[2008/07/15 9:33] Zha Ewry: So.. we're going to hopefully chew on the stuff needed to do trust in the large
[2008/07/15 9:33] Goldie Katsu: I trust that will work :)
[2008/07/15 9:33] Zha Ewry: And.. fair warning... if you talk about this stuff, you will probably find loud noisy comments posted on your blogs, and your name in other people's blogs
[2008/07/15 9:34] Zha Ewry: I tossed some roadmap thoughts for this space out on my blog.. and it got, ahm.. noisy
[2008/07/15 9:35] Tao Takashi: sorry, need to head over to the pyogp meeting again
[2008/07/15 9:48] Goldie Katsu: Does this mean that there could be a region domain that has no associated agent domain, and it just has a trust relationship with other agent domains to provide assets?
[2008/07/15 9:48] Zha Ewry: In fact.. I think, long term..
[2008/07/15 9:49] Zha Ewry: it breaks up even more totally
[2008/07/15 9:49] Zha Ewry: No reason we can't have asset servers which serve up to lots of grids
[2008/07/15 9:49] Zha Ewry: All in trust relationships
[2008/07/15 9:49] Zha Ewry: I'm far from convinced that the current utility services need to live inside an agent or region domain, tho.. i can be had on it
[2008/07/15 9:50] Goldie Katsu: So it isn't just a "sim is who they say they are" but a region is who it says it is, and an agent domain is who it says it is.
[2008/07/15 10:00] Shamir Katsu: TLS is just the more generic name as it can be used with other protocols, e.g., SIP
[2008/07/15 10:00] Goldie Katsu: (PKI exchange occurs that sets up symmetric key for communications before passing HTTP messages.)
[2008/07/15 10:01] Goldie Katsu: I can translate what I said into more englishy if anyone needs.
[2008/07/15 10:01] Zha Ewry: So, with TLS, and caps and certs, I think we have a pretty nice set of building blocks
[2008/07/15 10:01] Zha Ewry: I don't think we have a complete story tho
[2008/07/15 10:02] Latha Serevi: (I'm behind today) it's hopeless to seek a "verified client" isn't it? don't we have to expect that the (authenticated, un-spoofed) user will run whatever code they want?
[2008/07/15 10:02] Goldie Katsu: No, because the TLS lets me know it's Joe's Diner but it doesn't tell me what I can do with Joe's Diner or trust Joe's diner to do.
[2008/07/15 10:02] Zha Ewry: We have to assume the client is totally malicious
[2008/07/15 10:02] Zha Ewry: Always the case on the web, really
[2008/07/15 10:02] Dahlia Trimble: or some portion of clients are malicious
[2008/07/15 10:02] Goldie Katsu: If the user has it on their machine we can't trust its veracity
[2008/07/15 10:03] Goldie Katsu: or trustworthiness
[2008/07/15 10:03] Shamir Katsu: well from the perspective of the Agent Domain you assume that it is untrusted until proven otherwise, no?
[2008/07/15 10:03] Goldie Katsu: You can't prove something outside of controlled domain is trustable, you can only limit what you trust it to do.
[2008/07/15 10:04] Rex Cronon: with the code for the viewer being opensource, i don't think u can ever assume that the viewer can be trusted
[2008/07/15 10:04] Saijanai Kuhn: given the existence of several viewers anyway...
[2008/07/15 10:04] Zha Ewry: You can't anyway, Rex, since. someone can just write C++ to the pipe and be untrusted
[2008/07/15 10:05] Zha Ewry: when you think of the client, as just a set of service/caps which happen to result in rendering of the world
[2008/07/15 10:05] Saijanai Kuhn: Maya-OpenSim plugin for builders
[2008/07/15 10:06] Zha Ewry: then.. we have to assume, it might, for example, be a video stream generating client. No user at all, just a view bot, and a quicktime stream out the backend
[2008/07/15 10:06] Latha Serevi: The client is maybe a "set of interests" having to do with gathering the relevant info to a particular avatar in the world.
