Difference between revisions of "User:Infinity Linden/OGP Trust Model"

From Second Life Wiki
Jump to navigation Jump to search
Line 1: Line 1:
{{Quote|Computers should do exactly what you tell them, and no more.|John Steven (noted internet security expert)}}
=Introduction=
=Introduction=


=Security Objectives=
=Security Objectives=
==secret things stay secret (confidentiality)==
==you should know who you're talking to (origin integrity)==
==you should be able to spot message tampering (message integrity)==
==accessing the grid shouldn't make your system or network unduely vulnerable (system integrity)==
==you should be able to spot atypical events in the logs (adjudicated forensic evidence)==
==the permission system should be suitably expressive (expressive permissions)==


=Stakeholders and their Interests=
=Stakeholders and their Interests=


; End User : This is the traditional user of the system. They may be a casual user of Second Life or a corporate user, come to the grid to collaborate on "work" projects. In either case, their interests include:
== End User==
 
This is the traditional user of the system. They may be a casual user of Second Life or a corporate user, come to the grid to collaborate on "work" projects. In either case, their interests include:
 
* '''credential integrity''' - "bad guys" shouldn't be able to steal their online identity
* '''credential integrity''' - "bad guys" shouldn't be able to steal their online identity
* '''inventory integrity''' - the system should protect against inventory theft, loss, or usability problems
* '''inventory integrity''' - the system should protect against inventory theft, loss, or usability problems
* '''specie integrity''' - the system should protect against loss of Linden Dollars
* '''specie integrity''' - the system should protect against loss of Linden Dollars
* '''system security''' - use of the Second Life viewer should not place the user's system at greater risk to successful attack


; Content Creator : These are users who derive an income stream from Second Life. In addition to interests of traditional End Users, Content Creators also have these interests:
== Content Creator==
 
These are users who derive an income stream from Second Life. In addition to interests of traditional End Users, Content Creators also have these interests:
 
* '''content integrity''' - content creators want to know that content they create cannot be illicitly duplicated, lost or stolen
* '''content integrity''' - content creators want to know that content they create cannot be illicitly duplicated, lost or stolen


; Corporate IT and ISP Operations : These are the people who maintain networks connecting the client's machine to the network, and in the case of corporate IT operations. they likely manage the user's systems as well.
==Corporate IT and ISP Operations==
 
These are the people who maintain networks connecting the client's machine to the network, and in the case of corporate IT operations. they likely manage the user's systems as well.
 
* '''network security'' - no system component (client software, agent domain software, region domain software, third party web service) should decrease the general availability, reliability or security of the network
* '''network security'' - no system component (client software, agent domain software, region domain software, third party web service) should decrease the general availability, reliability or security of the network
* '''peer system security''' - no system component (client software, agent domain software, region domain software, third party web service) should increase the risk of successful attack
* '''peer system security''' - no system component (client software, agent domain software, region domain software, third party web service) should increase the risk of successful attack versus other systems in the network on which they operate
 
==Client Software==
 
This is the actual software running on the client machine; usually a viewer, but could be a web application using standard published APIs into the Agent or Region domains.
 
* '''system security''' - use of the Second Life viewer or other client software should not place the user's system at greater risk of successful attack
* '''flexible peer authentication''' - the system ''should'' be flexible enough to support multiple legacy peer authentication schemes
 
==Agent Domain Administrator or Region Domain Administrator==
 
This is the organization that operates an agent and/or region domain.
 
* '''peer authentication''' - the system should support strong authentication techniques to ensure the identity of peer systems
* '''flexible agent authentication''' - the system ''should'' be flexible enough to support domain-specific user authentication
* '''forward security''' - for the purpose of third party the system interoperability, the system '''should''' provide authentication tokens usable ONLY for the explicit purpose described
 
==Agent Domain Software / Systems or Region Domain Software / Systems==
 
This is the software that implements agent and/or region domain services.
 
