User:Zero Linden/Office Hours/2008 September 23

From Second Life Wiki
  • [13:03] Morgaine Dinova: 'Afternoon, Zero
  • [13:03] Whump Linden: hello
  • [13:03] Zha Ewry: Afternoon all
  • [13:03] Zero Linden: hello hello
  • [13:03] Dale Glass: hi :-)
  • [13:03] Morgaine Dinova: Hiya Whump
  • [13:04] Teravus Ousley: Zero, my old question about specific region in a region domain teleporting was answered...
  • [13:04] Teravus Ousley: not necessary to bring it up as a topic.
  • [13:04] Zero Linden: oh?
  • [13:04] Zero Linden: well... er... woot!
  • [13:05] Goldie Katsu: actually if I'm dotless it is because my USB subsystem likes to crash more with voice on. Until I can fix the hardware I try to prevent panics where I can.
  • [13:05] Whump Linden: Yes, last Friday Teravus, Leyla, and I worked out a way to deal with that
  • [13:05] Zha Ewry: debates sending Goldie to wall street. We could use some panic preventin there.
  • [13:05] Teravus Ousley: yep. turns out that the region seed.. returns the address to rez_avatar/request.. and I can use that to feed it state data based on the exact URL used to GET the region seed.
  • [13:06] Whump Linden: so targeting a specific region on an OpenSim instance will be available with today's AD, RD, and Viewer deploy
  • [13:06] Zero Linden: ah - is this so that several regions can all be handled by the same system?
  • [13:06] Zha Ewry: Very nice, Whump, Ter
  • [13:06] Goldie Katsu: chuckles realizing that her statement could be read as "otherwise I promote panics"
  • [13:07] Teravus Ousley: yep.. and the user can pick a specific region in the region domain to teleport to
  • [13:07] Morgaine Dinova: Normal political procedure to promote panics
  • [13:07] FWord Utorid: is it possible to modify SL so the sky is falling?
  • [13:08] Rex Cronon: hello everybody
  • [13:08] Zero Linden: and I'll probably only muddy the waters here if I point out that you *could* put that information in the cap URL itself.... if you either encrypt it or sign it....
  • [13:08] Morgaine Dinova: Hi Rex
  • [13:08] Rex Cronon: hi
  • [13:08] Teravus Ousley: yep :D
  • [13:08] Dahlia Trimble: Hi :)
  • [13:08] Zero Linden: ...but putting that info in the private data stored with the cap translation is probably safer and easier
  • [13:08] Zha Ewry: Much safer, Zero
  • [13:08] Zero Linden: Well - don't tell the Waterkin (sp?) guys that...
  • [13:09] Zha Ewry: The more predictable that sort of thing is, the easier to attack
  • [13:09] Zero Linden: Of course - i think they were putting an entire continuation stack, signed, in the URL!
  • [13:09] Teravus Ousley: Let's say there's a region 'Teravus Test2' in a region domain. the seed is https://somedomain.com:9001/ .. if you wanted to teleport to it directly.. it's https://somedomain.com:9001/Teravus%20Test2
  • [13:10] Xugu Madison: I haven't caused chaos recently, so; is there any scope for handling one region being hosted in multiple identical copies (for example, if one copy becomes too crowded people are teleported onto a second copy)?
  • [13:10] Xugu Madison: and therefore having to possibly address sub-instances of a region
  • [13:10] Zero Linden: Xugu - I think a region domain could do that without anyone knowing...
  • [13:11] Teravus Ousley: Xugu: there's a module by some people in 3DI that does exactly that.
  • [13:11] Xugu Madison: Fantastic!
  • [13:11] Zero Linden: basically - my viewer presents the well known cap to the region: and gets back a cap for further access
  • [13:11] Infinity Linden: right... the issue is less about how it's handled internally, but how messages flow to the public instance of the sim
  • [13:11] Zero Linden: nothing says that the cap I get need be the same one you get
  • [13:11] Zero Linden: well - they are always different - but they could even be on different hosts, and map to different experiences....
  • [13:12] Zero Linden: though certain assumptions about regions would have to be handled by the region domain
  • [13:12] Zero Linden: like - our presence info would show up as the same place, presumably....
