[9:37] Zha Ewry: I want to chew a little on what we might mean by "region domain" and tie it to trust management, some of the ban list discussion at Which's office hours last week, and then onto the question of how we establish trust for things like rez_avatar
[9:38] Tao Takashi: there was not much sympathy for a general ban list idea when I asked this question on seesmic ;-)
[9:38] Zha Ewry: All of which, falls into the bigger rubric of "how do we manage relationships between chunks of "grid"
[9:39] Zha Ewry: Ban list is mildly toxic, but.. . the reality is a significant set of the players are likely to want to have a scheme for exchanging them
[9:40] Zha Ewry: One of the minor side effects of playing in code and making things work has been to make me think hard about how we're going to manage the
[9:45] Zha Ewry: The routing, is separable from the trust, I think, tho possibly related
[9:45] Zha Ewry: So.. if we want to make "region domain" have some meat
[9:45] Zha Ewry: I think it has to become a named thing in the story
[9:45] Zha Ewry: and.. I'd argue that the region domain, is where we establish trust for the ims
[9:45] Rex Cronon: i think it should be similar to adding pages to a site
[9:46] Tao Takashi: I basically see this as a bunch of services which manage the list of regions in that domain, a map of them and probably some trust related services
[9:46] Zha Ewry: Not quite as simple as that Rex, because, they don't share an IP address
[9:47] Sheet Spotter: Given the address of a destination sim (or perhaps some magical key/token from it), I should be able to query the region domain to confirm it's trusted.
[9:47] Tao Takashi: as it only contains sims right now
[9:52] Zha Ewry: delivered out of band when you set up the relationship
[9:52] Rex Cronon: ok, so now we have/need a trust server(s)
[9:52] Saijanai Kuhn: ah, OK so not even a login issue per se
[9:53] Lazarus Longstaff: is there any way we could potentially have peer region domains vouch for the trustworthiness of a joining region/region domain as a result of a request for trust?
[9:53] Zha Ewry: I don't see how we can avoid them, if we want to be able to say "This sim, is part of the trusted cloud"
[9:53] Zha Ewry: And.. i think it becomes membership
[9:54] Lazarus Longstaff: the whole notion of trust is wrapped around the concept that *everyone* is initially untrusted
[9:54] Lillie Yifu: we don't need trust servers, this can be done peer to peer, but any region domains will want trust servers. Just like we don't use secure http for everything, or ask for certificates for everything.
[9:54] Tao Takashi: so if we start with the LL grid as a big AD and RD then they might setup trust relationships with other RDs
[9:54] Zha Ewry: At the protocol level, I'm happy to define the path for sealing trust between partners
[9:54] Zha Ewry: and. then we need to make sure you can create a "provable" trust relationship
[9:54] Zha Ewry: In practice, I expect this will anchor in people actually doing certs out of band
[9:54] Zha Ewry: So, you sign your contract with "Zha's trust authority" and
[9:55] Goldie Katsu: The challenge is defining the parameters for trust.
[9:55] Zha Ewry: I issue you a cert for signing your region
[9:55] Sheet Spotter: A weak analogy...I can choose which SL groups to join. Should the decision on which Region Domains to join/trust also be a personal choice?
[9:55] Goldie Katsu: As in what does that signature mean?
[9:55] Lazarus Longstaff: so really trust comes down to an out-of-band contractual arrangement
[9:58] Zha Ewry: "Here's the TOS to enter my trust cloud"
[9:58] Goldie Katsu: You could use various trust systems - but you need a clear way to know you are talking to region/domain x and not someone else posing as region/domain x
[9:58] Saijanai Kuhn: cloud is right, because of the overlapping trust possibilities
[9:58] Sheet Spotter: Then it's both a corporate and a personal decision who to trust? I don't need to trust a Region, even if they signed a trust agreement with a company I do trust?
[9:58] Tao Takashi: so basically what an RD needs is some way to have a list of trusted ADs. there might be several lists for several sets of permissions maybe and "public"
[9:58] Zha Ewry: and you sign off on that, and if need be, pay for the access.. and then you get a public cert for signing as that trusted party
[9:58] Goldie Katsu: Dynamic trust systems might be better than the hierarchy of certs used on web sites.
[9:58] Tao Takashi: and I guess we also need it the other way round
[9:59] Saijanai Kuhn: Sheet, trust is for where you can rez things made in another region domain. Where you can spend Lindens as opposed to x-dins
[9:59] Goldie Katsu: I think there are two pieces here.
[9:59] Latha Serevi: Trust is really not binary. Seems misleading to think of trust as a single thing. L$ most stringent, "guest login as Ruth" almost unrestricted, "rez object" and "transfer inventory" in between. Does anyone have a decent list of these?
