On Mon, Apr 13, 2009 at 7:37 PM, Diva Canto <d...@metaverseink.com> wrote:
> I've been debating with myself and with some ppl in IRC about whether
> OpenSim should support many security schemes or shoot for the most
> generic one. Advice appreciated. Here's the situation.
>
> There are already 3 different authentication schemes on the pipeline for
> Teleports, one of them being the current one, and two being on my local
> non-committed changes. These 3 schemes are: (a) no authentication; (b)
> session authentication; and (c) key authentication (keys being unique,
> one-time strings for each client-server pair).
>
> (a) is what is currently in place -- hence my nagging about the lack of
> security in non-VPN'ed grids. But for VPN'ed grids this is perfectly fine.
> (b) is a weak form of authentication that prevents spoofing from the
> outside of a grid, but that doesn't prevent spoofing from inside. That
> is, regions can find out the sessionID of users when they're logged in,
> and impersonate them. In open grids this is highly unsafe; but in
> walled-garden grids, this is perfectly fine.
> (c) is the strongest form, as it allows clients to have a lot more
> control -- not the raw Linden client, which doesn't quite do that, but
> others. (c) can also be implemented in the current setup, with the raw
> Linden client, and with server-side teleports. It's kind of meaningless
> in this case, but it's no worse than (b) for open grids.
>
> So, back to the original question. Should OpenSim support all of these
> and more, or should we shoot for (c) only?
(c) is the most important; there is a very well established pattern using SSL, there should also be many libraries for this

_______________________________________________
Opensim-dev mailing list
Opensim-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/opensim-dev
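
A small model of the difference between schemes (b) and (c) from the quoted message, added here as an illustration; it is not OpenSim code and not code from either poster. The `GridAuthority` class, its methods and the agent/region names are hypothetical, and it assumes a central service checks the keys, which the thread does not specify.

```python
import hmac
import secrets


class GridAuthority:
    """Hypothetical verifier for session IDs (b) and one-time keys (c)."""

    def __init__(self):
        self.sessions = {}  # agent -> session ID, reused for the whole login
        self.keys = {}      # (agent, region) -> unused one-time key

    def login(self, agent):
        self.sessions[agent] = secrets.token_hex(16)
        return self.sessions[agent]

    def issue_key(self, agent, region):
        """Scheme (c): fresh key for exactly one agent/region pair."""
        self.keys[(agent, region)] = secrets.token_hex(16)
        return self.keys[(agent, region)]

    def check_session(self, agent, session_id):
        """Scheme (b): passes for anyone who has learned the session ID."""
        expected = self.sessions.get(agent)
        return expected is not None and hmac.compare_digest(expected, session_id)

    def check_key(self, agent, region, key):
        """Scheme (c): must match this pair; consumed only on success."""
        expected = self.keys.get((agent, region))
        if expected is None or not hmac.compare_digest(expected, key):
            return False
        del self.keys[(agent, region)]
        return True


def compare_schemes():
    """Present at region B what region A saw when the agent arrived there."""
    grid = GridAuthority()
    session_id = grid.login("agent-1")                # constructed sample names
    key_a = grid.issue_key("agent-1", "region-A")
    key_b = grid.issue_key("agent-1", "region-B")
    results = {}
    # Region A knows session_id and key_a; both are replayed at region B.
    results["session_seen_by_A_accepted_at_B"] = grid.check_session("agent-1", session_id)
    results["key_seen_by_A_accepted_at_B"] = grid.check_key("agent-1", "region-B", key_a)
    # The agent's own key for region B works once and then is spent.
    results["key_b_first_use"] = grid.check_key("agent-1", "region-B", key_b)
    results["key_b_second_use"] = grid.check_key("agent-1", "region-B", key_b)
    return results


if __name__ == "__main__":
    print(compare_schemes())
```
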