Difference between revisions of "User:Infinity Linden/OGP Trust Model"
Revision as of 15:12, 11 August 2008
Computers should do exactly what you tell them, and no more. John Steven (noted internet security expert)
Introduction
Security Objectives
secret things stay secret (confidentiality)
you should know who you're talking to (origin integrity)
you should be able to spot message tampering (message integrity)
accessing the grid shouldn't make your system or network unduly vulnerable (system integrity)
you should be able to spot atypical events in the logs (adjudicated forensic evidence)
the permission system should be suitably expressive (expressive permissions)
Stakeholders and their Interests
End User
This is the traditional user of the system. They may be a casual user of Second Life or a corporate user who has come to the grid to collaborate on "work" projects. In either case, their interests include:
- credential integrity - "bad guys" shouldn't be able to steal their online identity
- inventory integrity - the system should protect against inventory theft, loss, or usability problems
- specie integrity - the system should protect against loss of Linden Dollars
Content Creator
These are users who derive an income stream from Second Life. In addition to the interests of traditional End Users, Content Creators also have these interests:
- content integrity - content creators want to know that content they create cannot be illicitly duplicated, lost or stolen
Corporate IT and ISP Operations
These are the people who maintain the networks connecting the client's machine to the grid; in the case of corporate IT operations, they likely manage the user's systems as well.
- network security - no system component (client software, agent domain software, region domain software, third party web service) should decrease the general availability, reliability or security of the network
- peer system security - no system component (client software, agent domain software, region domain software, third party web service) should increase the risk of successful attack versus other systems in the network on which they operate
Client Software
This is the actual software running on the client machine; usually a viewer, but could be a web application using standard published APIs into the Agent or Region domains.
- system security - use of the Second Life viewer or other client software should not place the user's system at greater risk of successful attack
- flexible peer authentication - the system should be flexible enough to support multiple legacy peer authentication schemes
Agent Domain Administrator or Region Domain Administrator
This is the organization that operates an agent and/or region domain.
- peer authentication - the system should support strong authentication techniques to ensure the identity of peer systems
- flexible agent authentication - the system should be flexible enough to support domain-specific user authentication
- forward security - for the purpose of third party system interoperability, the system should provide authentication tokens usable ONLY for the explicit purpose described
Agent Domain Software / Systems or Region Domain Software / Systems
This is the software that implements agent and/or region domain services.
- flexible peer authentication - the system should be flexible enough to support multiple legacy peer authentication schemes
Third Party Web Service Operators
These are systems operated by third parties for the benefit of Second Life users, Agent or Region Domain operators.
- limitation of sensitive data - the system should not REQUIRE third parties to handle sensitive information
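The "forward security" interest of domain administrators (tokens usable only for the explicit purpose described) and the "limitation of sensitive data" interest of third party operators point at the same mechanism: a purpose-bound token. The following is an added example, not part of the OGP design or of this page: a hypothetical agent domain issues an HMAC-signed token that names the receiving service and the single purpose it may be used for, and the receiving service refuses it for any other audience, purpose or time. Key handling, claim names, service names and the agent id are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

# Hypothetical agent-domain signing key; a real deployment would load it from a secret store.
AGENT_DOMAIN_KEY = secrets.token_bytes(32)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(agent_id, audience, purpose, ttl_seconds, key=AGENT_DOMAIN_KEY, now=None):
    """Issue a token bound to one receiving service (audience) and one explicit
    purpose, with a short lifetime. It carries no password or session secret,
    so the third party never has to handle the user's real credentials."""
    now = time.time() if now is None else now
    claims = {"agent": agent_id, "aud": audience, "purpose": purpose,
              "exp": int(now + ttl_seconds)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return b64url(body) + "." + b64url(tag)

def verify_token(token, expected_audience, expected_purpose, key=AGENT_DOMAIN_KEY, now=None):
    """Return the agent id if the token is valid for exactly this audience and
    purpose; otherwise None. A well-signed token for another purpose is refused."""
    now = time.time() if now is None else now
    try:
        body_text, tag_text = token.split(".")
        body, tag = unb64url(body_text), unb64url(tag_text)
    except ValueError:
        return None
    # Verify the MAC in constant time before trusting any claim in the body.
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    claims = json.loads(body)
    if claims["exp"] < now:
        return None
    # Purpose binding: audience and purpose must match what this service is doing.
    if claims["aud"] != expected_audience or claims["purpose"] != expected_purpose:
        return None
    return claims["agent"]

if __name__ == "__main__":
    # Constructed demo: a profile-read token must not work for inventory writes.
    tok = issue_token("agent-1234", "profile-service.example", "profile:read", 300)
    print(verify_token(tok, "profile-service.example", "profile:read"))     # agent-1234
    print(verify_token(tok, "profile-service.example", "inventory:write"))  # None
```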