[9:41] Dale Innis: Anyone with the time can post their own summary attached to the transcripts
[9:41] Tao Takashi: I also would like something like "the user is in control of his data" in this list (and thus decides which data is passed to which entity)
[9:42] Goldie Katsu: Yeah post processing is always possible, just an at the time digest might be useful, but if it isn't possible oh well.
[9:42] Tao Takashi: I need to say that as part of the steering group of the DataPortability project ;-)
[9:44] Tao Takashi: Dale: well, of course it depends who plays well in this game
[9:44] Goldie Katsu: Yeah I think to some extent we need to define what markers we would want but realize that not all domains will implement them and the user will have to choose
[9:45] Tao Takashi: but we have the same problem on social networks.. and one can put some "good citizen" sign on those services who do follow such guidelines
[9:45] Tao Takashi: like right now either mostly everything is open or not (e.g. facebook)
[9:45] Tao Takashi: and you cannot really change it
[9:45] Dale Innis: There'll be lots of interesting issues; if I've said that Badguy Innis shouldn't be able to see my profile and I try to TP to a grid that doesn't support profile access control, does the TP fail, or what?
[9:45] Wolt Amat: I'm going to add something else in there from my work on User Profile Management.
[9:45] Tao Takashi: Dale: Maybe I can first get some information about the grid
[9:45] Tao Takashi: and maybe I wouldn't give this grid information in the first place
[9:46] Siddhartha Fonda: maybe prior to TP, the viewer presents an accept/deny prompt?
[9:46] Siddhartha Fonda: kinda like how unverified ssl certs work?
[9:46] Tao Takashi: maybe for region domains you haven't entered yet
[9:46] Dale Innis: And I could choose to not let that grid have my profile at all for anyone? Sounds potentially v complicated. :)
[9:46] Goldie Katsu: I do wonder how the user will be presented with all of the info - but I would expect an implementation to either have an accept/deny prompt or there could be preferences that define where a person will go based on preferences.
[9:46] Tao Takashi: that's all client work though.. I mainly want to have some awareness of this when thinking about the protocol
[9:47] Goldie Katsu: Like parental controls that might limit kid TPs
[9:47] Wolt Amat: Goldie, I just added a 5th element on responsibility.
[9:47] Dale Innis: Need a rather open-ended way for a grid to declare what it does and doesn't support.
[9:47] Tao Takashi: I think we don't need to worry about how to implement it at that point but maybe give the possibility for two domains to negotiate what sort of information can be given out
[9:48] Goldie Katsu: I think that is an important piece. That there needs to be a way for the information to be communicated and that it be extensible.
[9:48] Tao Takashi: and maybe the region domain you want to go to needs to pull that information from the AD
[9:48] Wolt Amat: I am going to throw some links in here that people might find interesting as background thinking on this that has occurred elsewhere.
[9:48] Tao Takashi: so with OAuth you might first need to say "yes that's ok" and the region domain gets a token with which it can access this information
[9:48] Goldie Katsu: And a recognition that the trust parameters may fall in a few places.
[9:49] Tao Takashi: so without the token it might only get basic information anyway
[9:49] Tao Takashi: compared to social networks it might be like joining a new social network which wants to read all your data from existing services. This will be solved with OAuth in the future, too.
[9:49] Dale Innis: Lots of questions about the granularity with which to protect my information.
[9:50] Tao Takashi: But as I haven't thought about this a bit more maybe this does not fit here
[9:50] Tao Takashi: so I will start with usecases someday :)
[9:50] Dale Innis: No, I think it's a great topic! We should be sure to write it down for thinking about.
[9:51] Tao Takashi: because compared to SNs you don't login to the region domain in this case.. in SNs you usually log in to the service which has the information, there you say "ok", this service sends a token to the consumer service
[9:51] Goldie Katsu: the data share style of social networks today (where you give everyone all of your logins and passwords) really is a problem. But that is a separate issue.
