Some thoughts on how to go about inventory security
These thoughts pertain to the problem of inventory security only, not to the other issue of potential property piracy after a sale.
The very first decision point is whether we want to continue to be compatible with Linden Lab's official viewer or whether we should start looking for alternative viewers that are more in sync with where OpenSim is going. Here's why.
Technically, the viewer plays a leading role in this story. Linden Lab's architecture has the viewer always contact the regions for inventory asset downloads. I'm not sure why they did this, but that's how things are. By doing this, there is implicitly a trust relation between the viewer and the region with respect to assets: the viewer requests the inventory assets to the region which, in turn, fetches them from the asset server and then sends them to the viewer; the user trusts that the region is not going to steal or delete or infect those inventory assets. This works well in closed systems like Linden Lab's, but it's terrible for open systems, where different regions are controlled by different people. We really can't trust the regions in general!
The obvious alternative to that is to have the viewer contact the inventory/asset server(s) directly for all operations related to inventory manipulation, without having the region in between. This would solve *all* the inventory security issues we face by abiding to LL's architecture. Granted, this is a radical architectural change, and I'm not even sure I can foresee all the consequences. It's just makes a lot of sense to me, intuitively. Regions should never be trusted with the users' confidential data, and the viewer should be a hub for interaction with lots of servers that the user needs to interact with. The region should stay out of it.
- This solution makes two unjustified assumptions. (1) All regions are on a grid with a separate asset server. (2) Grid assets servers are trustworthy. The first assumption ignores the proliferation of standalone sims with built-in asset servers, unconnected to any grid. That the metaverse will come more and more to resemble the anarchy of websites may disturb some. But that is what is happening, like it or not. The second assumption is also false, as demonstrated by Linden Labs. I, like many former SL users, was ripped off by Linden Lab's policy changes depriving me of paid-up (openspace) land and months of construction labor without even refunding my initial fee. Never again will I or others like me trust anyone else with the fruits of my labor. My assets will always remain in my possession on my own asset server. As the Scots put it, "Fool me once, shame on you, fool me twice...." Frank W Sweet 17:51, 3 February 2009 (UTC)
- It doesn't make any of the assumptions you mention. (1) Standalones are here to stay and in fact, are they the base case of OpenSim. (2) You should always be careful with whom you trust your data with. The question we're debating here is who has access to your inventory (standalone or grided) when you are out and about in other grids. If your answer is that you don't want to be out and about in other grids, then you have nothing to add to this discussion. If you do want to be out and about and access your standalone inventory then think about what architecture would make sense. The current one, with the regions proxying access, is the worst possible architecture. The right thing to do is to have your viewer access your inventory directly, wherever your inventory is (standalone service included, which is already working in the HG) Diva
Back to Reality
OK, so that probably won't happen any time soon, not in the official LL viewer, and not in all the other derivative viewers out there (anyone wants to prove me wrong? I would love that! :-). What's the next best thing?
- An extra flag in the item's Properties indicating that the item is to be shared with foreign regions. In this case the inventory server can selectively send the user's inventory to the foreign regions, sending only those item marked with that flag. This requires a small change in the viewer to add that extra flag and send out the corresponding bit in a message to the inventory server. However, we need to figure out a way to coerce the viewer to make that contact to the inventory server directly without going through the region, otherwise the region may just flip the bit; we're not sure how to do this.
- A coarse-grained selection via the concept of Suitcase (explained here). This is the simplest thing to do, it doesn't require any changes to the viewer.
Moving Away from Local vs. Foreign
I think this is making too many assumptions about "local" vs. "foreign". An inventory or asset server should be an independent concept from a simulator or grid of simulators. Requiring that I define one grid as my local grid if I go into the content storage/distribution business places a lot of burden on the Akamai's and AmazonS3's of the metaverse. If an inventory server is an independent service, every grid becomes foreign. Maybe my ACL looks like this:
RW: http://grid.uci.edu/users/diva RW: http://osgrid.org/users/* R: *
And a second level of checks would further restrict read access. Everyone can grab a texture if they know the UUID (in this particular config), but only the owner of a script can access it unless someone owns an inventory item giving them read access. Maybe someone is trying to setup a walled garden grid, and the ACL looks like this:
The only hurdle left is how to delegate trust so simulators can access the content they need without compromising identity or additional assets/inventory. One solution could be Google's recently released spec on combining OpenID+OAuth. OAuth was designed for exactly this purpose; to delegate limited trust to an automated service without having to give away your login credentials.
One big plus with this approach is that it should be feasible without rewriting the Linden Lab viewer. The LL viewer already makes heavy use of capabilities, which is just another way of using access tokens to talk to services. Inventory is supposed to be switched over to all CAPS in the near future (libOpenMetaverse and OpenSim devs are surely cringing) which means OAuth tokens could be mangled into CAPS URLs and handed to the client to make things work seamlessly.
