User:Infinity Linden/OGP Trust Model UseCases

From Second Life Wiki
Revision as of 12:49, 12 August 2008 by Dale Innis (talk | contribs) (start filling in considerations)

We are gathering use-cases here, starting at the high "what the user actually does" level.

  • User from one grid teleports to another, and her inventory comes along

The user wants as much of her stuff as possible to be accessible on the new grid, working and appearing just as it did on the old one, except that any (meta-)information in the inventory that should not be accessible to the new grid should not move. (Should it be replaced by generic 'blank' information, or just not arrive at all? Or should information that is restricted in this way always or optionally include a pointer to "what to show instead" information to substitute?) Similarly, content creators may want to prevent certain of the objects that they create from getting to the new grid. (Or do content creators only care at the point where the object is actually rezzed on the new grid, or copied, or modified, or given/sold/loaned to someone else?)

None of this can happen at all unless there is some common way of representing inventory items. Are we going to attempt to design a common representation? At the very least there should be a negotiation phase where the grids determine that they do in fact share some common representation (or that they don't, in which case inventory won't be able to travel).

  • User from one grid teleports to another, and her attachments come along

As with inventory, with the added fact that attachments are rezzed at TP arrival time. Things should work as in the old grid, except that any metainformation or actual information (including textures, prims, etc.) that is forbidden to the new grid via access control should not move (see the note above on substitution questions). Content creators may, again, want to prevent their objects from being rezzed in the new grid (this is (even) more likely a concern than with inventory).

Representing attachments (or rezzable items in general) is more complex than representing inventory items. Again, there needs to be a negotiation phase to make sure that the two grids / domains have some representation in common.

  • User from one grid teleports to another, and rezzes an object from inventory there

Any differences here from the attachments case? The destination grid does of course have to make sure that the agent is allowed to rez things there according to its own local policies, but that's a local decision.

  • User from one grid teleports to another, and gives something from her inventory to another user there
  • User from one grid teleports to another, and sells something from her inventory to another user there
  • User from one grid teleports to another, and rezzes a vendor that another user then buys from

Some threat-model cases:

  • Attacker contacts RD1, attempts to masquerade as AD1
  • Attacker contacts RD1, authenticates as an otherwise-unknown ADz (what should an unknown AD be able to do?)