[2008/07/15 10:07] Zha Ewry: I think, that, at the moment, it's about that, you could imagine re-factoring even further
[2008/07/15 10:07] Goldie Katsu: Actually it breaks down even further
[2008/07/15 10:07] Zha Ewry: just for fun.. contemplate.. a client whose only purpose is to grab the chat here, for a web page view of it, and an archive
[2008/07/15 10:08] Saijanai Kuhn: camera bots already exist and there's that nice meta-microphone thing that metanomics uses
[2008/07/15 10:08] Latha Serevi: I was describing the common case of "avatar-representing client" I guess.
[2008/07/15 10:08] Zha Ewry: So... imagine those as first class clients (or more specifically)
[2008/07/15 10:09] Saijanai Kuhn: I think he showed up a few minutes after everyone else left
[2008/07/15 10:09] Goldie Katsu: However, I think in the current model the client authenticates to the agent domain to a particular agent which maps to one or more avatars (is that right) and then a particular avatar identity would be connected to a region (whether it would rez or just grab a stream is an implementation detail.)
[2008/07/15 10:09] Zha Ewry: I agree Latha, that's the most common use case
[2008/07/15 10:10] Zha Ewry: just. .as we peel the onion here, a bit, we want to cover the full range
[2008/07/15 10:11] Goldie Katsu: Oops, correction: I think in the current model the client authenticates to the agent domain to a particular account which maps to one or more agents (is that right) and then a particular agent identity would be connected to a region (whether it would rez or just grab a stream is an implementation detail.)
[2008/07/15 10:12] Goldie Katsu: so the agent would connect to a region in any case, whether it just gathers text, video or sends data.
[2008/07/15 10:13] Zha Ewry: I am increasingly, seeing this as a set of services, which factor into the domains
[2008/07/15 10:13] Zha Ewry: and. that we build trust around those domains, so we don't end up with soup
[2008/07/15 10:14] Goldie Katsu: So there is identity trust and there is some other kind of trust involved.
[2008/07/15 10:14] Saijanai Kuhn: one thing to point out is that connecting to a domain would be a multi-part process. You might have domain-specific inventory and groups for example
[2008/07/15 10:15] Saijanai Kuhn: which could apply before rez_avatar
[2008/07/15 10:15] Latha Serevi: Identity trust at the base, and then each separate unit can associate capabilities with that identity. That's enough to bootstrap. But, a layer above that seems important for practical interoperability.
[2008/07/15 10:16] Latha Serevi: By the way, regarding un-spoofable communications, it's straightforward for you and me to set up a secure communication channel over insecure links, if we know we have each other's public keys. We're clear on that, right?
[2008/07/15 10:16] Zha Ewry: yes, if we have keys in place
[2008/07/15 10:16] Zha Ewry: Unspoofable, but not trustable, that the endpoint is well behaved
[2008/07/15 10:17] Goldie Katsu: The problem with VPNs is their endpoints :)
[2008/07/15 10:17] Zha Ewry: ie, once I send you the key, you can use it in a malicious bit of software
[2008/07/15 10:21] Zha Ewry: And.. utilities regions use (Lindex, Search, etc)
[2008/07/15 10:21] Whump Linden: Zha, could you elaborate why asset servers might not be part of the Agent Domain?
[2008/07/15 10:22] Zha Ewry: I am reluctant to have the third be just a random blob yet
[2008/07/15 10:22] Zha Ewry: Because, I think there are lots of assets which aren't owned by users
[2008/07/15 10:22] Zha Ewry: Things like libraries of content
[2008/07/15 10:22] Zha Ewry: And.. it is also really, nice to break the tie between
[2008/07/15 10:22] Zha Ewry: "This domain hosts my account"
[2008/07/15 10:23] Zha Ewry: and "this domain holds *all* my stuff"
[2008/07/15 10:23] Goldie Katsu: And...where do groups fit? Or should current uses of groups be split into two (or more) other things. IM and notices are quite different from land perms and it is a complex mixture to combine them.