[9:51] Tao Takashi: and with that token (which can be revoked at any time) you can then access this information by signing messages with it
[9:51] Tao Takashi: Goldie: This is what OAuth tries to solve
[9:53] Tao Takashi: you might need to define this then for every AD you have an agent on
[9:53] Tao Takashi: or this information might be shared as well if you say so
[9:53] Dale Innis: As long as we have sensible defaults. Since 99% of ppl will use them. :)
[9:53] Goldie Katsu: Oh....that sounds like the re-entering data and settings on each social network.
[9:53] Tao Takashi: but then again maybe no OAuth is needed because the RD does not need to login to the AD anyway because it gets all information via push
[9:54] Tao Takashi: so you can directly define in the AD which information you push
[9:54] Tao Takashi: Goldie: My hope is that we can solve the reentering problem here as well
[9:54] Tao Takashi: how likely is it to use different agent domains?
[9:54] Goldie Katsu: yeah the question comes when you go to a RD that doesn't trust your AD
[9:54] Tao Takashi: except maybe when you really want to be somebody else?
[9:55] Tao Takashi: Goldie: I guess an example would be impersonating other people
[9:55] Dale Innis: Then log out and in again as somebody else. :)
[9:55] Goldie Katsu: people will always be able to create multiple unlinked online identities.
[9:55] Goldie Katsu: I think that that case we don't need to worry about.
[10:02] Saijanai Kuhn: well, no need for viruses. An agent from PiratesBayAD.com is really just a copybot funneling all assets straight to their asset server
[10:02] Dale Innis: Then those agents would have to be untrusted in some strong sense too.
[10:02] Tao Takashi: so the RD needs to know about the AD and needs to find out if it's a trusted one
[10:02] Tao Takashi: the question is, what does "trusted one" mean and how is trust defined? by some contract? TOS?
[10:02] Tao Takashi: by me saying "sure, trust it" ?
[10:02] Dale Innis: Trust should generally be tied to a contract.
[10:04] Dale Innis: Yeah, authentication is mostly a solved problem. Now we need to think about authorization. :)
[10:04] Wolt Amat: Guidelines for real-time person-to-person communication services; Future requirements - [7]
[10:05] Tao Takashi: let later generations worry about this ;-)
[10:05] Tao Takashi: social networks also did not worry about it ;-)
[10:05] Wolt Amat: Telecare services; Issues and recommendations for user aspects - [8]
[10:05] Dale Innis: So I dunno; are there really use-cases for an RD getting contacted by an AD that it doesn't trust, but the RD still (say) allows an agent to rezz in and do things?
[10:06] Wolt Amat: The negotiation will have to be tiered, and each provider will have his own set of checkboxes to determine trust from available data.
[10:07] Dale Innis: I dunno; I wouldn't be all that happy to have someone running around in SL who wasn't me, but still had "Dale Innis" over his head, even if it said "(maybe)" afterward...
[10:08] Wolt Amat: Universal Communications Identifier (UCI); Improving communications for disabled, young and elderly people - [9]
[10:08] Ehdward Spengler: you all need to realize that as opensim is open source, it will have a lot of eyes on it. security problems will be found and outed very quickly
[10:09] Tao Takashi: oh, and people might disable trust systems in open source sw anyway if they think it's better without for whatever reason
[10:09] Tao Takashi: so there definitely will be RDs which don't care
[10:09] Goldie Katsu: Yes, but even with open source security problems can lie undetected for a long time
[10:09] Ehdward Spengler: this worry about evil domains sucking up assets like a vacuum cleaner isn't going to be as big a problem as you might like to think
[10:09] Tao Takashi: maybe also because they think they can implement that later ;-)
[10:09] Tao Takashi: indeed, Ehdward and I also think it's easier to copy with a client anyway
[10:09] Dale Innis: The worry about evil domains stealing assets isn't about security bugs, it's about making sure we don't design the ability into the protocol!