  • [13:12] Zero Linden: which might lead to a misleading experience if a friend comes to TP near us.... and ends up in a different shard
  • [13:13] Xugu Madison: That's kind of what I was thinking
  • [13:13] Zero Linden: So - all - Welcome to my office hours
  • [13:13] Graph Weymann: TP-to-my-friend should be handled as the friend giving out a reference (cap) to "where I am now", i.e. the same shard
  • [13:13] Zero Linden: Agenda items....
  • [13:13] Zha Ewry: Sharding, is always problematic that way
  • [13:13] Zero Linden: while we're waiting a bit of administrivia:
  • [13:13] Morgaine Dinova: Hardly a misleading experience. It's by design that SL isn't going to design regions for scalability.
  • [13:13] FWord Utorid: hi zero. welcome to my monitor!
  • [13:13] Graph Weymann: i.e. I ask the region to let someone else in and they give me the link to pass to my friend
  • [13:14] Zero Linden: Next week I'll be out --- I'm hoping one of the other OGP enabled Lindens will fill in
  • [13:14] Zha Ewry: Sharing leads to such discussions as "Come see me in ironfogre, on Arathor"
  • [13:14] Whump Linden: Zero: Tess, Infinity, and I would like to talk a bit about agent domain messages for login, etc.
  • [13:14] Zha Ewry: *sharding
  • [13:15] Goldie Katsu: wonders what CAPS OGP enabled Lindens support at this point.
  • [13:15] Zero Linden: 1) Agent Domain messages
  • [13:16] Whump Linden: Goldie: the give_coffee cap is a good one to implement.
  • [13:17] Zero Linden: "TP, TP! Sharding is such sweet sorrow, That I shall say TP till it be morrow."
  • [13:17] Teravus Ousley: would prefer the give_rocket_fuel cap
  • [13:17] Zha Ewry: notes, that the shard would have to have a URL, which could be passed in some places
  • [13:18] Morgaine Dinova: I like the tune "Shards Are So Yesterday"
  • [13:18] Zha Ewry: prefers "when the shards go clonning on"
  • [13:18] Zero Linden: okay- having no other items.......
  • [13:18] Zero Linden: .....take it away Whump!
  • [13:18] Whump Linden: Okay, thanks Zero.
  • [13:19] Beware Hax: hi
  • [13:19] Whump Linden: So there are messages you want to be able to send from the viewer to the agent domain, that relate to your presence.
  • [13:19] Whump Linden: Obviously, signing into the AD
  • [13:19] Beware Hax: can i still do "the gridnaut tp"?
  • [13:19] Rex Cronon: hi
  • [13:20] Whump Linden: and placing yourself after you've logged in
  • [13:20] Whump Linden: and removing your presence, but remaining logged in to the AD
  • [13:20] Whump Linden: and finally logging out
  • [13:21] Whump Linden: at the moment, we have rez_avatar/place, which the agent domain calls once you've authenticated
  • [13:21] Whump Linden: however, it may be nicer to have a suite of agent/* messages.
  • [13:22] Zha Ewry: If the resource is the agent, then clearly ;-)
  • [13:23] Whump Linden: Zha, these are messages from the viewer to the AD, so agent may not be the best term
  • [13:23] Zha Ewry: and that is the question we should be remembering to ask, as good RESTadarians
  • [13:23] Zha Ewry: What is the resource, the name, and the action should reflect that
  • [13:23] Whump Linden: yes, in St. Roy's name, amen.
  • [13:23] Dahlia Trimble: restadarians?
  • [13:23] Whump Linden: er Ray even
  • [13:24] Morgaine Dinova: Right first time I think
  • [13:24] Zha Ewry: *RESTafarians
  • [13:24] Zha Ewry: Roy
  • [13:24] Whump Linden: so the suite we were thinking of was:
  • [13:24] Zha Ewry: Blessed be St. Fielding, his state transfered intact
  • [13:24] Teravus Ousley: Rick Rolled?
