[sldev] OpenID & SSL certificates

Argent Stonecutter secret.argent at gmail.com
Sun Sep 30 10:22:28 PDT 2007


On 30-Sep-2007, at 11:54, Dzonatas wrote:
> Argent Stonecutter wrote:
>> On 30-Sep-2007, at 10:54, Dzonatas wrote:
>>>> Does this require my using the same identity with SL as with  
>>>> other OpenID services?
>>
>>> I'm not sure by "other" you mean affiliated or non-affiliated  
>>> OpenID servers.
>>
>> By "other" I mean "any company other than Linden Labs".
>
> Ok. That doesn't change my answer.

Can you clarify it, then?

>>>> Can the authentication be handled entirely within SL?
>>>

>>> Since SL can be partially in-world and part web, as it now  
>>> exists, yes.

>> By "handled" I mean "the entire process, including creating the  
>> certificate".

>> By "entirely within SL" I mean both "with no other application  
>> involved, including a web browser", and "without any company other  
>> than Linden Labs being involved".

>> Otherwise, if it comes to OpenID or something like LL's original  
>> proposal *except* with a client that handled the login entirely  
>> within the application, using web services (or a hardcoded form  
>> response) over HTTPS, I would prefer the latter.

> That would all depend on final implementation. It is possible  
> either way.

If LL implements it any other way that doesn't satisfy the  
requirements I listed above, would it be possible for a third party  
to create a client that restored the status quo, by implementing the  
whole process in the client, without doing some kind of screen  
scraping from some J Random Website's HTML login page?

> Keep in mind that an authoritative (3rd) party needs to sign more  
> permanent and secure certificates, but certificates can still be  
> made on a standalone basis.

I don't understand what party would be more authoritative regarding  
my SL account than LL, or how bringing in a third party makes this  
more secure, FOR THE SPECIFIC CASE OF LOGGING IN TO THE SL SERVICE  
FROM THE SL CLIENT.

> Being that this is a new proposal and that OpenID already exists,  
> can we make LL's proposal better than OpenID?

Being that there's no clear requirement for this proposal, what does  
OpenID provide that makes it a better option than doing nothing? If  
it doesn't bring anything to THAT table, it's just muddying the  
waters. If it just implements the LL proposal as originally stated,  
all the existing objections stand. If it brings in additional third  
parties then that is an advantage for the original proposal. If it  
can't be bypassed in the client or it's implemented in a way that  
requires logging in from a browser, then that is an advantage for the  
original proposal.

Which is why I asked. What I need to know is... can this be handled  
entirely in the viewer application, from start to finish, without  
involving any third parties and without involving any applications  
other than the viewer at any point (including web browsers, whether  
embedded in the viewer or otherwise), including generating any  
certificates required using only such authentication information that  
I am able to easily carry in my head, even if SL's design doesn't  
work this way.

> Or, should we just resolve to OpenID?
>
> Given the option of SSL certificates, I believe OpenID or LL's  
> proposal both also become optional.

You have to have a mechanism to generate the certificates. SSL  
certificates are like hydrogen in "the hydrogen economy"... they are  
not the source of authentication, they are part of the distribution  
system.


