AW Groupies/Chat Logs/AWGroupies-2008-08-05

  • [9:31] Saijanai Kuhn: hey all
  • [9:31] Pixel Gausman: hi guys
  • [9:32] Pixel Gausman: i liked this SL thing a lot more before it meant more meetings. :-)
  • [9:32] Dahlia Trimble: lol
  • [9:33] Bartholomew Kleiber: Hi all
  • [9:33] Zha Ewry: looks around for squirrels
  • [9:33] Angelo Biondi: hello
  • [9:33] Zha Ewry: Hello, everyone
  • [9:33] Dahlia Trimble: nibbles on a seed
  • [9:34] Pixel Gausman: looks squirrley and plots an attack on a birdfeeder
  • [9:34] Zha Ewry: takes a note to speak to the gardeners about weeds
  • [9:36] Zha Ewry: So... I think, several of the people I see here have actually spun up patched regions and run them, yes?
  • [9:36] Bartholomew Kleiber: yup
  • [9:36] Dahlia Trimble: yep
  • [9:36] Dahlia Trimble: flying squirrels?
  • [9:36] Zha Ewry: Not sure if I should be horrified, or happy, that it mostly seems to work
  • [9:37] Pixel Gausman: 5756 seems to be getting a warm reception in #gridnauts...once people change defaults.xml to use their dotted ip addr instead of hostname
  • [9:37] Zha Ewry: I'm currently looking at two major, and one minor issue
  • [9:37] Zha Ewry: The major, major, is the ghosting
  • [9:38] Movies1963 Beck: if we were in China now that dog that just barked might've been our lunch
  • [9:38] Zha Ewry: We're failing to clear state fully on logout, and I'm looking at that
  • [9:38] Zha Ewry: The second, less serious, but annoying, is the "banned" message we sometimes trigger
  • [9:39] Dahlia Trimble: you mean ban lines?
  • [9:39] Zha Ewry: And.. everyone should be aware that, for *some* cases, using the numeric form of your host is necessary. (That's intermittent)
  • [9:39] Zha Ewry: The "You are not permitted to this destination" but if you clear the message you TP anyway
  • [9:39] Pixel Gausman: Zha: is ghosting a core OpenSim issue that is being shown by OGP?
  • [9:40] Zha Ewry: I can't decide
  • [9:40] Pixel Gausman: me either
  • [9:40] Zha Ewry: There has been some ghosting on openSim TP
  • [9:40] Pixel Gausman: seems awfully possible
  • [9:40] Zha Ewry: We don't TP tho, we "logout"
  • [9:40] Dahlia Trimble: I haven't seen that kind of ghosting in other opensim applications
  • [9:40] Pixel Gausman: might be the same bug being poked from a different angle
  • [9:41] Zha Ewry: The obvious interesting hint is that the final logout (quit) of the sim finds the logged in agents
  • [9:41] Pixel Gausman: anyway, might be good to collab with the OpenSim core devs on that one to see if you can poke it together
  • [9:41] Dahlia Trimble: if it could be repro'd without interop
  • [9:41] JB Kraft: fwiw, i have seen ghosting enough in opensim to think it as a real bug
  • [9:42] Pixel Gausman: JB: yeah, it's been showing up more recently in OpenSim trunk
  • [9:42] Dahlia Trimble: JB can you repro it?
  • [9:42] JB Kraft: no, that's the trouble, i can't find something to cause it
  • [9:43] Zha Ewry: What's odd, is that you see what looks like complete logout processing
  • [9:43] Pixel Gausman: i do know there has been some pondering on the ghosting by OpenSim devs recently
  • [9:43] Zha Ewry: So.. that's the patch
  • [9:44] Dahlia Trimble: there is a different kind of ghosting that is a bug
  • [9:44] Dahlia Trimble: totally different
  • [9:44] Zha Ewry: I think so too.
  • [9:44] Pixel Gausman: "totally"? perhaps related.
  • [9:44] JB Kraft: where you appear on multiple regions?
  • [9:44] Dahlia Trimble: it's not a logout issue
  • [9:44] Zha Ewry: This, to me feels like "We haven't closed the scene presence properly"
  • [9:44] BlueWall Slade: the region renders child avatars
  • [9:44] Dahlia Trimble: when you appear in the center of a neighboring sim
  • [9:45] Zha Ewry: This, isn't that, I don't think.
  • [9:45] Zha Ewry: So.. that's the patch. On other topics
  • [9:46] Zha Ewry: I'm going to do something really freaky, starting this weekend. Called Vacation.
  • [9:46] JB Kraft: explain pls ;)
  • [9:46] Dahlia Trimble: lol
  • [9:46] Zha Ewry: I'll be largely off grid for about three weeks
  • [9:46] Bartholomew Kleiber: what a concept ...