  • [13:24] Whump Linden: agent/authenticate
  • [13:24] Whump Linden: agent/place
  • [13:24] Whump Linden: agent/unplace
  • [13:25] Whump Linden: agent/deauthenticate
  • [13:25] Zha Ewry: Are these placing the agent, tho?
  • [13:25] Whump Linden: so the first is sending your credentials in one of the methods described in the Teleport spec
  • [13:26] Whump Linden: the second is what rez_avatar/place does in Draft 3.
  • [13:26] Zha Ewry: Authenticate, is an agent task
  • [13:26] Zha Ewry: place, is an avatar task isn't it?
  • [13:27] Tess Linden: yep
  • [13:27] Zero Linden: well - this raises the question if a suite needs to be named for the full sequence, or from the stance
  • [13:27] Whump Linden: agent/unplace derezzes you but keeps you logged into the AD so you still have access to any services the AD provides
  • [13:27] Zero Linden: in other words all the rez_avatar/* messages have to do with the act of teleporting
  • [13:27] Zero Linden: even though some are V -> A, some A -> R
  • [13:28] Zha Ewry: nods
  • [13:29] Zero Linden: still thinks they should be called teleport/*
  • [13:29] Zha Ewry: I'd argue, with some firmness, that the resource matters more than the action
  • [13:29] Whump Linden: Yes, but thinking of how to separate out "authenticate" me from "now that I'm authenticated," put me somewhere
  • [13:30] Zha Ewry: Whump: Is it put me (the agent) or put me (my avatar) ?
  • [13:30] Zero Linden: wonders if agent/unplace is just agent/place with an empty URL for the destination....
  • [13:31] Whump Linden: Zha, the agent
  • [13:31] Zha Ewry: Does it?
  • [13:31] Zha Ewry: My agent is in the agent domain, and has a URL there
  • [13:32] Zha Ewry: does it get a URL in the region domain?
  • [13:32] Zha Ewry: is trying to be painfully precise here
  • [13:32] Whump Linden: precise is good
  • [13:33] Zha Ewry: In general I'm wrestling with what's the URL addressable entity in these stories
  • [13:34] Infinity Linden: in the agent/* calls, the URL addressable entity is the loginuri
  • [13:34] Whump Linden: you know, let me do some diagramming and put some stuff on a texture
  • [13:34] Infinity Linden: or rather... in the agent_login, it's the loginuri
  • [13:34] Zha Ewry: nods
  • [13:35] Zha Ewry: I'm thinking of what I should get back from the place, and what I can do to it, and how I am asking to what. This is, I think the agent domain hosted resource being asked to create a resource in the region domain
  • [13:36] Infinity Linden: nods at zha
  • [13:36] Zha Ewry: So, the place, is on the agent, but.. it gets an avatar placed, not the agent, if that makes any sense
  • [13:36] Zero Linden: yes
  • [13:36] Zero Linden: hence - the name rez_avatar/place
  • [13:36] Zha Ewry: if I need to talk to that new resource, that's clearly going to have a URL which reflects, the region it is in, not the agent domain, or I am going to ask the AD to do it for me, if I wish to keep it hidden
  • [13:37] Infinity Linden: there are a couple of perspectives, zha
  • [13:38] Zha Ewry: At least ;-)
  • [13:38] Infinity Linden: from the viewer, it all looks like it's on the ad
  • [13:38] Infinity Linden: to the ad, it looks like it's on the region
  • [13:38] Zha Ewry: If we never let anyone talk directly to the region resource
  • [13:38] Infinity Linden: yup. not for teleportin'
  • [13:38] Zha Ewry: we need to be painfully careful we get all the bits even internal ones, enumerated, and named
  • [13:39] Zha Ewry: especially if, down the road we want to be able to refactor things a bit
  • [13:39] Infinity Linden: there may be things like "public region info" that the viewer can get directly
  • [13:39] Infinity Linden: but one of the things we're trying to limit is the damage an untrustworthy RD can do directly to a viewer
  • [13:40] Zha Ewry: chuckles
  • [13:40] Zha Ewry: an RD can't *do* it to the viewer, so much as let the viewer do it to itself, but yes, granted.
