[sldev] OpenID & SSL certificates

Tao Takashi tao.takashi at googlemail.com
Sun Sep 30 15:53:39 PDT 2007


2007/9/30, Argent Stonecutter <secret.argent at gmail.com>:
>
> On 30-Sep-2007, at 14:20, Tao Takashi wrote:
> > Well, you are of course still free to use different open id
> > accounts for different type of "personalities",
> > like you can use the Open ID of your company for more business like
> > stuff and some other for e.g.
> > role playing stuff.
>
> My experience with *browsers* and multiple sources that use the same
> account family has been that in practice, you can only use one
> account in a browser at a time. To log on with multiple accounts you
> need to use multiple different browsers - Safari here, Firefox there,
> Opera elsewhere. Luckily the web is structured so that different
> communities don't get access to you even if you're technically logged
> in unless you visit them. That is, the only reason this isn't a
> problem on the web is that it's not world-like. I can log on to
> Sourceforge or Bugzilla or Jira without showing up on Google Talk or
> YIM... and OpenID wouldn't change that situation much... on the web.
>
> In SL, though, once you're logged in everyone can tell you're in
> world. I've griped about that before. The point is that it creates a
> need for multiple accounts even in the same context. I've got two
> extra accounts just for testing scripts and permissions... that's all
> SL-business-related... there's no "role playing" involved. And that's
> aside from my real job, where I suppose I'll find I'll need an OpenID
> ID at some point.



Well, this is maybe more a question of how good the controls in SL are to
protect your privacy (and I am not sure the once done enhancement to
visibility etc. is really an enhancement to me. I need more a chance to
switch it off completely instead of a by-person basis).
If we look at the new SL architecture where agent and identity are more
separate concepts it should be possible to group your alts together under
one identity. Thus you log in via OpenID and choose which agent/avatar to
use. This might enable also inventory handling between alts in a better way.
I see the problem here more in the SL implementation instead of choosing the
right authentication mechanism.
This mechanism might even be used on the SL website to post under different
agents in forum, Jira, Wiki etc.



> So I'd have to have a separate OpenID for each "Argent"?



As said, this depends on the implementation. If agent and identity
are separate things then it could be grouped. But this should be possible
with every authentication used, even the existing one right now.

> Can you answer the question I asked Dzonatas, in this context? Can
> this be reduced to the point that there's no more yak shaving than
> there is now?
>
> "What I need to know is... can this be handled entirely in the viewer
> application, from start to finish, without involving any third
> parties and without involving any applications other than the viewer
> at any point (including web browsers, whether embedded in the viewer
> or otherwise), including generating any certificates required using
> only such authentication information that I am able to easily carry
> in my head, even if SL's design doesn't work this way."



I am not sure I understood correctly what Dzonatas was talking about as I
quickly glanced over the thread this evening. But wasn't it more something
about using OpenID just as first authentication scheme and afterwards
attaching some certificate to your viewer so that OpenID is only used in the
first step.

As OpenID relies (I think) on some redirection magic between provider and
client this of course only works on the web. The existing SL splash screen
is web-enabled already though and it should be possible to implement it that
way.
But I guess it's not very practical to use this as browser for all sorts of
different ID providers.
If this certificate is attached though then you'd need to use the web once
for linking the OpenID account to that certificate which in turn is given to
the client.
Afterwards no web should be needed anymore.

But it's quite late and I really need to read it again and maybe Dzonatas
can also shed some light onto this. While glancing over it it looked ok but
I am also not the best expert in security ;-)

I know though that having all those accounts on the web gets a bit annoying
and I am trying to talk every startup guy I meet into using OpenID as chances
are higher to use their service again. Besides that OpenID seems to have some
chicken-egg problem in general and I hope that this will grow out at some
point because it really enables quite a lot of nice things.


-- Tao

-- 
taotakashi at gmail.com
http://taotakashi.wordpress.com
http://worldofsl.com

RL: Christian Scholz, cs at comlounge.net
http://mrtopf.de

http://comlounge.net
http://comlounge.tv
http://mrtopf.tv
http://dev.comlounge.net
IRC: MrTopf/Tao_T