I believe one key contextual component we have, that most 'web' scenarios don't have, is that we can base our authentication on 'pushing' authentication.
I believe that it should be very possible to create a scheme where you always start your session with logging onto your home registration grid, then establish a viewer session with each region in turn. Now of course, something like OpenID could probably be used intra-session. My only beef is that it should never be considered the main provided 'entry' authentication scheme, for what I consider obvious reasons. So, if we can let 3D Web resources be so portable (continue down the separation and distribution path started upon by Hypergrid) that you only ever need to register one account for your OpenSim experience, and if there can be third-party providers that provide OpenID entry authentication that lets me use OpenID for that (me knowing the risks involved, but trusting this particular party), I think that would solve the whole thing.

Best regards,
Stefan Andersson
Tribal Media AB

> Date: Tue, 3 Mar 2009 16:43:00 -0800
> From: d...@metaverseink.com
> To: opensim-dev@lists.berlios.de
> Subject: Re: [Opensim-dev] OpenID
>
> Sean Dague wrote:
> > I guess the question is whether or not this is better or worse than
> > requiring new user account registration for systems, which inevitably is
> > people typing in the same passwords as they've used elsewhere.
>
> I can't say I have the answer to that question, although I have a hunch
> about it. All I can say is that it is extremely irresponsible on the
> part of these corporations to deploy this scheme out there without
> finding the answer to that question, given all the literature pointing
> to how oblivious people are wrt security in practice.
>
> > Those are general statements on the tech. How it fits in the opensim
> > space, I'll leave to others, because it may not be appropriate. But
> > make sure that if you are going to hold up openid to such a high
> > standard of social engineering, that you hold other methods to that as
> > well.
>
> Let's put it this way: if I had the low standards and ethics that the
> people who wrote the OpenID spec have I would say that the Hypergrid is
> 1.0 and that the security problems "can be prevented in multiple ways"
> and "are outside the scope of this document." Then I would charge
> $5000/day to do consulting work with the people who want to use the
> Hypergrid for added convenience, without ever mentioning the security
> problems that it currently has. [That seems to be the game with OpenID,
> as far as all I can tell; to the credit of OAuth, in comparison, they,
> at least, acknowledge the phishing problem explicitly]
>
> I really don't know if we can secure the Hypergrid the right way (well,
> I think we can, but it will take some work including client-side :-),
> but I do know that anything that is based on random components asking
> people for their passwords is out of the question, at least for any
> security schemes I will be involved with.
>
> Having said that, it's clear to me that, should we use the OpenID
> protocol as a basis for Hypergrid identity, it doesn't necessarily need
> to be used in the irresponsible manner it is being used on the Web. As I
> said, the mechanism is fine. And there is something of value to having
> OpenID and OAuth together. My main technical issue is the existence of
> multiple calls and the complexity of the solution in terms of the code,
> because of model mismatch.
>
> I haven't finished my study on this yet. I have been distracted
> (distraught?) by what I'm seeing of OpenID out there on Webland...
>
> Crista
>
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev@lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
_______________________________________________ Opensim-dev mailing list Opensim-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/opensim-dev
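The "pushed" authentication Stefan sketches above (log on once to the home grid, then present something to each region in turn) can be illustrated with a small ticket scheme. The following is an added example written for this page; it is not OpenSim or Hypergrid code and does not reflect how either project actually exchanges credentials. It assumes a hypothetical home grid named `home.example.grid`, a constructed HMAC key, and region names made up for the test. The point it demonstrates is the property Crista insists on: the user's password is only ever entered at the home grid, and a region verifies a signed, region-bound, short-lived ticket instead of asking for any secret itself.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key material (hypothetical grid name, made-up key).
# The home grid holds the signing key; each region holds only the keys of
# home grids it has chosen to trust. HMAC keeps the example short; a real
# deployment would more likely use an asymmetric signature so that regions
# hold no secret at all and a compromised region cannot mint tickets.
TRUSTED_HOME_GRIDS = {"home.example.grid": b"constructed-home-grid-key"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_region_ticket(home_grid, key, user, region, ttl=300, now=None):
    """Home grid side: after the user has authenticated locally, mint a
    ticket bound to exactly one region (audience) with a short lifetime.
    The password is never part of what leaves the home grid."""
    now = int(time.time()) if now is None else now
    claims = {"iss": home_grid, "sub": user, "aud": region,
              "iat": now, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(_sign(key, payload))


def verify_region_ticket(ticket, my_region, trusted=TRUSTED_HOME_GRIDS, now=None):
    """Region side: accept only a ticket signed by a trusted home grid,
    addressed to this region, and still within its validity window.
    Returns (user, None) on success or (None, reason) on rejection."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = ticket.split(".")
        payload = _unb64(payload_b64)
        signature = _unb64(sig_b64)
        claims = json.loads(payload)
        issuer = claims["iss"]
    except (ValueError, KeyError, TypeError):
        return None, "malformed"
    key = trusted.get(issuer)
    if key is None:
        return None, "untrusted issuer"
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(_sign(key, payload), signature):
        return None, "bad signature"
    # Audience binding: a ticket captured at one region is useless elsewhere.
    if claims.get("aud") != my_region:
        return None, "wrong region"
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None, "expired"
    return claims["sub"], None


if __name__ == "__main__":
    key = TRUSTED_HOME_GRIDS["home.example.grid"]
    ticket = issue_region_ticket("home.example.grid", key, "alice", "region-a")
    print(verify_region_ticket(ticket, "region-a"))   # ('alice', None)
    print(verify_region_ticket(ticket, "region-b"))   # (None, 'wrong region')
```

Two design choices carry the security argument: the signature is checked before any claim is trusted, so a tampered audience or expiry fails closed, and the ticket names its audience, so a region that receives one cannot reuse it to reach a different region on the user's behalf.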