User talk:Infinity Linden/OGP Trust Phase 0
Is there a page or something on how OGP uses / may use capabilities somewhere?
I notice the word "capability" or "cap" used casually in discussion and on some of these Wiki pages, but there are lots of different ways to use capabilities, and different people may be making different assumptions. Do we have a definition of capabilities and how we expect to use them in OGP written down somewhere? (Note that I'm not asking for a generic pointer to capability use; I'm asking how we're doing to be using them in OGP.) --Dale
hmm... lemme look and see if we have something written up already... --Infinity
Note: dropping the requirement for no wildcards in the cert SN
after discussion, it turns out that while "wild-cards in server certificate Subject Names are considered harmful," they are actually useful to some of our stakeholders. it's probably not the place of the protocol or even LL's interop guidelines to say you can or can't use them, but rather your own conscience should guide you in this regard. in other words.. you shouldn't not use wildcards in SN's cause i tell you not to, you should not use wild-cards in SN's cause it's the right thing to do. --infinity
Note: dropping the requirement for client side certificates
after discussion, it turns out that if sensitive resources on the region domain are provided exclusively via region host issued caps, we can assume that possession of the cap implies trust. ergo, we don't need to have agent hosts use client side certs.
I'm finding this rather confusing now; the old method was removed, but it wasn't replaced with anything. (Again I'm suspicious that caps are being used as magic dust here, and would like to see more details.) In particular, if the AD doesn't have a client certificate, how does it prove to the RD that it really *is* AD17, so that the RD will be willing to give it the cap in the first place? -- Dale Innis 12:27, 24 September 2008 (PDT)