[10:09] Goldie Katsu: The protocol just needs to provide a way to communicate - but "ILieRD" could say "I support these trust models" and really not do it
[10:11] Dale Innis: With good defaults in the as-shipped code. :)
[10:11] Ehdward Spengler: and yes, someone that knows just a wee bit of mono can use copybot to grab whatever they want
[10:11] Tao Takashi: so what is left then is that you need to be sure that the AD or RD is who it claims to be and the URL is not forged or something like that
[10:11] Saijanai Kuhn: so you have the "trust" for really getting the real identity of a domain, and the "trust" for really knowing what they say they'll do is what they will do barring accidents and crazy people running the domain
[10:11] Tao Takashi: but of course this does not solve things like "I allow my object only to go into trusted RDs"
[10:12] Tao Takashi: well, maybe it does if the RDs e.g. directly connected to LL are supposed to be trusted
[10:12] Goldie Katsu: yeah that is why there are multiple layers (which Infinity spells out, at least to some extent; we might review that at some point).
[10:12] Dale Innis: Maybe we should stop using the word. :)
[10:12] Saijanai Kuhn: well, it allows that to become a plausible thing to say in the first place
[10:12] Goldie Katsu: Trust layers is how we provide the different functions.
[10:13] Goldie Katsu: And I think the use cases will help us identify if we have more layers needed or not
[10:13] Tao Takashi: so what I wanted to do is basically think about how objects might travel from hand to hand and where control is needed
[10:13] Dale Innis: So you have to trust that you have the right public key for the other party, trust (or not) that the other party is correctly announcing their capabilities and policies...
[10:13] Tao Takashi: because I am very unclear on what is needed for objects moving around
[10:13] Dale Innis: Tao: do you want to think about that within a single sim, or only in interop cases?
[10:13] Tao Takashi: e.g. what happens if an object is rezzed on region X and then LL cancels the contract? (but that's not a technology question)
[10:17] Tao Takashi: or you don't accept it if offered
[10:17] Goldie Katsu: and then based on policy they determine if assets from users on AD can be rezzed in RD? Or sold on RD?
[10:17] Tammy Nowotny: unless they pop up like they do on the WWW sometimes
[10:17] Saijanai Kuhn: Ehdward, the Agent Domain is potentially the most powerful bit of malicious software in the entire system
[10:17] Ehdward Spengler: yeah, those mismatch certs are irritating
[10:17] Tao Takashi: Goldie: I think we need use cases to collect what can happen in the first place and see how it can be handled and what's needed in the protocol to handle it
[10:17] Dale Innis: I would hope that the domains wouldn't expose expired certificates etc like browsers do. :)
[10:18] Dale Innis: Let's try the "I TP to grid X and give a transferable object in my inventory to someone there" case. Are there hard questions?
[10:18] Goldie Katsu: I guess the question is - is trust for behavior something that the AD and RD just define internally once they verify the identity or do they exchange policy information?
[10:18] Tao Takashi: how cool would that be if I cannot access my inventory because my AD forgot to renew the cert ;-)
[10:18] Rex Cronon: u make 1000USD deposit to connect your grid to the main, if your grid is used for unlawful activities u lose the deposit, your grid is disconnected, and if u want connect again the deposit increases 10 times
[10:18] Tao Takashi: Goldie: that would mean to somehow formally define policy decisions
[10:18] Dale Innis: ( Like that time MS forgot to renew with NetSol, and all of Passport broke heehee )
[10:19] Goldie Katsu: oh no big provider ( like google) would forget to renew their cert
[10:20] Goldie Katsu: so I guess there is the AD/RD trust establishment process
[10:20] Saijanai Kuhn: you can easily run a Region domain without trust of any kind. However, running an Agent Domain without trust is a different color of seahorse...
[10:22] Tao Takashi: either SC or trying and getting a 403
[10:23] Dale Innis: Yeah, the way I see it, ADx says "Hi, I'm ADx", and RDy makes sure it really is, and then looks up in its policy book how much to trust ADx.
[10:23] Goldie Katsu: Ok, so AD and RD are talking, AD semi-trusts RD. What gets communicated to the Agent?
