Correct me if I'm wrong, please. X.509 is based on certificates (and certification authorities, and so on), so instead of having central servers for authentication, a "ring of trust" will be created: I have a certificate from a trusted authority, I can use some services from the "trusted domain"...

OAuth is quite similar, so the concepts are "trusted domains" and "certification authorities", isn't it? Anyway, it's just another way of authentication: I send a certificate instead of a user/password pair. The "central servers" (users, inventories, grid...) won't disappear, only the way they talk to each other for sharing "services", I think.

Greetings

2009/11/25 Infinity Linden (Meadhbh Hamrick) <[email protected]>

> this is what we're thinking we're going to do in VWRAP.
>
> we're going to define an authentication service that's run by the agent domain. (for peeps new to VWRAP, a "domain" is a collection of network hosts with the same "administrative authority." the "agent domain" is a domain that provides mostly "agent related" services, including the authentication service.)
>
> individual users will authenticate against this authentication service. then some magic happens and the user's avatar is placed in a region in a region domain.
>
> the "magic" that happens after user authentication and before the user's avatar gets placed is that the agent domain has to figure out the service URL of the region to place the avatar, and that region has to figure out if it trusts that agent domain.
>
> so the current expectation is that we'll probably have a couple large agent domains like secondlife, OSGrid, etc. and maybe even a few managed by large companies for the benefit of their employees. once the user's client application is authenticated to the agent domain, the client application may request that the agent domain place the user's avatar in a region. (note! with VWRAP, you can be authenticated to an agent domain for the purpose of participating in group chat or inventory manipulation without being rezzed in world.)
>
> and here's where it gets mildly funky. the agent domain and the region domain need to have _some_ level of trust with each other, or they have to be explicit about the fact that they trust everyone. agent domain authorities may not want to rez an avatar in an untrusted region. the canonical example of this is second life not wanting to rez an avatar and all its attachments in the "pirate bay" region. some regions may not trust all agent domains. consider a series of regions administered by IBM, for the purpose of transacting IBM business. i'm not an IBM employee, but it seems reasonable they would like to know who's rezzing in their regions, so they may establish a policy of only allowing people with accounts on IBM's agent domain to be able to rez in their region domain.
>
> there are currently two proposals for managing this trust. the first utilizes PKIX (which is a subset of X.509) to define semantics for interpreting the subject name of client side certificates in transactions carried over HTTPS. the other is the use of OAuth for one domain to explicitly grant access to another domain's systems for a particular purpose. both systems look like they're going to be fully specified, giving deployers a choice as to which auth scheme they want to use.
>
> -cheers
> -meadhbh
>
> --
> infinity linden (aka meadhbh hamrick) * it's pronounced "maeve"
> http://wiki.secondlife.com/wiki/User:Infinity_Linden
>
> On Tue, Nov 24, 2009 at 06:59, Impalah Shenzhou <[email protected]> wrote:
>
>> Ok, maybe it's a misunderstanding. I will try to explain what I wanted to know:
>>
>> Imagine 100000 region servers pretending to be a grid.
>>
>> What I understood from Morgaine's comment:
>>
>> Opensim needs decentralized / distributed mechanisms for *
>> identity,
>>
>> * was
>>
>> "I have entered that grid, my authentication was managed by one region server. When I try to jump to another region in the same grid I have to authenticate again in the region server and that region server must contain my data to authenticate me again".
>>
>> Nowadays it is like: enter a grid, being authenticated by a common user server; when I want to jump to another region in the grid, I don't need to authenticate again.
>>
>> What I understand by "decentralized" is: each opensim server has the mechanisms to authenticate a user even when it is part of a grid.
>>
>> And that is what I don't understand: why? why not surrogate the authentications to specialized and centralized servers.
>>
>> And that was the reason for my question about OpenID, maybe this is a system considered "decentralized".
>>
>> Anyway I can't see anything bad in centralized servers. If anyone wants to enter my server he/she has to follow my rules; if I have 1000 servers, I provide you with a common auth mechanism for accessing all of them.
>>
>> Or maybe I am completely wrong.
>>
>> Greetings
>>
>> 2009/11/24 Robert A. Knop Jr. <[email protected]>
>>
>>> I don't know that this really *is* offtopic, unless it's already a settled issue among the OpenSim devs.
>>>
>>> On Tue, Nov 24, 2009 at 02:19:20PM +0100, Impalah Shenzhou wrote:
>>> > I could trust in you, but you need to tell me "you are really you" with a local login (i.e. email headers can be altered to impersonate another person) or someone I trust should tell it to me (i.e. OpenID).
>>>
>>> Do you have any personal web pages anywhere? Do you run any CGI or any PHP there? Do you identify everybody who comes there? That's the analogy we should think about. Yes, we need a secure infrastructure so that only the small number of people you *really* trust can do scary things. But at the level of running regions -- well, you may be using a hosting provider, or you may be hosting yourself, but you don't need full and complete trust that everybody is who they claim to be just to connect to the world.
>>>
>>> --
>>> --Rob Knop
>>> E-mail: [email protected]
>>> Home Page: http://www.pobox.com/~rknop/
>>> Blog: http://www.sonic.net/~rknop/blog/
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.9 (GNU/Linux)
>>>
>>> iD8DBQFLC+pcfEn1oMJSrdsRApVqAKCGz8o5gt7vEqvl3HJK07jftpLi5wCg56g+
>>> oq1mcfGvljoH5K0Y6X/WX9M=
>>> =bh/M
>>> -----END PGP SIGNATURE-----
_______________________________________________ Opensim-dev mailing list [email protected] https://lists.berlios.de/mailman/listinfo/opensim-dev
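The PKIX proposal quoted above says a region domain would interpret the subject name of a client certificate presented over HTTPS, and decide from it whether it trusts the agent domain behind the avatar (with "trust everyone" as an explicit alternative). The thread does not give the actual naming semantics, so the following is an added illustration, not VWRAP or OpenSim code. It assumes that TLS chain verification has already happened (as Python's `ssl` module does with `CERT_REQUIRED`), that the peer certificate is in the shape `ssl.SSLSocket.getpeercert()` returns, and a hypothetical convention in which the issuing CA's `organizationName` names the agent domain and the subject's `commonName` names the agent. The sample certificates, policy objects and domain names are constructed for the example.

```python
"""Region-domain trust decision over an already-verified client certificate.

Added example (not VWRAP/OpenSim code). Assumptions:
  * TLS has already verified the client's certificate chain against the
    region's trust store; this code only interprets the verified names.
  * The certificate is in ssl.SSLSocket.getpeercert() shape:
    {'subject': ((('commonName', 'x'),), ...), 'issuer': (...)}.
  * Hypothetical naming convention: issuer organizationName identifies the
    agent domain's CA, subject commonName identifies the agent.
"""
from dataclasses import dataclass
from typing import Optional


def rdn_to_dict(rdn_sequence):
    """Flatten a getpeercert()-style RDN sequence into {attribute: value}.

    Duplicate attributes keep the *first* value, so a second commonName
    appended to a subject cannot override the one the policy reads.
    """
    out = {}
    for rdn in rdn_sequence:
        for attr, value in rdn:
            out.setdefault(attr, value)
    return out


@dataclass(frozen=True)
class RegionPolicy:
    # organizationName values of agent-domain CAs this region trusts
    # (constructed convention: the CA's O= names the agent domain)
    trusted_agent_domains: frozenset
    # the "be explicit about the fact that they trust everyone" mode
    trust_everyone: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    agent_id: Optional[str] = None


def evaluate_rez_request(policy: RegionPolicy, peercert: Optional[dict]) -> Decision:
    """Decide whether the region rezzes the avatar behind this client cert."""
    if not peercert:
        # getpeercert() returns None/{} when no client certificate was sent
        if policy.trust_everyone:
            return Decision(True, "open region: no client certificate required")
        return Decision(False, "no client certificate presented")

    subject = rdn_to_dict(peercert.get("subject", ()))
    issuer = rdn_to_dict(peercert.get("issuer", ()))
    agent_name = subject.get("commonName")
    # Trust is anchored on the issuer, which the verified chain vouches for,
    # never on a self-asserted organizationName in the subject.
    agent_domain = issuer.get("organizationName")

    if agent_name is None:
        return Decision(False, "certificate subject has no commonName")
    agent_id = f"{agent_name}@{agent_domain}" if agent_domain else agent_name

    if policy.trust_everyone:
        return Decision(True, "open region: any verified certificate accepted", agent_id)
    if agent_domain in policy.trusted_agent_domains:
        return Decision(True, f"agent domain {agent_domain!r} is trusted", agent_id)
    return Decision(False, f"agent domain {agent_domain!r} is not trusted here", agent_id)


# Constructed samples mimicking getpeercert() output after a successful
# chain verification; these are not real certificates.
SAMPLE_CORP_CERT = {
    "subject": ((("commonName", "jane.doe"),),
                (("organizationName", "Example Corp Agent Domain"),)),
    "issuer": ((("commonName", "Example Corp Agent CA"),),
               (("organizationName", "Example Corp Agent Domain"),)),
}
SAMPLE_PUBLIC_CERT = {
    "subject": ((("commonName", "impalah"),),),
    "issuer": ((("organizationName", "Public Grid Agent Domain"),),),
}

# A "company business" region that only rezzes its own agent domain's users,
# and an open region that is explicit about trusting everyone.
CORP_REGION_POLICY = RegionPolicy(frozenset({"Example Corp Agent Domain"}))
OPEN_REGION_POLICY = RegionPolicy(frozenset(), trust_everyone=True)


if __name__ == "__main__":
    for label, policy in (("corp region", CORP_REGION_POLICY), ("open region", OPEN_REGION_POLICY)):
        for name, cert in (("corp cert", SAMPLE_CORP_CERT), ("public cert", SAMPLE_PUBLIC_CERT), ("no cert", None)):
            d = evaluate_rez_request(policy, cert)
            print(f"{label:11} {name:11} -> {'ALLOW' if d.allowed else 'DENY '} {d.reason} ({d.agent_id})")
```

The design point is where the decision is anchored: the only field the region may treat as authoritative is one the verified chain guarantees (the issuer), because subject attributes are whatever the issuing CA chose to put there. An OAuth deployment would replace the issuer check with a check that the agent domain holds a grant for this region, but the shape of the decision (deny by default, allow only on a positive, explicit trust relationship or an explicit open policy) stays the same.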
