[Opensim-dev] Proposal for using OpenID in OpenSim

Michael Wright michaelwri22 at yahoo.co.uk
Fri Mar 28 11:07:03 UTC 2008 

correction:
"So yes OpenID should be a option, but to me it should be that...a option and the only authentication system. " should have been:

"So yes OpenID should be a option, but to me it should be that...a option and not the only authentication system." 

Michael Wright <michaelwri22 at yahoo.co.uk> wrote: Authentication is already quite modular , but in time hopefully it will be even more so. Its quite easy to write new login services that use the login and authentication method of your choice. We (TribalMedia) do this all the time for various different applications.

And yes opensim should always support walled 3d appplications. Its not about trying to create one single metaverse that all use the same databases/methods/whatever. It is about creating a platform that can be used for lots of different things. The idea of a single shared metaverse is one application, but separate 3d applications are just as important (and my main focus).

So yes OpenID should be a option, but to me it should be that...a option and the only authentication system. 

There is never going to (or at least should never)  be one "distribution" of opensim that mights all needs. We have tried to make opensim modular, so we should use that. And not try to add thousands of flags to  the ini file, but instead have the core and then the modules. With a ini file (or whatever) defining what modules are to be used. Different distributions of opensim could come with different modules and a default ini file that loads those modules. So we could have a OpenID based distribution that includes the relevant modules. 

Ryan McDougall <ryan at 3di.jp> wrote: 
On Thu, 2008-03-27 at 23:01 -0400, The Burnman wrote:
> My concern, much like what Melanie stated, is that I do not want to be
> forced to use a 3rd party service to use OpenSim.  If OpenID is not an
> optional module, I will drop OpenSim from my toolset and move on to
> something else.

Well, this is open source, so in a very strict manner of speaking, _all_
modules are optional, so it kinda like asking if you can have your
hamburger  without a side of ice water.

As for being _easily_ configurable to run without OpenID, I'm sure that
just a matter of:

// in OpenSim.ini
flag = false

// in UserServer.cs
if (flag)
  do_fancy_open_id_junk();
else
  ask_for_a_ridiculously_simple_name_and_password();

So I don't think its remotely clear that anyone would be _forced_ to use
3rd party stuff.

> Aside from the idea of being forced to use 3rd party services, two
> concerns I have about using OpenID are:
> 
> 1) Data security and integrity - With no control over authentication
> or storage of related data, what's to say data won't be stolen or
> corrupted, thus causing my clients/users distress and thus causing me
> a nightmare?

Many issues here:

1. OpenID is a method of authentication, and optionally passing identity
preferences. It can enable portability, but in no stretch of the
imagination  _requires_ it.

2. Anyone who can read your data can copy or modify it. There is no such
thing as "data security" (ie DRM) in practice. If you don't want anyone
to read your assets, don't put them on a publicly accessible server.
Simple as that.

3. If your concern is integrity or authorization There are things such
things as trust networks, digital signing, and whatnot, but thats not
what OpenID is about and is a related but separate discussion.

> 2) Service perpetuality (I might have made that word up) - What
> guarantees OpenID will remain in business in a year, considering how
> volatile the Internet business world is?  How much downtime do I have
> to deal with because of maintenance or hardware failure?

What guarantees _any_ website will remain up in a year? 

OpenID isn't a business, its a protocol with some implementations.
OpenID disappearing is about as likely as HTTP or Apache  disappearing.

> In fact, I don't know why people think OpenID is a good idea at all.
> The whole concept is based on trusting a 3rd party to remain up 100%
> of the time, completely secure, and functioning efficiently.  Using
> OpenID takes any control of those variables out of my hands, and if
> they have an issue, my service is offline.

If you don't trust a 3rd party, you're able to run your own OpenID
server with your own rules. That one will only ever go down if you die
or the internet quits working. That's the Open part.

> Sure, it allows some level of interoperability, but I don't consider
> it worth the risk for my projects.  Just do a Google search for
> "OpenID security" (or similar search parameters) and read about the
> concerns a lot of people have about OpenID.

I'm sure OpenID isn't a panacea, but as has been said repeatedly, no one
is suggesting it be required for all people  using OpenSim.

Cheers,

> On Thu, Mar 27, 2008 at 9:33 PM, Ryan McDougall  wrote:
>         My understanding is that, like OpenID is currently used on the
>         web,
>         which is you could use OpenID if you have one, or the
>         old-fashion type
>         if you don't.
>         
>         However, with OpenID > 1.0, it is possible to add attributes,
>         so OpenID
>         in OpenSim is a means of avatar portability, since one of the
>         attributes
>         would be a URL to where your avatar can be found.
>         
>         That can't be done the old fashioned way.
>         
>         What specifically is your concern about OpenID?
>         
>         Cheers,
>         
>         On Wed, 2008-03-26 at 23:57 -0400, The Burnman wrote:
>         > And I take it we are still on the "optional  module" page in
>         reference
>         > to OpenID, yes?
>         
>         > _______________________________________________
>         > Opensim-dev mailing list
>         > Opensim-dev at lists.berlios.de
>         > https://lists.berlios.de/mailman/listinfo/opensim-dev
>         --
>         Software Engineer
>         http://www.3di.jp
>         
>         The opinions expressed herein represent those of the
>         individual, and do
>         not constitute company policy unless expressly stated.
>         
>         _______________________________________________
>         Opensim-dev mailing list
>         Opensim-dev at lists.berlios.de
>         https://lists.berlios.de/mailman/listinfo/opensim-dev
> 
> _______________________________________________
> Opensim-dev mailing list
>  Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
-- 
Software Engineer
http://www.3di.jp

The opinions expressed herein represent those of the individual, and do
not constitute company policy unless expressly stated.

_______________________________________________
Opensim-dev mailing list
Opensim-dev at lists.berlios.de
https://lists.berlios.de/mailman/listinfo/opensim-dev

        

---------------------------------
 Sent from Yahoo! Mail. 
 A Smarter Inbox._______________________________________________
Opensim-dev mailing list
Opensim-dev at lists.berlios.de
https://lists.berlios.de/mailman/listinfo/opensim-dev


       
---------------------------------
Sent from Yahoo! Mail.
More Ways to Keep in Touch.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://opensimulator.org/pipermail/opensim-dev/attachments/20080328/a6d26bbd/attachment-0001.html>

More information about the Opensim-dev mailing list