[10:23] Tao Takashi: it might also be that you get some data but not the complete set or so
[10:23] Dale Innis: "semi-trusts" isn't very specific. :)
[10:23] Saijanai Kuhn: a region domain need not be trusted to allow visitors from other places, but an agent domain HAS to be the most trusted thing in the system
[10:24] Goldie Katsu: That may become relevant to the agent level.
[10:24] Dale Innis: Hold on, Sai, couldn't an AD be trusted only to the extent that the RD believes it when it says "here's JoeJones@ADfoo rezzing in"?
[10:24] Dale Innis: What could a malicious AD do, exactly?
[10:25] Saijanai Kuhn: how would you trust them not to have a man-in-the-middle proxy of some kind?
[10:25] Tao Takashi: send a "broken" Dale Innis ;-)
[10:25] Dale Innis: As long as it's DaleInnix@ADfoo, that's okay with me. :)
[10:25] Wolt Amat: The user will have to be brought into the negotiation if the tiered authorization limits some functionality, and needs to be accepted.
[10:25] Tao Takashi: who in reality is Plasticduck
[10:28] Goldie Katsu: well if it is truly untrusted then the agents on that AD won't be able to access the RD
[10:28] Dale Innis: Sai, are you saying that the ability to have a copybot AD is somehow worse than the ability to have a copybot client? Why?
[10:28] Saijanai Kuhn: by default, an Agent Domain is to be considered a giant copybot scheme, IMHO
[10:28] Saijanai Kuhn: because you could take REAL people and turn them unknowingly into copybots as well
[10:28] Ehdward Spengler: content creators are hysterical from what I've seen. open source exposes security problems. if someone tried that, they'd be exposed very quickly
[10:28] Tao Takashi: I think clever people take an account on a trusted AD, send in their bots and copy stuff
[10:29] Tao Takashi: not setup an AD which then is blocked after a day
[10:29] Dale Innis: Exactly. Doesn't seem like a new threat.
[10:29] Tao Takashi: or maybe trying to get access in the first place
[10:29] Goldie Katsu: Open source can't fix a bad protocol.
[10:29] Tao Takashi: open source can't fix bad people ;-)
[10:29] Goldie Katsu: Open source is not a cure all for security, it addresses some things but not all things.
[10:29] Saijanai Kuhn: yes, but its still different than having an Agent Domain that automatically makes all avies logged in part of the copybot system
[10:29] Goldie Katsu: some of it is a social problem.
[10:29] Goldie Katsu: yes but if the AD did that it would become untrusted.
[10:29] Ehdward Spengler: true but it is a good mechanism for exposing problems
[10:29] Wolt Amat: Maybe agent log in will require a human only test.
[10:29] Tao Takashi: Sai: sure every AD owner might have access to the whole inventory of all their users
[10:30] Saijanai Kuhn: I thought we were assuming that this particular AD WAS untrusted but still had the right to rez_avatar
[10:30] Tao Takashi: that influences also where an object can go
[10:30] Goldie Katsu: agreed. Just pointing out that just because it is open source doesn't mean it addresses all concerns.
[10:30] Tao Takashi: and it depends whether an object is copied to a customer's agent domain or stays on the creator AD
[10:30] Dale Innis: Anyway, I think this is sort of drifting off of the protocol question, into the "how careful do you have to be what ADs you believe?" question, which is really for each RD to decide for itself.
[10:30] Saijanai Kuhn: Wolt a human controlling an avie logged in through PiratesBayAD might still be a copybot via man in the middle
[10:30] Ehdward Spengler: of course, im not suggesting oss is going to solve world hunger or something ;)
[10:30] Tao Takashi: while the latter would be more safe for the creator the first one would be more safe for the customer
[10:31] Wolt Amat: Yes, thx, I was addressing the "1000s of bots".
[10:31] Tao Takashi: so I at least would like to have the objects I bought to reside on my AD
[10:31] Goldie Katsu: does the trust defined in the AD/RD relationship (what they trust each other to do) have any implication in the trust further up in the nature of the decision the agent may make about going to a place or choosing to rez an object
[10:32] Saijanai Kuhn: if a client is logged in through an AD, anything the AD introduces the client to is potentially hacked
[10:32] Goldie Katsu: or are these only things that impact what the AD or RD does?