  • [9:46] Zha Ewry: Will have the laptop in tow, but not making any promises
  • [9:46] Twa Hinkle: what region are you going for vacation?
  • [9:46] Zha Ewry: Dr. Scofield, in SL (who you've seen on openSim dev, most likely)
  • [9:47] Pixel Gausman: gets jealous
  • [9:47] Zha Ewry: will be kindly keeping an eye on things while I'm away
  • [9:47] Dahlia Trimble: is Dr up to speed on the patch?
  • [9:47] Zha Ewry: In particular, expect to see the patch kept in sync with trunk several times a week, and anything heart stopping looked at
  • [9:47] Zha Ewry: I'm expecting Dr to be by the time I head out
  • [9:47] Zha Ewry: I'll also be posting my notes on the basic code
  • [9:47] Pixel Gausman: Zha: maybe some notes on the patch before you go MIA?
  • [9:48] Pixel Gausman: oh, nice
  • [9:48] Zha Ewry: Its mostly in three spots, I'll enumerate those, and we'll have them on forge
  • [9:48] Zha Ewry: I'll be in Europe, so, 9 hours off sync from SLT
  • [9:49] Zha Ewry: The most reliable way to get my attention will be to my gmail account
  • [9:49] Zha Ewry: (zha. ewry@gmail.com, it's on my profile)
  • [9:49] Zha Ewry: While I'm off hopefully recharging the mental batteries.. I have a think/write challenge for people
  • [9:50] Zha Ewry: I've been blithely, asserting, we can do basic proof that Component X, is part of Region Y, and can be trusted, using certificates, in an SSH or PKIish fashion
  • [9:51] Zha Ewry: where the basic assertion is we can issue Region Domain "D" a cert "CertD" which it can use to prove to other partners, that it is Region Domain D, and that Box "Box1" can handshake as well
  • [9:51] Tao Takashi: Hi cloudy people
  • [9:53] Zha Ewry: Soo.. what I'd love to see
  • [9:53] Zha Ewry: is a walk through
  • [9:54] Pixel Gausman: give an example of "Component X"?
  • [9:54] Zha Ewry: "Service provider Lumpy Labs, issues a Cert, with the following properties to Grid Hoster MurkyBusinessModelVW Hosting, MBVWH signs requests.."
  • [9:55] Tao Takashi: yeah, I would like to write down some scenario using XRDS and OAuth to connect services
  • [9:55] Tao Takashi: given that I have some time :)
  • [9:55] Zha Ewry: So.. I'm going to argue the overall design pattern is "Domains" are the basis of trust, "Agent Domain, Region Domain, Service Domain" for example
  • [9:55] Zha Ewry: Where you give a domain a Cert to use as the anchor of the process
  • [9:56] Latha Serevi:  :-) murkyBusinessModel
  • [9:56] Zha Ewry: (You have a not for public consumption protocol between the Region Domain and the members, which lets them get handed temp certs to prove they are part of the Domain
  • [9:57] Zha Ewry: So.... when you want to find out if software component X, (say an asset store on a region) is part of MBMVWH, it says "I am, and gets a tag from the domain, which it can use, short term to prove it is)
  • [9:57] Tao Takashi: would like a model where there actually aren't "big" domains but more individual services which are easy to replace
  • [9:57] Tao Takashi: like where the development of the web is going
  • [9:57] Zha Ewry: That's exactly what this is Tao
  • [9:57] Zha Ewry: The trust is vested in the collection
  • [9:57] Zha Ewry: because you don't want to try to manage every component in the picture
  • [9:58] Zha Ewry: You group them, into a domain, which says "all my members are known only to me, you can ask me about them"
  • [9:59] Pixel Gausman: ponders performance
  • [9:59] Zha Ewry: (You desperately don't want to have a constant update stream "Zha's Region Domain is adding Host1287" to the Domain
  • [9:59] Tao Takashi: yeah, I guess something like this is needed to keep it manageable
  • [9:59] Tao Takashi: so that in the end you can point to some trusted node which has contracts with all the other services in order to delegate this decision to it
  • [9:59] Zha Ewry: "Tao's Turtonic Hosting has removed Data Portability Portal 5"
  • [10:00] Tao Takashi: I am wondering if something like this could be an extension to OAuth
  • [10:00] Latha Serevi: I always just imagine these protocols would be the domain cryptographically signing a message of a particular sort, "I authorize MBMVW, public key X, with a temporary permission to do X." It seems straightforward that once we agree on everybody's pubkey-to-identity mapping, we can use short chains of these signed permission-slips to get various stuff done. How does that mental model fit with y'all?
