, what does
OpenID provide that makes it a better option than doing nothing? If
it doesn't bring anything to THAT table, it's just muddying the
waters. If it just implements the LL proposal as originally stated,
all the existing objections stand. If it brings in additional third
parties then that is an advantage for the original proposal. If it
can't be bypassed in the client of it's implemented in a way that
requires logging in from a browser, then that is an advantage for the
original proposal.
Which is why I asked. What I need to know is... can this be handled
entirely in the viewer application, from start to finish, without
involving any third parties and without involving any applications
other than the viewer at any point (including web browsers, whether
embedded in the viewer or otherwise), including generating any
certificates required using only such authentication information that
I am able to easily carry in my head, even if SL's design doesn't
work this way.
> Or, should we just resolve to OpenID?
>
> Given the option of SSL certificates, I believe OpenID or LL's
> proposal both also become optional.
You have to have a mechanism to generate the certificates. SSL
certificates are like hydrogen in "the hydrogen economy"... they are
not the source of authentication, they are part of the distribution
system.