  • [13:40] Morgaine Dinova: Interesting way of putting it ... ie. zero trust in either direction :P
  • [13:41] Infinity Linden: no... the viewer and the region domain trust the agent domain (and vice versa)
  • [13:41] Zha Ewry: We are stuck with as little trust as we can stand, unless (and even) when we add some trust proofs
  • [13:41] Infinity Linden: but there's transitive trust between the viewer and the region domain (through the agent domain)
  • [13:41] Zha Ewry: You have to trust the AD, since you logged into it
  • [13:42] Zha Ewry: The rest, is up for debate, depending on where you go
  • [13:42] Latha Serevi: I don't really understand why the viewer needs "protecting" from anybody. Is it a particularly broken piece of code?
  • [13:42] Zha Ewry: (not trusting your AD, is pretty hopeless)
  • [13:42] Morgaine Dinova: Latha: hahahahaha
  • [13:43] Infinity Linden: not so much broken code as we have a user constituency that is interested in maintaining positive control over their digital assets
  • [13:43] Zero Linden: hmmm... this reminds me - at some point I think on a whiteboard,- we came up with a case that showed that no AD worth its salt would pass the RD seed cap it gets from rez_avatar/place
  • [13:43] Zero Linden: directly on to the viewer
  • [13:43] Zero Linden: it would wrap it, and only let the viewer request certain caps from the RD... but I can't remember why now
  • [13:44] Teravus Ousley: a rd that passes 'rm -rf /'?
  • [13:44] Latha Serevi: Wouldn't they want to control their viewer, then, for maximum control? The people who delegate control to their AD are getting less control, I would think, in exchange for convenience. But not, surely, for protection? Or maybe it's the AD that needs protecting from the user, by controlling their actions a bit?
  • [13:45] Infinity Linden: @Zero... 'cause access control to the RD is bound to the cap, and the trust between the AD and the RD is different than the trust between the V and the AD
  • [13:45] Morgaine Dinova: Latha: in case your question wasn't a joke ... the client is large, hugely variable, evolving, dependent on lots of 3rd party code, open source, buggy like all large programs, and will probably be dynamically variable through plugins. So while it's not totally broken, it will never be treatable as secure, safe and stable either.
  • [13:46] Zha Ewry: Not only that, the client, is not assured to be a client we control at all
  • [13:46] Morgaine Dinova: Indeed
  • [13:46] Whump Linden: yes, a case of a viewer that attempts to do something copybot-ish?
  • [13:46] Zha Ewry: It may be any bit of code which conforms to the protocol
  • [13:46] Infinity Linden: i think the prevailing belief in the content creation community is that once you give an item to a viewer so the viewer can decide what to do with it, it's a little late to make an access control decision
  • [13:46] Morgaine Dinova: Yep
  • [13:46] Dale Glass: yep
  • [13:46] Latha Serevi: So, we're mostly protecting the rest of the world "from" a viewer via a more reliable proxy.
  • [13:47] Whump Linden: so the AD may ask the RD about an item's permissions, and proxy that to the viewer
  • [13:47] Infinity Linden: @Latha.. yup
  • [13:47] Morgaine Dinova: It's mutual distrust, for the benefit of all.
  • [13:47] Teravus Ousley: well, ultimately.. you could control the system more that way.. because you could ensure, from the region.. that the AD has an SSL Cert by an approved signing authority.. and from the AD.. that the RD has a SSL Cert signed by an approved signing authority.. and the viewer can stay out of it.. (well.. except for regular region caps.. like Save Notecard.. EventQueueGet.. and those)
  • [13:47] Whump Linden: but the rd would never want the viewer to ask that
  • [13:47] Zero Linden: well - I'm not sure.... remember, once authenticated, the AD trusts that the particular V to be under control of the user (or their proxy)
  • [13:49] Xugu Madison: Sorry, must run, and can't make tomorrow's meeting, but I'll see you all Thursday
  • [13:49] Rex Cronon: tc
  • [13:49] Whump Linden: later, Xugu
  • [13:49] Morgaine Dinova: Cya Xugu
  • [13:49] Zha Ewry: TC X
  • [13:49] Teravus Ousley: tc
  • [13:49] Dahlia Trimble: bye :)
  • [13:50] Zha Ewry: does some idle math, replacing xugu with f(ugu) and promptly passes out from poisoning
  • [13:50] Zha Ewry: So.....