[9:59] Zha Ewry: I think that the graph of trust is going to be overlapping
[9:59] Goldie Katsu: I think we have one piece which is verifiable identity of region domain
[9:59] Zha Ewry: The anchor is proving membership, and trust
[10:00] Zha Ewry: and then permissions anchored on that
[10:00] Goldie Katsu: Tao I think that is backwards.
[10:00] Saijanai Kuhn: which is why I assume that you need to go with the AD for trust. you can't trust the region to claim trust, you need the AD to verify it
[10:03] Goldie Katsu: yes, there needs to be a way to protect the reputation system - it just may be different than the I have a contract with x mechanism.
[10:03] Lazarus Longstaff: the cert system could be used to validate the root of the trust mechanism
[10:03] Zha Ewry: it's going to lead to a way of my sim, at the moment, asking "is this a trusted counterpart" and ways of managing that
[10:03] Lazarus Longstaff: reputation could be built over that dynamically
[10:04] Tao Takashi: but that's another discussion
[10:04] Goldie Katsu: I see the 3 layer model you are talking about.
[10:04] Zha Ewry: Tao, that falls into the category, of lets enable it, and find out
[10:04] Lillie Yifu: No there can't be. All trust systems sooner or later accept some kind of failure, or have some kind of backer as last resort.
[10:05] Lillie Yifu: In either case failure tolerance is built in.
[10:05] Zha Ewry: nods, and revocation, and such is important when you build these
[10:05] Lazarus Longstaff: I think there def needs to be a distinction in quality of trust between certified vs. reputation
[10:05] Goldie Katsu: 1) Identity trust 2) way that sim says it trusts 3) API ish piece that lets you plug in various trust mechanisms that will speak to standard specified in 2 that allows whitelist, reputation system, cert system or whatever mechanism to define their trust rules.
[10:05] Tao Takashi: I still think everything can be gamed so I doubt that you should trust reputation systems
[10:07] Goldie Katsu: Hackprotection of rating systems is an important part.
[10:07] Zha Ewry: Well, Lazarus, we design the protocols, if people decide to deploy schemes like that, I think that's not ours to fix, they'll discover why it's a bad idea soon enough
[10:09] Latha Serevi: When you hear the phrase "a trusted region" don't alarm bells go off for you? They do for me. Not a binary thing, so that phrase is misleading or meaningless to me.
[10:09] Zha Ewry: the bottom layers support a bunch of possible ways of doing it
[10:09] Tao Takashi: Latha: the same is: what does +4 actually mean?
[10:09] Saijanai Kuhn: well "trusted" for certain things in certain ways
[10:09] Rex Cronon: i think that ratings done by users can be helpful as they show what they think about your system
[10:09] Zha Ewry: Well, it depends how you define "trusted"
[10:10] Tao Takashi: the bottom line is: Don't trust anything even if it says so
[10:10] BlueWall Slade: suspects that trust will boil down to operating agreements among grid owners
[10:10] Goldie Katsu: is all for configurable options having written a program that handled pulling info out of a database that seemed to change its structure weekly
[10:10] Lazarus Longstaff: Rex: feedback is good - but we're essentially talking about something entirely different here
[10:10] Latha Serevi: And I'm suggesting that if you're not saying what kind of trust, you're not actually saying anything non-obfuscatory
[10:11] Goldie Katsu: Trust is an overloaded word. Nothing is 100% trusted, but two systems may have agreed that they can exchange info.
[10:11] Zha Ewry: I might define a region as a set of sims, all sharing the same trust attributes
[10:11] Rex Cronon: i have to disagree, is not entirely different
[10:11] Goldie Katsu: whether this is good enough for the avs.
[10:11] Latha Serevi: Does anybody have a list of "kinds of trust" they can share? Or did we want to just focus on mechanisms for (1) certificate authority and (2) saying what permissions a region will propagate?
[10:11] Zha Ewry: So, it's perfectly reasonable to say "This set of sims all follow this trust pattern"
[10:11] Tao Takashi: trust is maybe the wrong word here anyway. I think what you need is simply a list of domains which might be allowed to do certain things like rez something
[10:11] Lillie Yifu: hmmmmm the division is trusted identity, and trusted capacity.
[10:12] Zha Ewry: Trust is a term of the art, for certs and such
[10:12] Lazarus Longstaff: it is in the sense that, what's being trusted is not that the region is safe to sortie in with your av, but that a region is trusted to communicate and negotiate permission to participate in the region domain
[10:15] Zha Ewry: As we write this, which is common in security discussions
[10:15] Zha Ewry: we need to be very careful not to use words which people will make assumptions about
[10:15] Sheet Spotter: The cert needs to be specific about what levels of trust exist. In Zha's example the cert only validates the trust that Region X is part of a specific RD.