In practice, the simulator never needs access to inventory (except in the current scenario where inventory is proxied through the simulator, which is going away soon). It does need access to some assets. An additional CAPS URL could be generated that is stored on the simulator side and handed around with HyperGrid teleports that allows limited access. In a tightly coupled grid approach, logging in to the user server alleviates the need to do a direct OpenID login to an asset server, which gives you the entire security model without the client ever understanding what OpenID or OAuth are. However, you can still use your third party tools to communicate directly with the inventory/asset server using OpenID (and optionally OAuth).
The downside is that this still requires some notion of tight coupling to make the backward compatible paths work (logging into the user server pings a local asset/inventory server to prevent the need for a second login). However, this is no different from today's setup and it provides a roadmap to completely decentralizing grid services.
- I like this vision of independent services in abstract, but I'm not sure it's realistic to think of OpenSim without the bundle UGAIM in the near future, for a number of reasons, the most important being this one: I'm having a hard time envisioning people choosing organization A as the storage service, but organization U for their identity. Could you explain more about the users' motivation to do that if they have the option of choosing all of those services in a bundle. Also the companies' motivation -- why would a company interested in storage miss out on grabbing users and their eyeballs Diva
- OK, I thought a little bit harder about this, and I can see a scenario where I would possibly want to access several inventory servers under one single identity. This: most of the time I use my UCI Grid identity, and I access my inventory stored in the UCI grid. However I also have my own personal standalone at home; I can imagine having more personal items in that OpenSim. It would be nice to be able to access my personal OpenSim inventory while I'm under the UCI Grid identity. In that case, using your examples, I would simply specify on my home inventory service: RW: http://grid.uci.edu/users/diva. Nice. This brings about a lot of questions, not just about the infrastructure but also about user interaction. I'm going to have to think a lot more about this. But I think that you and others who have been working on the distributed asset server idea need to explain a lot more about the motivation scenarios, to make it more accessible. Diva
My Vision for Asset/Inventory Servers
This is a really interesting subject that I think is really important to get it right to really enable the supply chain of content providers and content consumers to expand beyond what even Second Life is able to do. To me Second Life has lots of limitations in the management of content that makes it more expensive to develop, maintain and deliver which make developing content for people more expensive and difficult to get updates.
I break this problem down into four use cases. Content Creators, Content Distributors, Contents Consumers/Users, Content Viewers
1. Content Creators People that make content for sell. Things I believe content creators want.
A. Access to the asset server for their own assets to update them. If anyone has made content they know they will upload hundreds of copies of textures that they throw away. To me it would be better if I could just overwrite the old one. It would also save me time because all the places that use that texture would get updated. There may be some caching issues related to that but we have this on web pages now so I am sure it could be addressed.
B. Be able to update content without having to send out copies to everyone. In Second Life if I need to fix something and send out an update we have to go through sending tons of copies to everyone, which then they open. If just proliferates tones of copies. If I could fix something and then it is available to everyone with a cache refresh that would save tones of overhead for distributing updates. Also to me how will updates work on a multi-grid system, if I make an update how will people get to it, how will I send it to them if they aren't on my grid right now.
C. As a content creator I don't see how it will be possible to go around to hundreds of grids and setup stores and update stores. I will need to have one central location that I can license my content to avatars, to regions or to grids.
D. There are some content models that Second Life doesn't support. Like Dynamic textures. Each time we get a texture we can't assume that it is a disk file; it could be a URL to a web site that is making the texture on the fly. Also, people may want to buy a service from me that will make updates to the content every month like a picture viewer. If the content was a URL I could each month distribute new textures without the overhead of scripting totally controlled from my server. Or I could deliver different textures based on the time of the day. I could have changes in the look of my builds all controlled from a server. Someone goes to my website and selects a new look for their house as soon as their textures refresh their house would have a new look.
E. Textures or assets that are paid for monthly or some other time period and are only available while the service is being paid for. If I make textures I could sell based on a monthly fee to use any of my textures. If they decide to stop paying then I will be able to block their access to use them.
F. If I have my assets on my own server I would like to be able to assign the URL to the asset to the prim or avatar and not have to upload it into the grid asset server. I will also probably have to register in the grid something so that the region can serve that asset to people that come to the region to view it on my behalf.
2. Content Distributors A person that resells, distributes or host other people's content. XStreetSL could be this, but also Renderosity, RuntimeDNA some day and many new ones that will be coming like XRGrid.com. Also Avatar hosting services where you login to start your avatar and start running around on various grids.
A. I see content distributors very similar to content creators. I see these guys as avatar login providers or asset/inventory servers that content creators can use. If they are avatar servers then as I buy stuff and have it in inventory it will need to maintain copies of them and serve them as well as references to other asset servers and inventory servers that I have license use of content from.
B. Be able to sell or delivery content from other content providers. An example of this would be a mall. The purchase of the content may go through my region services but end need to either be deliveryed to the consumer by this point of contact or be delivery by a grid hosting the assets that are being purchased.
3. Content Consumers/Users These are people that have purchased content, or possibly developed their own and have implemented into a region or are wearing the content.