[2008/07/15 10:25] Zha Ewry: As we scale out, things like that feel really important too
[2008/07/15 10:25] Latha Serevi: The basic build of a region seems to belong to the region. Sure, it can be forced to have an owner, but it's an uneasy fit. So, what kind of entity can own an object?
[2008/07/15 10:28] Latha Serevi: Some one (or small number) of entities will have the keys; but they'll also have a map of who they'll allow to twiddle the object by proxy. That map interests me too.
[2008/07/15 10:29] Zha Ewry: That's really odd in many ways
[2008/07/15 10:30] Latha Serevi: Regions holding stuff in odd ways - my instinct is that the LL model will have to be modified quite a bit in order to fit an open-sim model at all. Compatible, maybe, but very different underlying set of assumptions. Like zha said.
[2008/07/15 10:30] Zha Ewry: You can only find it, and manipulate it, if you come here in person
[2008/07/15 10:30] Zha Ewry: well, 90% of the OpenSim code follows Linden's lead
[2008/07/15 10:31] Latha Serevi: "Where objects exist" is in the 10% though!
[2008/07/15 10:31] Zha Ewry: Less than you might expect
[2008/07/15 10:31] Zha Ewry: You can lose prims on OpenSim in disturbingly similar ways
[2008/07/15 10:33] Goldie Katsu: I like separating out the asset, but it does pose an interesting point on trust.
[2008/07/15 10:34] Latha Serevi: For the basic case of a no-copy object rezzed in a region ... the LL assumption is that it has been erased from the agent domain. And presumably you'll want to support that policy approach. But don't we also need a set of permission bits to pass around to allow implementing the "AD keeps a copy of course, even for no-copy objects rezzed somewhere, with permission bits set appropriately"
[2008/07/15 10:38] Latha Serevi: In my mind, we have a large number of identities with different capabilities granted to them. A common case is, 3 domains (agent, region, utility) plus a client. (maybe 4, adding L$ ?) . Correct me if this sounds broken.
[2008/07/15 10:39] Goldie Katsu: I would think separating the L$ makes sense.
[2008/07/15 10:39] Zha Ewry: I think the nice thing, is when it's a set?
[2008/07/15 10:39] Zha Ewry: Once it's more than 2+ client
[2008/07/15 10:39] Zha Ewry: you're in the general case
[2008/07/15 10:39] Goldie Katsu: I have a bank that is separate from my utilities
[2008/07/15 10:39] Zha Ewry: If we decide to add domains beyond 2.. you're pretty much in the general case for problem solving
[2008/07/15 10:39] Goldie Katsu: I may trust Xcel for my power and gas, but I wouldn't trust them with my paycheck.
[2008/07/15 10:42] Goldie Katsu: Which means in the asset service there needs to be a way to have untrusted assets and assets that cannot be rezzed in untrusted regions. trust here being "I trust this region to handle assets correctly"
[2008/07/15 10:42] Goldie Katsu: or something like that.
[2008/07/15 10:44] Latha Serevi: "trusted region", bad term. All regions should have an identity, or we won't even talk to them. (Identities had better be available to anybody easily). "untrusted" is more like "doesn't promise to my satisfaction to preserve my permissions"
[2008/07/15 10:44] Shamir Katsu: There just needs to be a way to encapsulate and share that notion of trust and it has to be granular enough to support those assertions on individual objects for each context
[2008/07/15 10:45] Goldie Katsu: So identity trust is pretty simple I trust you are Zha true/false. (which implies a transitive trust that I trust the region to show me the right agent name, and the region trusted that the agent domain passed the right agent information and the agent domain trusted that the client to authenticate.)
[2008/07/15 10:45] Zha Ewry: Well, if we do this at all right, we're building a bunch of stuff which scales out and grows into something very much like the web
[2008/07/15 10:45] Zha Ewry: Trusted region is a very bad term
[2008/07/15 10:45] Zha Ewry: "Compatible with doing X"
[2008/07/15 10:46] Latha Serevi: goldie, no on the transitive trust I think. Go check the public key index and handshake with the identity you want to communicate with.