[10:15] Zha Ewry: (which leads to such horrible phrases as "signed identity tokens")
[10:15] Tao Takashi: it's some sort of proven identity and you can then layer things on top of it like permissions
[10:16] Zha Ewry: right and. note the danger of getting sucked into the semantic web, or general permissions languages problem space
[10:16] Zha Ewry: What does it mean "can rez objects"
[10:16] Tao Takashi: and for the general public maybe mostly the layers are interesting. That there is a problem that sites can falsely state who they are is maybe not so clear to many
[10:16] Zha Ewry: if you want to have fun, look at the OMG's discussion on permissions from the late 90s
[10:17] Lazarus Longstaff: build? drop? wear? all are potentially under that umbrella
[10:17] Zha Ewry: Whole complex set of object hierarchies for describing permissions
[10:17] Latha Serevi: There seems to be a strong hope that there can be a single notion of "verifiable identity" that all reasonable sims could subscribe to. Such a notion must be rather open -- more like "has a registered key" than "is reputable".
[10:17] Zha Ewry: "Can I rez, can I drop, can I copy, can I transfer, can i modify"
[10:18] Saijanai Kuhn: was looking at a "Rights Expression Language" to describe these things officially
[10:18] Tao Takashi: for an AD it might also mean "do I send objects over to that domain?"
[10:18] Zha Ewry: At the protocol level, a lot of that turns into opaque strings, which humans tie to contracts and language which defines them in many schemes
[10:18] Saijanai Kuhn: and then that gets boiled down to a binary thing concerning which regions get trusted by which regions
[10:18] Tao Takashi: and domain might be an AD or RD actually
[10:19] Zha Ewry: (ahh, this also leads to the fun question: is an asset server in an Agent or Region Domain, or is it in a service domain, separable)
[10:19] Tao Takashi: so an AD also needs to know about other ADs, not just RDs
[10:19] Zha Ewry: Personally, I think Asset Servers aren't in AD or RDs at all
[10:29] Lazarus Longstaff: in fact, work is currently in progress on OpenSim to support multiple inventory servers
[10:29] Zha Ewry: you want some way of having nested sets of them, and stuff
[10:30] Tao Takashi: I think I want my stuff simply to be on my server when I run an AD ;-)
[10:30] Zha Ewry: So.... I may have in my "root" inventory
[10:30] Saijanai Kuhn: you could see a generic asset server maintained by GNU people with lots of open source scripts available to all avatars anywhere
[10:30] Zha Ewry: an entry which is "This inventory is hosted outside this AD"
[10:30] Sheet Spotter: It seems reasonable to support an asset server that is accessible from multiple ADs.
[10:32] Zha Ewry: and I want to be able to express that properly in the whole permissions/trust scheme
[10:32] Zha Ewry: In general, I want to enable by reference when I can
[10:32] Zha Ewry: The web is much more about "here's a URL" than "here's a bag of bits"
[10:32] Bartholomew Kleiber: yes but big corp want to have some sort of approval process for the assets.
[10:32] Zha Ewry: Sure, I need to copy and store stuff at times
[10:32] Tao Takashi: I wonder if that cannot simply be left for implementation in the AD. I don't care where it does get stuff from as long as it knows how to get it.
[10:32] Sheet Spotter: Tao, my email address isn't tied to my Internet Service Provider. Why should my asset server be tied to my AD?
[10:32] Lazarus Longstaff: Assets is another word that gets us in a lot of trouble
[10:32] Zha Ewry: but a lot of the time, i just need the handle
[10:32] BlueWall Slade: in the future, asset hosting might even be included in a person's basic internet service - like email
[10:35] Saijanai Kuhn: what if the AD is a man in the middle thing that poses forever after as your avatar and requests admission back to your original AD?
[10:36] Zha Ewry: You don't download the assets when you load your inventory
[10:36] Tao Takashi: Zha: yes, but then those handles at least need to contain, name, permissions and such
[10:36] Zha Ewry: And. if you have nested ones which point off to several servers
[10:37] Bartholomew Kleiber: IMHO the company has to approve all assets beforehand - I can't just show up there and have links to assets in my inventory that are copied to corp's asset server.
[10:37] Zha Ewry: and, if they are done right, they become a tree
[10:37] Tao Takashi: so on the protocol level I might say agentdomain.com/inventory/TaoTakashi/ and get back some list of metadata (handles) ?
[10:37] Zha Ewry: so, right now, the list is pretty much flat, all the leaves always point to a Linden hosted UUID
[10:38] Zha Ewry: but.. in the future there is no reason a folder couldn't be "asset list hosted in agent domain owned by pandacorp"
[10:38] Zha Ewry: Having the handles doesn't move the assets, mind you
[10:39] Saijanai Kuhn: or would each asset maintain the link?
[10:39] Zha Ewry: and I try to rez the object on my corporate server?