A. As a content consumer I will want to be able to view my inventory by source which may be in different grids. I will need to know what is licensed to use where.
B. I would like to be able to view a listing of my rezzed objects and on what sims they are in, possibly even update them without having to go around to all of these places to do it.
C. I will need a way to open the profile, or support site of the content that I have license to use that may be sourced on another grid or asset/inventory server provider even if they do not have an avatar account in my current grid.
A. As a content viewer I may want to get information on the source of the asset so I can go there and look at the assets to buy them. Talk to the creator even if they so not have an account in the grid I am looking at the content in.
So I know I am presenting more than I am solving but mostly trying to expand the vision of what asset/inventory servers can be. Technically I know there are lots of issues to doing this. To me SL will not progress their viewer fast enough so I believe that there needs to be a new viewer that will support these concepts and capabilities.
First time I have posted something on the site. Hope you guys find this interesting and helpful. --Ktweedy1 04:48, 4 February 2009 (UTC)
Ai Austin says:
Federated Virtual Worlds with Different Properties
The Hypergrid concept seems to be very well placed to allow for the wide range of types of topology, security management and asset exchange or mappings that will be needed in future for virtual worlds to be practically management and evolved.
It would be interesting to explore if the following could all be sported by the proposed architecture and mechanism:
- Ability to move between grids managed and served by separate communities (as now);
- Ability to limit regions open or closed to hypergrid travellers not authenticated directly on the visited grid (others preferably just seeing void space/water);
- Ability to go into Grid with different capabilities (e.g. concierge supported meeting zones optimized for larger groups/conferences, etc.);
- Ability to enter a RexServer (rich 3D mesh) supported region from a standard region;
- Ability to move between Linden Grid and such Hypergrids via an OGP portal perhaps.
Can I also suggest we try to adopt a community name and perhaps even visual representation for the object in-world which can act as a portal to move between grids... I suggest "Hypergate" and I am using an object that looks and is coloured like the portals used at UCI Gateways 3000 and Gateway 7000.
We are preparing our own Hypergrid accessible grid, but it does need more thought on how to mange the areas we want open and those we want to remain limited. The group management framework within Opensim needs to mature before we can set that up better, and prevent accidental (or deliberate) loss or messing up of builds.
A fresh blog comment on this subject: http://opensim.cybertechnews.org/?p=167
However, since i am not an developer (any more), i just want to bring in two aspects from the view of: - system architecture (bandwith and things like that) - maybe legal aspects - aspects of RL business
i guess wich system is touched by the asstes (e.g. region or not) is not a security question, as long as i can still "copybot" inworld stuff. that maybe reduced by things like modrex. however, as long as it is possible to grab assets there will be the discussion why to trust the asset server provider and so on.
so, if the caching in the region brings us improvement in terms of higher speed, lower bandwith needs, better compatibility to legacy SL i would like to have this advantages.
the assets itsself have to be protected. and if its not possible in the short run, i don´t mind but would not invest time in soulutions people can break quite easylie.
i highly appriciate the discussion we now have, because it shows the awareness and competence - what is the best point in security questions.
i like, however, the idea like the cable beach asset server, a seperated server. maybe we see specialiced providers running asset server in a trusted (IOS 2700x, ISO900x) datacenter in some time as we do with other services. so one could decide its own level of wanted security and services.
however, if something like rights management is only possible in the mid term - great. better take the time needed to investigate some frameworks.
Hypergrid allows two important elements that do not exist at the present time.
A viable shopping mall implemented via the V$ monetary system, available to all regardless of grid.
A performance oriented set of regions where grid asset servers and neighbor regions influence can be totally eliminated.
The grid storage presently for asset management favors a lots of data flowing in every direction for the viewability of a wandering Avatar, The associated lag is very difficult to balance but a HG enabled 'cloud' can better suit heavy loaded situations such as a mall or a sailing regatta.
So to me, Opensim should never consider elimination of instance asset storage and HG should be promoted.
A Different Use Case: Organic Hypergrid Growth Based on Business and Individuals
Another potential use of hypergrid-enabled grids is that of the hyperlink-enabled Website -- to allow businesses, organizations, and individuals to set up sites that others can visit.
At first -- just as on the early Internet -- visitors will be limited to invited guests because they have the address of the grid, or instructed on how to arrive on the company's Website. Then some of the more interesting destinations will be written up in blogs or magazines, or listed in directories, or have hypergates pointing to them on other grids.
Directories are important during this early stage because there are too few sites for search engines to work yet -- and few enough to organize in a directory.
Finally, we'll see the rise of search engines that index sites by tracking inbound links -- either from the Web itself, or from other grids. It may also be possible to track traffic through browser-plugins or other tools that travelers would bring with them as they traverse the hypergrid.
Before any of this happens, though, we'll need to fix the 4096-teleportation bug -- it does more to hurt hypergridding than anything else out there, even though it's actually a hypergrid problem.