[10:32] Saijanai Kuhn: to whatever level the client can see/use assets on the region domain
[10:32] Wolt Amat: Sounds like a business opportunity for a third party UUID registrar.
[10:32] Tao Takashi: I need use cases for this I think ;-)
[10:32] Goldie Katsu: Ah that is a client->AD trust issue
[10:32] Tao Takashi: esp. because I am getting quite tired here..
[10:33] Dale Innis: Yeah, the user will have to trust the RD not to make stupid trust decisions... :)
[10:33] Tao Takashi: like only allowing the user in naked ;-)
[10:33] Saijanai Kuhn: Goldie, it is a trust issue with ADs, period. an AD that is accepted into a commercial region's whitelist has to be at the top tier of trust, period (IMHO)
[10:35] Dale Innis: So I can imagine very paranoid grids using Sai's "only talk to very very trusted ADs" policy, and very open ones using Ehd's "good until proven bad". We just need to support both in the protocol. :)
[10:35] Tao Takashi: actually they have smart people working on cool things.. I met one at the IdentityCamp. but somehow they always seem to screw it up in the end ;-)
[10:35] Goldie Katsu: Then the question is what happens when they go to a grid that requests a new AD - that can have the account created automagically but with a lower trust.
[10:36] Latha Serevi: (I do have the general idea that the viewer can represent the user's interests, and therefore the user needn't be assumed to be an idiot all the time, just sometimes)
[10:38] Dale Innis: If notLinden doesn't trust Linden, but someotherAD does trust Linden, I wouldn't think notLinden should trust someOther??
[10:38] Tao Takashi: it maybe can streamline it though
[10:39] Tao Takashi: the client actually could streamline it
[10:39] Tao Takashi: and then you have a linked agent
[10:39] Dale Innis: That usecase would have to be spelled out in more detail for me, I think. Seems weird. :)
[10:39] Latha Serevi: Goldie's story reminds us that we may need to support more models than "1 person has one AD always", even if it is the most common/important case. Perhaps "I" have different kinds of assets, or there's more than one interesting kind of AD. Can I "link" my identities between two ADs, and if so how, I wonder?
[10:39] Tao Takashi: well, it might be Facebook ;-)
[10:40] Wolt Amat: We will all have multiple identities on multiple sites with varied trust, and each time it needs to be negotiated, all available paths should be available for selection by the user.
[10:40] Tao Takashi: it might be a corporate AD and RD
[10:40] Saijanai Kuhn: There might be times when a walled garden grid (WoW) requires that only a copy of an avie be allowed in...
[10:40] Tao Takashi: but I'd rather think that you login to the new AD then.. I wonder how this could be made transparent
[10:40] Saijanai Kuhn: so a new AD takes over for that stay
[10:41] Latha Serevi: Wolt, I don't expect that most of us will have access to that full multiple-identity-ordering-capability most of the time, even if it's a nice idea in principle.
[10:41] Wolt Amat: We have that problem today in comms - user uses personal or company phone, on public, his company, or other company net, for personal or company session.
[10:41] Dale Innis: The viewer could show you your various identities and ask which one you want right now, and go to the appropriate AD.
[10:41] Saijanai Kuhn: but the state transfer is one way in that case. You can't log back into a trusted AD from a non-trusted AD
[10:41] Tao Takashi: well, changing AD also might mean different inventory, friends list etc.. leaving group IMs ...
[10:41] Dale Innis: ( When does this meeting actually end? :) )
[10:41] Tao Takashi: so you should be informed about that change esp. as the client needs to log you in to the new AD anyway
[10:42] Saijanai Kuhn: when people get tired or have another meeting or RL
[10:43] Goldie Katsu: where should they go on the wiki
[10:43] Latha Serevi: Wolt ... support for multiple options exist, but the super-smart-let-me-choose-automagically-client doesn't. Support first, do magic later.
[10:43] Dale Innis: On that same page from Infinity, or elsewhere?