[2008/07/15 10:46] Zha Ewry: As little chained trust as possible feels right to me
[2008/07/15 10:47] Latha Serevi: denial of service possible, but not spoofing, if the link is malicious
[2008/07/15 10:47] Goldie Katsu: Ok, let me reframe what I meant (without me getting lost in details that fit further down)
[2008/07/15 10:47] Goldie Katsu: Identity trust is easy A is or is not believed to be A
[2008/07/15 10:47] Shamir Katsu: The reason you need trust to be sharable is otherwise everyone ends up having to do their own authentication
[2008/07/15 10:48] Goldie Katsu: the hard part comes in defining what capabilities we trust A to do on your behalf.
[2008/07/15 10:48] Zha Ewry: Right, Shamir.. if we don't do it pretty broadly.. we don't get it in a useful way
[2008/07/15 10:48] Latha Serevi: shamir, I think they should do their own. OK, you can have a proxy for that if you must, but in our minds everybody can take the time to authenticate everybody else.
[2008/07/15 10:48] Goldie Katsu: (And there has to be transitive trust/chained trust of some sort because I can only see that the region shows my client that the agent Zha is in this sim.)
[2008/07/15 10:49] Zha Ewry: Sure, but as little as possible
[2008/07/15 10:49] Goldie Katsu: and the region only knows Zha is here because the agent Domain said it was the agent Zha
[2008/07/15 10:49] Latha Serevi: goldie, agree on binary identity trust. disagree on the rest; if it's important, go check.
[2008/07/15 10:50] Latha Serevi: (so maybe there are multiple states - "unverified agent Zha seems to be here"
[2008/07/15 10:50] Zha Ewry: Yeah, that last is nasty, Latha
[2008/07/15 10:50] Goldie Katsu: Yes that fits in the next level.
[2008/07/15 10:50] Goldie Katsu: Region domains can't verify an agent identity except through the agent domain.
[2008/07/15 10:51] Latha Serevi: Why nasty? Avatar abcd just hasn't been verifiably linked to identity Zha by me yet.
[2008/07/15 10:51] Goldie Katsu: But the region domain agent domain trust can define "Identities are verified" "Identities are questionable" "identities are unverified"
[2008/07/15 10:52] Latha Serevi: Hmm, I wonder if we're talking two different situations here. In principle, there's no need to delegate to AD and RD except to establish comms. But, in a common case....
[2008/07/15 10:53] Latha Serevi: ...common case, agents in AD have delegated AD as trusted to authenticate them?
[2008/07/15 10:53] Zha Ewry: You'd rather never have me here, unverified, at some level
[2008/07/15 10:54] Goldie Katsu: Here, but perhaps in wild west?
[2008/07/15 10:54] Goldie Katsu: Like the black and whites in Snow Crash?
[2008/07/15 11:01] Zha Ewry: If it's mostly internal, we can keep it contained
[2008/07/15 11:02] Saijanai Kuhn: this starts to feel like something that requires a very sophisticated mathematical analysis to make sure you've covered properly all the cases you've exposed
[2008/07/15 11:02] Latha Serevi: What's a domain? I think of them as just meta-identities, so my base would be the domain of size 1.
[2008/07/15 11:02] Goldie Katsu: Domain would be an Agent Domain or a region domain (or utilities domain?) as defined in OGP?
[2008/07/15 11:03] Zha Ewry: I think of a domain as a collection of services with common properties and a way of proving membership
[2008/07/15 11:03] Goldie Katsu: Much better definition.
[2008/07/15 11:03] Goldie Katsu: Just looking at an agent domain - 2 users may be trusted with different capabilities.
[2008/07/15 11:03] Zha Ewry: has been trying really hard to get that one right
[2008/07/15 11:04] Latha Serevi: So far, we can only prove individual identity. maybe (next meeting?) talk about how to prove membership in a group?
[2008/07/15 11:04] Rex Cronon: i have to go, bye everybody