Forgot to clarify this point. Tommi Laukkanen wrote: > As conclusion CAPS URLs we talk here seem to be a kind of caching > mechanism where we do authentication and authorisation on client login > and store the authorisation information to CAPS URLs which client can > access directly and we do not need to authenticate&authorize anymore. CAPs URLs are generated everytime the client moves into a new region. Look at Scene.AddNewUser, which is run everytime an agent comes on the way of the region, and then CloseConnection, which is run everytime the client goes away.
You are right in implying that right now, we use CAPs only because the Linden viewer forces us to. Yes, that is correct. And we use them in a completely security-defying manner, even for the Linden client that we are already supporting -- as I described a few emails ago. > As such CAPS URL is not a competitor to either OpenId nor oAuth. > OpenId is authentication mechanism and oAuth is authorization > mechanism for consuming services from remote interfaces. They are competitors for the security scheme that doesn't exist yet concerning the authentication & authorization between user agents and regions. Right now, that is totally unprotected, security doesn't exist, the process relies on mutual trust - that's what I'm going to change, because it needs to be made safe for decentralized VWs like the Hypergrid. A bit of OpenSim history here. Sometime ago, someone tried to add an authorization step into inventory access, checking the session id (again this would have been extremely weak security, but it would have been better than nothing; at least it would secure the inventory server from web clients and from regions after the client had logged out). The authorization step, however, involved an extra call to the User server to verify the session id. Some people found that the performance penalty was way too high to be worth the trouble, so the effort was abandoned. (Right now, the inventory access code is a big mess, impossible to explain.) Any authentication & authorization mechanism that avoids separating these two things into separate messages is a major plus. Crista _______________________________________________ Opensim-dev mailing list [email protected] https://lists.berlios.de/mailman/listinfo/opensim-dev