  • [13:51] Zha Ewry: Where were we. Do we have an actual rezzed avatar yet?
  • [13:51] Teravus Ousley: well, if you want to limit access to assets.. one way to do it would be to ensure that you don't sign their SSL Certificate signing request without a contract
  • [13:51] Zha Ewry: So we want a SSL cert on every asset?
  • [13:51] Whump Linden: no, we were at agent/place vs. rez_avatar/place and Zero had made the argument for rez_avatar/place
  • [13:51] Zero Linden: well... we've led a long path from Whump's original question
  • [13:52] Zero Linden: Zha: That sounds like a good design for Verisign.... not so good for the rest of us! :-)
  • [13:52] Zero Linden: heh
  • [13:52] Zha Ewry: Rather my point
  • [13:53] Morgaine Dinova: Wow, excellent way of removing all 99% of commercial objects from SL ... getting them all signed. Neat.
  • [13:53] Morgaine Dinova: chuckles
  • [13:54] Bartholomew Kleiber: it always boils down to Verisign ... I guess they DO have a business model.
  • [13:54] Zha Ewry: In general, unless we can't avoid it, I really, really, want to limit certs to a few spots
  • [13:54] Teravus Ousley: heh, nah.. it would only have to be the Agent Domain<-----> Region Domain that would need to be 'Trust signed'
  • [13:54] Rex Cronon: how does signing an object, remove it from sl?
  • [13:54] Whump Linden: reads scrollback
  • [13:54] Teravus Ousley: .. I suppose perhaps.. any Agent Domain <----> Asset Service?
  • [13:55] Zha Ewry: That too, Ter
  • [13:55] Zha Ewry: but. that should be it
  • [13:55] Zha Ewry: We can build shared secrets from those anchors
  • [13:55] Zha Ewry: caps, handed around over SSL, and such
  • [13:55] Dale Glass: I don't really understand what the SSL certs would be for
  • [13:55] Teravus Ousley: Encryption.. and implementing a protocol level trust
  • [13:56] Morgaine Dinova: My experience of Verisign's business model is: Me: "I telnetted to your webserver's port 80 and found you have bug XX." Verisign: "What is telnet?"
  • [13:56] Zero Linden: Dale - the SSL cert is mostly to ensure that each party is certain they are talking to who they think they are
  • [13:56] Teravus Ousley: the protocol level trust would be in the 'approved Signer of a Certificate Signing Request'
  • [13:56] Beware Hax: its called outsourcing tech support to people in india, who were supporting laundry powder yesterday
  • [13:56] Dale Glass: encryption of what? You need to be able to know what's on the grid, so you decrypt the object to show it. At that moment you can apply your own cert and recreate your copy on the grid
  • [13:56] Zero Linden: that is all
  • [13:56] Beware Hax: and potted plants tomorrow
  • [13:57] Zha Ewry: Not to do deep DRM
  • [13:57] Infinity Linden: explodes at the mention of DRM
  • [13:57] Zha Ewry: i think we're all clear on that
  • [13:57] Infinity Linden: no. this is not about DRM
  • [13:57] Dale Glass: hmm, ok, I need to catch up on stuff I see. Anybody got a link on the cert stuff?
  • [13:57] Zha Ewry: To know that the sim/asset server pair is trusted
  • [13:57] Beware Hax: is the SL asset permissions system DRM?
  • [13:57] Infinity Linden: it is about ensuring that protocol messages come from and to trusted protocol actors
  • [13:58] Zha Ewry: and no, it isn't beware
  • [13:58] Zha Ewry: shares a legal agreement
  • [13:58] Beware Hax: i wonder why, because people around me call it that
  • [13:58] Whump Linden: Dale, that's Infinity's wiki page on trust.