[10:39] Tao Takashi: so the only difference I see here is that in my case you ask the AD to give the actual object to you, in the other case you ask the other server directly
[10:39] Zha Ewry: it may say "No, I won't fetch objects from the stallman zone"
[10:39] Bartholomew Kleiber: big corp will not give a carte blanche to GNU assets.
[10:39] Tao Takashi: ok, so I copy this asset over to another asset server and can rez it ;-)
[10:39] Zha Ewry: One is where the list of handles comes from
[10:39] Zha Ewry: and the other, is where the assets are stored
[10:39] Saijanai Kuhn: I would think you would keep a local link to the asset server in the item, and the folder would resolve that link to update to the proper asset server.
[10:40] Lazarus Longstaff: Bart: "Big Corp" and "GNU" are variable from one installation to the next, depending on use case
[10:40] Saijanai Kuhn: though, folder hierarchies would need to be kept around in the Agent Domain if the same concepts are kept
[10:41] Latha Serevi: thinks this is all too complicated for us to "plan into existence". There must be some simple intermediate steps or we just lose.
[10:41] Zha Ewry: leaf inventory tree says "Hey, fetch this sub tree from AD X"
[10:41] Zha Ewry: Well, Latha, the protocol is really simple
[10:41] Tao Takashi: so while I get a list of handles from /inventory/tao/ I can then look inside a handle and find a URL where to actually retrieve that, might be /inventory/tao/8272872872 or some other server. Is that about right?
[10:41] Saijanai Kuhn: local link that refers to the hosting asset server. If you have multiple asset servers, you need some way to refer back to the asset server the UUID/inventory item is referring to
[10:41] Zha Ewry: just dediing handles, and how to fetch them
[10:41] Lazarus Longstaff: it's what goes into and comes out of the protocol that's complex
[10:43] Tao Takashi: well, it's clear that you don't give out complete objects when you request a list of your inventory for displaying it as a text list
[10:43] Zha Ewry: I assume that for 90% of the use cases you start with one AD which owns your Ave
[10:43] BlueWall Slade: so do the regions still hold the explicit object descriptions, or a handle pointing to the asset host?
[10:43] Saijanai Kuhn: OK, so it maintains a plain vanilla folder structure and the inventory items, which themselves contain the links back to the hosting asset server
[10:44] Zha Ewry: And some of those folders are indirection links
[10:51] Sheet Spotter: I believe you defined an inventory entry as: {UUID, AssetServerID, IsThisAFolder}
[10:51] Lazarus Longstaff: Rex: if it's no copy, the handle goes out of inv when you rez it
[10:51] Zha Ewry: When you get a new asset, where does it default get stored?
[10:51] Bartholomew Kleiber: still. companies usually have list of softwares that they approve, it is not only the license but also the certification of a distinct version.
[10:51] Tao Takashi: I would like to be stored on my agent domain
[10:51] Bartholomew Kleiber: my point is that it has to be checked beforehand
[10:51] Zha Ewry: In the default asset server for that domain
[10:52] Zha Ewry: Interesting question if it's in a folder hosted by another AD
[10:52] Zha Ewry: I'd argue then by default, it would go to that AD's default asset store, but I could be had on that
[10:52] Lillie Yifu: hmmm if there is one thing that should be addressed it is the no copy paradigm conflation of several different license concepts into one thing
[10:52] Lazarus Longstaff: Bart: that will depend on the policy of in question. And that policy will be expressed in terms of packets in the protocol we are presently hypothesizing
[10:53] Lillie Yifu: there is the question of transferring a license, the question of how many instances of a license, and the question of what rights are transferable with the license
[10:53] Lillie Yifu: and they are not the same thing.
[10:53] Latha Serevi: (1) how long are y'all staying today? (2) I'm a little distressed that we're trying to have this discussion without at least one document writing down some basic assumptions, or trying to. Does anyone else see a need for a bit less fuzziness w.r.t. the starting point of discussion?
[10:53] BlueWall Slade: if it is a copy enabled item, you should be able to decide where it resides
[10:53] Tao Takashi: one of the principles of dataportability is that the users control their data, not the services (as most social networks do today) and that means to me that I want to decide where objects are stored which I own
[10:53] Lazarus Longstaff: Lillie: again, that is a matter of encoding the local policy
[10:53] Zha Ewry: I think that as a matter of practice
[10:56] Zha Ewry: "I don't give out copies to objects because of my license"
[10:57] Tao Takashi: well, the question is who has control over an object if it's no-copy. If you move it around in trusted domains then this should IMHO be possible
[10:57] Zha Ewry: If two servers know how to transfer a no-copy object between them it will work, tao
[10:57] Lillie Yifu: it gets back to trust. Trust needs to be based on compliance with implementing some level of license enforcement.
[10:57] Zha Ewry: The server can say "I only copy this object using the trusted copy-protocol"
[10:58] Tao Takashi: well, at some point it might be rezzed, so two servers in any case need to know what to do with it