[Opensim-dev] Proposal for using OpenID in OpenSim

Ryan McDougall ryan at 3di.jp
Fri Mar 28 07:42:21 UTC 2008 

On Thu, 2008-03-27 at 23:01 -0400, The Burnman wrote:
> My concern, much like what Melanie stated, is that I do not want to be
> forced to use a 3rd party service to use OpenSim.  If OpenID is not an
> optional module, I will drop OpenSim from my toolset and move on to
> something else.

Well, this is open source, so in a very strict manner of speaking, _all_
modules are optional, so it kinda like asking if you can have your
hamburger without a side of ice water.

As for being _easily_ configurable to run without OpenID, I'm sure that
just a matter of:

// in OpenSim.ini
flag = false

// in UserServer.cs
if (flag)
  do_fancy_open_id_junk();
else
  ask_for_a_ridiculously_simple_name_and_password();

So I don't think its remotely clear that anyone would be _forced_ to use
3rd party stuff.

> Aside from the idea of being forced to use 3rd party services, two
> concerns I have about using OpenID are:
> 
> 1) Data security and integrity - With no control over authentication
> or storage of related data, what's to say data won't be stolen or
> corrupted, thus causing my clients/users distress and thus causing me
> a nightmare?

Many issues here:

1. OpenID is a method of authentication, and optionally passing identity
preferences. It can enable portability, but in no stretch of the
imagination _requires_ it.

2. Anyone who can read your data can copy or modify it. There is no such
thing as "data security" (ie DRM) in practice. If you don't want anyone
to read your assets, don't put them on a publicly accessible server.
Simple as that.

3. If your concern is integrity or authorization There are things such
things as trust networks, digital signing, and whatnot, but thats not
what OpenID is about and is a related but separate discussion.

> 2) Service perpetuality (I might have made that word up) - What
> guarantees OpenID will remain in business in a year, considering how
> volatile the Internet business world is?  How much downtime do I have
> to deal with because of maintenance or hardware failure?

What guarantees _any_ website will remain up in a year? 

OpenID isn't a business, its a protocol with some implementations.
OpenID disappearing is about as likely as HTTP or Apache disappearing.

> In fact, I don't know why people think OpenID is a good idea at all.
> The whole concept is based on trusting a 3rd party to remain up 100%
> of the time, completely secure, and functioning efficiently.  Using
> OpenID takes any control of those variables out of my hands, and if
> they have an issue, my service is offline.

If you don't trust a 3rd party, you're able to run your own OpenID
server with your own rules. That one will only ever go down if you die
or the internet quits working. That's the Open part.

> Sure, it allows some level of interoperability, but I don't consider
> it worth the risk for my projects.  Just do a Google search for
> "OpenID security" (or similar search parameters) and read about the
> concerns a lot of people have about OpenID.

I'm sure OpenID isn't a panacea, but as has been said repeatedly, no one
is suggesting it be required for all people using OpenSim.

Cheers,

> On Thu, Mar 27, 2008 at 9:33 PM, Ryan McDougall <ryan at 3di.jp> wrote:
>         My understanding is that, like OpenID is currently used on the
>         web,
>         which is you could use OpenID if you have one, or the
>         old-fashion type
>         if you don't.
>         
>         However, with OpenID > 1.0, it is possible to add attributes,
>         so OpenID
>         in OpenSim is a means of avatar portability, since one of the
>         attributes
>         would be a URL to where your avatar can be found.
>         
>         That can't be done the old fashioned way.
>         
>         What specifically is your concern about OpenID?
>         
>         Cheers,
>         
>         On Wed, 2008-03-26 at 23:57 -0400, The Burnman wrote:
>         > And I take it we are still on the "optional module" page in
>         reference
>         > to OpenID, yes?
>         
>         > _______________________________________________
>         > Opensim-dev mailing list
>         > Opensim-dev at lists.berlios.de
>         > https://lists.berlios.de/mailman/listinfo/opensim-dev
>         --
>         Software Engineer
>         http://www.3di.jp
>         
>         The opinions expressed herein represent those of the
>         individual, and do
>         not constitute company policy unless expressly stated.
>         
>         _______________________________________________
>         Opensim-dev mailing list
>         Opensim-dev at lists.berlios.de
>         https://lists.berlios.de/mailman/listinfo/opensim-dev
> 
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
-- 
Software Engineer
http://www.3di.jp

The opinions expressed herein represent those of the individual, and do
not constitute company policy unless expressly stated.

More information about the Opensim-dev mailing list