  • [13:58] Infinity Linden: looks around to see if she can go into god mode and kick the next person who mentions DRM into the cornfield
  • [13:58] Zha Ewry: the C/M/T is nothing more than a agreement by linden to play nice
  • [13:58] Zha Ewry: The legal issues are totally based on the TOS
  • [13:58] Infinity Linden: +1 Zha
  • [13:58] Zha Ewry: That said...
  • [13:58] Zha Ewry: if we want to do more
  • [13:58] Dale Glass: [1] ?
  • [13:59] Infinity Linden: and the SSL is there to ensure that we're talking to whom we think we are talking to
  • [13:59] Zha Ewry: we have to do it between people who can be proven to have agreements between them
  • [13:59] Zha Ewry: +1 Infinity
  • [13:59] Beware Hax: i find the whole concept of logging in with key pairs interesting, but its hardly done in practice
  • [13:59] Infinity Linden: you use a key pair every time you log in to Second Life
  • [14:00] Teravus Ousley: yep
  • [14:00] Infinity Linden: the login request goes over HTTPS
  • [14:00] Beware Hax: what i mean is that instead of giving LL a password, i give them a public key
  • [14:00] Beware Hax: and to log in, i sign a nonce sent to me
  • [14:00] Infinity Linden: that just means that you are in possession of the private key
  • [14:00] Teravus Ousley: .. your banking website uses a key to ensure you know it's the bank..
  • [14:00] Infinity Linden: i could generate a key pair and then claim to be you
  • [14:00] Beware Hax: but how does the bank know it's me;)
  • [14:00] Zha Ewry: It offers you a challenge
  • [14:00] Beware Hax: so one has to establish the trust that the key pair is really mine first
  • [14:01] Morgaine Dinova: People are mixing up authentication keys and certs with session keys for session encryption.
  • [14:01] Teravus Ousley: some banks have a private key option :D.
  • [14:01] Beware Hax: my internet banking has a little device i have to put my bank card into, which generates codes
  • [14:01] Infinity Linden: (in theory) you were supposed to appear at the bank in person, produce a government issued id
  • [14:01] Infinity Linden: and select a password
  • [14:01] Teravus Ousley: And.. If you've ever done payment processing.. most require a merchant key as well.
  • [14:01] Infinity Linden: oh oh.. .for acquiring / merchant bank CC clearing?
  • [14:01] Teravus Ousley: nod nods
  • [14:02] Infinity Linden: eek
  • [14:02] Infinity Linden: i think we used up the hour
  • [14:02] Whump Linden: okay, having run out of time, I will go back and think
  • [14:02] Beware Hax: i suspect openID is an implementation of "logging in with a keypair", i should look at it more
  • [14:02] Zha Ewry: and OAuth, is deeply intrusive
  • [14:02] Whump Linden: a couple of OGP Beta announcements, there will be updated viewers and AD deploy today
  • [14:03] Whump Linden: if you're running an OGP enabled OpenSim, please update from trunk
  • [14:03] Whump Linden: and you'll need the new viewers
  • [14:03] Bartholomew Kleiber: ah ok
  • [14:03] Teravus Ousley: yep.. you'll also need to update your OpenSimulator. as only the very most recent supports revision 3 of the OGP draft
  • [14:03] Zha Ewry: runs off to the next meeting
  • [14:03] Whump Linden: second, OGP Beta office hours have been moved this week to Thursday at 1:30
  • [14:03] Whump Linden: they will be held on Dahlia's region on OS Grid
  • [14:04] Bartholomew Kleiber: btw that was a cool idea.
  • [14:04] Teravus Ousley: it's a public OGP region.. from the wiki.
  • [14:04] Whump Linden: so you need to put [2] in the Region URL field
  • [14:04] Infinity Linden: cheers all... i have to run
  • [14:05] Rex Cronon: bye everybody
  • [14:05] Teravus Ousley: take care
  • [14:05] Zero Linden: eeek
  • [14:05] Zero Linden: now I'm late too...
  • [14:05] Zero Linden: okay all
  • [14:05] Zero Linden: thanks for coming
  • [14:05] Whump Linden: kk, thanks for hosting Zero
  • [14:05] Zero Linden: I gotta run
  • [14:05] Zero Linden: till next time...
  • [14:05] Whump Linden: I need to use my get_coffee cap