[Changing the subject; long email full of technical and historical
details; should perhaps cross-list to vwrap, but the chair there doesn't
like cross-postings, understandably; I don't know how to solve that, so
goes here only for now...]
OGP was a nice demo, and certainly had a lot of impact because it
pointed towards what people wanted. It was incomplete, and the agent
domain part was never made available for people to use on their own
grids. But those weren't the only problems, they weren't even the major
problems... The only reason why that demo worked at all was because
OpenSim, at the time, was a _complete_security_hole_! :D
Basically, if you had a modified client that would make a certain remote
call into any OpenSim out there, it would create an agent on the sim,
without asking any questions. In other words, you could enter any grid
bypassing credential checks altogether. That's how logins and TPs worked
when I started playing with OpenSim. A couple of people noticed this at
some point or another, and sent us private bug reports. I'm saying this
now, because this affects very old versions of OpenSim that probably no
one is running anymore -- I hope!
The very first version of HG1.0 exploited the same vulnerability. Later,
I added a session check across the board, which would at least verify
that there was some sort of authority on the sending side, and that such
authority would confirm the existence of that session. I'm not sure
people were still using OGP at this point, but OGP would have stopped
working with this session check, because I didn't have access to the
agent domain code in order to add this check to it.
The Hypergrid progressed empirically by me identifying all these
security holes and, basically, fix them. The holes were the path to the
solutions -- I didn't have to make anything up!
I think the people who did OGP had conscience of how broken that
SL/OpenSim demo was, and knew it needed a whole lot more. Documents out
there explain what they were thinking about (e.g.
http://wiki.secondlife.com/wiki/Structural_Design).
There are many similarities between what they were thinking and HG1.5.
What that extended protocol is missing is the authentication between the
multiple parties involved: what they call the Region domain (similar to
the Gatekeeper), what they call the Agent domain (similar to the user
agent service), the region itself, and the viewer. *And authentication
is the critical piece for making this secure.*
Since they didn't seem to have any solution for the multi-party
authentication problem, that led to the initial idea that interop could
never be true S4S, but would have to have some sort of real-world
authority that would establish and enforce the rules of engagement in a
federation of VWs -- that would make the nasty problem of authentication
go away with the addition of lawyers!
Melanie and I figured out how to make the multi-party authentication
work. It's basically a series of data flows and verifications that rely
100% on the basic Internet architecture -- DNS and TCP/IP addresses --
and on the social organization that we can expect on top of this
architecture. Nothing fancy, really, just back to the basics. And it
works. This is not the only way to solve the multi-party authentication
problem, but it's probably the simplest.
HG1.5 is fairly secure, there's only a couple of obscure corner cases.
It's more complicated and unsafe than it needs to be, if we had a client
that would cooperate and do the right things. The LL client is a major
fixed-point in this, it restricts a lot what we can do.
But I've started to like the LL client like it is. Call it Stockholm
syndrome! :D
There's an interesting thing about the LL architecture: the client talks
only to the server(s) that it connects to, and not to the resource
servers directly. We hate this, of course. But this is how web browsers
work too -- or at least how they are forced to work by web servers. When
you get a page from a site, the resources you are allowed to get via the
dynamic connections are only from that site, and not others (the origin
restriction). So if someone would ever do a Web-browser-based rendering
engine (something I would love to see!) we would be dealing with
essentially the same situation that we are dealing now. Think about it!
Justin Clark-Casey wrote:
On 01/09/10 14:56, Mike Dickson wrote:
More on OGP below.
Like Diva, I also think that good standards very often only come out
of working implementations. Hence, though I've
been following the VWRAP lists (and OGP before that) I haven't been
participating since there's been a lot of
hard-to-follow discussion without much real-world consequence. And as
a working developer I don't have the luxury of
sitting on my tush and contemplating the Platonic world of future
standards all day ;) (joking).
This is really the issue that has always bothered me. There's been an
assertion that working code was more important than "standards". Truth
is, standards are hard work, its more fun to hack code. And there *was*
an existing implementation. LL and IBM demonstrated some limited cross
grid functionality (hence the OGP work). And asserting politics was an
issue is just lame. Linden Labs put forward a *working* system as a
starting point along with some jointly developed code demonstrating
limited interoperability. The code was even available to the OpenSim
team. So if there was a "political agenda" it was on both sides. LL
wanting to preserve some compatibility with their existing system (but
willing to consider changes) and on the HyperGrid side a desire to
explore and research ideas.
What still remains is the hard work of creating a standard that defines
interoperability. It would be great to see that progress, along with the
code.
I certainly agree that standards are hard work, which is why creating
them without reference to any working examples seems an almost
impossible task to me. But that's just my own opinion which is not
burdened by decades of experience :)
I also have to echo what Dahlia said earlier. OGP was extremely
limited, afaik being nothing beyond transporting an avatar name to a
'default' avatar on another grid. There was no other identity or
appearance preservation, let alone access to inventory - all extremely
tough problems to address in any scalable or secure manner.
Dahlia's phrase "OpenSim community" rather than "OpenSim team"
illuminates very well the structures in play here. In terms of the core
group, I wouldn't say that we were a team as such but more a community
of people with a reasonably common set of interests who agree to abide
by certain norms and a few rules. There was never really an "OpenSim
team" to respond to OGP proposals. Rather, some people were interested
in it and implemented the required bits and pieces and other people were
ambivalent or more interested in alternative architectures.
_______________________________________________
Opensim-dev mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/opensim-dev