* '''flexible peer authentication''' - the system ''should'' be flexible enough to support multiple legacy peer authentication schemes


; Client Software :
==Third Party Web Service Operators==


; Agent Domain Administrator :
These are systems operated by third parties for the benefit of Second Life users, Agent or Region Domain operators.


; Agent Domain Software / Systems :
* '''limitation of sensitive data''' - the system should not REQUIRE third parties to handle sensitive information


; Region Domain Administrator :
=Trust "Layers"=


; Region Domain Software / Systems :
==System Layer==


; Third Party Web Service Operators :
==Network Layer==


# Client
==Application Layer==
# Agent Domain
# Region Domain
# Region Host


# Second Life User - let me use my object; don't take or copy my object without my permission; don't cause me to break my promises ; don't lose or delete my object; let me examine and modify my object
==Political Layer==
# Content Creator - preserve my restrictions; let me be paid for content; let me give content away ; let my content propagate widely (or don't) ; tag my objects with a universal and comprehensible ID linked to the real me; let me have some idea how many of my creations exist out there in the world;
# Agent Domain Operator - don't break asset perms; don't spoof me; don't access somebody else's inventory ; don't store unlawful stuff in me
# Region Domain Operator

Revision as of 15:12, 11 August 2008

Computers should do exactly what you tell them, and no more.
John Steven (noted internet security expert)

Introduction

Security Objectives

secret things stay secret (confidentiality)

you should know who you're talking to (origin integrity)

you should be able to spot message tampering (message integrity)

accessing the grid shouldn't make your system or network unduely vulnerable (system integrity)

you should be able to spot atypical events in the logs (adjudicated forensic evidence)

the permission system should be suitably expressive (expressive permissions)

Stakeholders and their Interests

End User

This is the traditional user of the system. They may be a casual user of Second Life or a corporate user, come to the grid to collaborate on "work" projects. In either case, their interests include:

  • credential integrity - "bad guys" shouldn't be able to steal their online identity
  • inventory integrity - the system should protect against inventory theft, loss, or usability problems
  • specie integrity - the system should protect against loss of Linden Dollars

Content Creator

These are users who derive an income stream from Second Life. In addition to interests of traditional End Users, Content Creators also have these interests:

  • content integrity - content creators want to know that content they create cannot be illicitly duplicated, lost or stolen

Corporate IT and ISP Operations

These are the people who maintain networks connecting the client's machine to the network, and in the case of corporate IT operations. they likely manage the user's systems as well.

  • 'network security - no system component (client software, agent domain software, region domain software, third party web service) should decrease the general availability, reliability or security of the network
  • peer system security - no system component (client software, agent domain software, region domain software, third party web service) should increase the risk of successful attack versus other systems in the network on which they operate

Client Software

This is the actual software running on the client machine; usually a viewer, but could be a web application using standard published APIs into the Agent or Region domains.

  • system security - use of the Second Life viewer or other client software should not place the user's system at greater risk of successful attack
  • flexible peer authentication - the system should be flexible enough to support multiple legacy peer authentication schemes

Agent Domain Administrator or Region Domain Administrator

This is the organization that operates an agent and/or region domain.

  • peer authentication - the system should support strong authentication techniques to ensure the identity of peer systems
  • flexible agent authentication - the system should be flexible enough to support domain-specific user authentication
  • forward security - for the purpose of third party the system interoperability, the system should provide authentication tokens usable ONLY for the explicit purpose described

Agent Domain Software / Systems or Region Domain Software / Systems

This is the software that implements agent and/or region domain services.

  • flexible peer authentication - the system should be flexible enough to support multiple legacy peer authentication schemes

Third Party Web Service Operators

These are systems operated by third parties for the benefit of Second Life users, Agent or Region Domain operators.

  • limitation of sensitive data - the system should not REQUIRE third parties to handle sensitive information

Trust "Layers"

System Layer

Network Layer

Application Layer

Political Layer

Retrieved from "https://wiki.secondlife.com/w/index.php?title=User:Infinity_Linden/OGP_Trust_Model&oldid=85253"