  • [10:01] Tao Takashi: as you might already face the same problem on the web if you e.g. want to read data from 10 services during the signup to one new service. you might not want to tell every single service that it's ok separately. Then on another thought this might be a different problem ;-)
  • [10:01] Zha Ewry: That's the ballpark I'm thinking of
  • [10:01] Tao Takashi: because it's user centric while the domain thing is service centric
  • [10:01] Zha Ewry: There has been some fairly cogent concern that PKI isn't fully up to it
  • [10:01] Zha Ewry: This is 90% aimed at the server side
  • [10:02] Goldie Katsu: PKI is rather messy
  • [10:02] Tao Takashi: Latha: sounds like the OAuth model basically (the temp. permission bit)
  • [10:02] Zha Ewry: I think.. it feels like the problem people are trying to solve with tokens OAuth style
  • [10:02] Goldie Katsu: kerberos?
  • [10:02] Zha Ewry: So.. I am really hoping you'll collectively, bang out a walk through
  • [10:02] Tao Takashi: I need to dig into the OAuth spec again
  • [10:03] Zha Ewry: "Cert comes from here, gets held here, we sign with it, in this spot, we get temp tokens from it, and use the like X"
  • [10:03] Goldie Katsu: URL for OAuth spec?
  • [10:03] Tao Takashi: maybe even implement something on top of it :)
  • [10:03] Twa Hinkle: i still wonder about all this.. this all assumes there are untrusted domains..
  • [10:03] Tao Takashi: oauth.net
  • [10:03] Tao Takashi: [1]
  • [10:03] Goldie Katsu: thank you
  • [10:03] Zha Ewry: We're not looking at doing signing for most messages, so we're not trying to bite off all of PKI
  • [10:03] Latha Serevi: So far, we have two bases to start from -- my first-principles PK auth approach, and OAuth. Are there any others I should be aware of?
  • [10:03] Zha Ewry: We can assume CAPS and TLI for the security once we've established trust
  • [10:04] Zha Ewry: TLS
  • [10:04] Tao Takashi: Goldie: I am not sure it fits but it would be great if it could be made to fit e.g. by some extension because this is where the web is heading and it would make sense to use such protocols if possible
  • [10:04] Goldie Katsu: I'll take a look. (I'm assuming you're talking OAuth)
  • [10:04] Tao Takashi: yep
  • [10:05] Zha Ewry: So.. I'll peek at transcripts, and *may* even peek in world from the old world, but no promises
  • [10:05] Goldie Katsu: probably something I should be looking for my web 2.0 stuff too.
  • [10:06] Zha Ewry: I need to dash, because, RL is piling up and someone keeps asking for patches which work
  • [10:06] Goldie Katsu: See ya! Have fun.
  • [10:06] Tao Takashi: I might be one of them but actually I need to test again ;-)
  • [10:06] Tao Takashi: cya Zha! :)
  • [10:07] Zha Ewry: tao, try to tap me later today.
  • [10:07] Zha Ewry: Did you try yesterday's patch, with the numeric IPs?
  • [10:07] Tao Takashi: no, not yet, I was busy with a website launch
  • [10:07] Tao Takashi: and still am a little
  • [10:07] Zha Ewry: That seemed to sort out several people's problems
  • [10:07] Tao Takashi: cool, I will give it a try!
  • [10:07] Tao Takashi: hopefully later today
  • [10:07] Zha Ewry: Today's will add some more debugging
  • [10:08] Latha Serevi: I think it wouldn't hurt to have more than one model of the underlying identity system, and let the participants (domains/sims/users) be able to choose what list of supported methods they'll handle. L$ banking may go fully crypto-signed-only; most will be happy faster-and-looser, say, any SSL connection to someone on my friendly-hosts list is fine. Will need to beware of this flexibility creating security holes, but it seems "in the spirit" of supporting various approaches.
  • [10:10] Tao Takashi: Latha: to have different ways of authenticating is already thought about in the spec I think
  • [10:11] Tao Takashi: as for different ways of authorizing services to do things maybe OAuth can really help
  • [10:11] Latha Serevi: Which is the relevant spec, by the way?
  • [10:11] Tao Takashi: as you establish a temporary permission on the consumer side basically like flickr or youtube does these days
  • [10:11] Tao Takashi: [2]
  • [10:11] Tao Takashi: [3]
  • [10:13] Tao Takashi: it's sort of a joint venture of popular players on the web, like Google, twitter etc.
  • [10:13] Tao Takashi: the goal was to replace all those proprietary auth protocols Google, Yahoo and other have in place and have a common standard
  • [10:13] Tao Takashi: as nobody wanted to use their competitors standard ;_)
  • [10:13] Latha Serevi: Thanks, I'll read over the OAuth info.
  • [10:14] Tao Takashi: well, standard=solution in the last sentence
  • [10:14] Tao Takashi: but I am also off, work is calling again
  • [10:14] Tao Takashi: cya later!
  • [10:14] Latha Serevi: Bye Tao
  • [10:14] Bartholomew Kleiber: gotta run too, later
  • [10:15] Latha Serevi: I suggest adjourning now
  • [10:15] Goldie Katsu: Sounds wise.