[sldev] [AWG] realXtend login process for distributed virtual worlds

Argent Stonecutter secret.argent at gmail.com
Tue Mar 18 06:44:04 PDT 2008


On 2008-03-18, at 05:27, Matti Reijonen wrote:
> I think there's a problem here even if the hash is not replayable:
> exampleworld.com could use the hash it gets in the first place
> from the client to log in with the user's account to expensiveworld.
> expensiveworld would then use that hash to authenticate and get a
> second hash from the authentication server and know nothing about
> exampleworld. The problem is with the second-phase authentication.

But then exampleworld could not use the same hash to authenticate the  
user. The user would get to exampleworld but wouldn't have access to  
their user profile or other resources... exampleworld would have to  
cache those resources and hope that the user wouldn't notice anything  
was stale. Which would probably work, so, OK, you need to include  
some kind of world-dependent token in the process.

> I'm not familiar with the term "time dependent nonce"; would that
> be a lightweight alternative solution for SSL?

It's what your disposable hash is.
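
A sketch of the world-dependent token discussed in this message, added here as an illustration and not part of the original post or of the realXtend protocol: the client's disposable hash is an HMAC over a single-use, time-limited nonce and the name of the world it is logging in to, so a hash handed on to a different world fails verification. The class and function names, the message layout and the 30-second lifetime are assumptions.

```python
import hashlib
import hmac
import os
import time

MAX_AGE = 30  # assumed nonce lifetime in seconds


def client_proof(secret: bytes, nonce: bytes, world: str) -> bytes:
    """Disposable hash: HMAC over the world name and the server's nonce."""
    name = world.lower().encode()
    # Length-prefix the name so (world, nonce) pairs cannot be confused.
    msg = len(name).to_bytes(2, "big") + name + nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()


class AuthServer:
    def __init__(self, secrets: dict):
        self.secrets = secrets  # account -> secret shared with the client
        self.issued = {}        # nonce -> (account, issue time)

    def new_nonce(self, account: str, now: float = None) -> bytes:
        if account not in self.secrets:
            raise KeyError(account)
        nonce = os.urandom(16)
        self.issued[nonce] = (account, time.time() if now is None else now)
        return nonce

    def verify(self, account, world, nonce, proof, now=None) -> bool:
        """`world` is the identity of the world server making this call,
        as authenticated by the auth server, not a value the caller picks."""
        entry = self.issued.pop(nonce, None)  # single use, even on failure
        if entry is None or entry[0] != account:
            return False
        now = time.time() if now is None else now
        if now - entry[1] > MAX_AGE:
            return False  # time-dependent: stale nonces are rejected
        expected = client_proof(self.secrets[account], nonce, world)
        return hmac.compare_digest(expected, proof)


if __name__ == "__main__":
    auth = AuthServer({"alice": b"constructed-sample-secret"})
    n = auth.new_nonce("alice")
    p = client_proof(auth.secrets["alice"], n, "exampleworld.com")
    # The hash was made for exampleworld.com, so it fails for any other world.
    print(auth.verify("alice", "expensiveworld.com", n, p))
```

The binding only helps if the authentication server knows which world is calling `verify`, for example from an authenticated connection, and the client names the world it actually connected to.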
