[Opensim-dev] Authentication and oAuth

Ralf Haifisch ralf at ralf-haifisch.biz
Sun Mar 1 20:59:02 UTC 2009


Heho,

To me (speed reading these old docs, which I found quite interesting for
historical reasons) it seems that the concept is resulting in claim-based
and role-based (information right) systems nowadays.

However, ACLs are becoming legacy in the next years; even modern standards
for auditing firms (at least Cobit and the 2008 European rules) are
requesting governance over systems and information. So, not using ACLs for
access to information, this concept is true for the future. ACLs make the
administrator the god, even if he should not have any access, as covered
in the pdf.

Information ownership must be delegated only based on roles (what am I able
to do with it) and claims (which information from the whole dataset). It must
be revocable, as outlined in the pdf.


Cheers,
Ralf

------------------------------

Message: 2
Date: Sun, 01 Mar 2009 10:27:14 -0800
From: Diva Canto <diva at metaverseink.com>
Subject: Re: [Opensim-dev] Authentication and oAuth
To: opensim-dev at lists.berlios.de
Message-ID: <49AAD382.9090603 at metaverseink.com>
Content-Type: text/plain; charset="iso-8859-1"

Just to keep the record straight, the Capabilities concept is about 50 
years old. It was devised at about the same time as ACLs. For a number 
of reasons, ACLs have dominated the field. See here for a nice 
historical perspective: 
http://www.nabble.com/On-the-Spread-of-the-Capability-Approach-to5608409.html

Tommi Laukkanen wrote:
> Hi Diva
>  
> Thanks for the analysis. I have to admit I have only quickly scanned 
> the oAuth spec. They advertise that it works for desktop applications 
> so I assume it should not necessarily be too complex for the end 
> user and not too hard to implement either. Someone would need to 
> study / poc it or get a statement from the oAuth team. If the viewer 
> acts as users and regions are consumers it could be that it can be 
> nicely automated and hidden from the user. This would allow us to use 
> all those identity providers who have adopted oAuth. Personally I 
> think identity management, authentication and authorisation are so 
> well known fields that it would be odd if we had to invent it from 
> scratch. That said, we should not try to bend a standard to something 
> which it is not suitable for.
>  
> In the end it is important to realise that this is not just about 
> virtual worlds but all identity management in the net. No user wants 
> to upkeep separate credentials just for virtual worlds. Besides web 
> and vws will become more and more entangled in the long run. If we 
> want to have a system which will fly in the near future we should 
> stick our identity eggs in the same basket with the rest of the internet 
> crowd.
>  
> regards,
> Tommi
> ------------------------------------------------------------------------