[9:42] Tess Linden: the Beta folks have been working on figuring out next steps for making teleports work, but aside from that, there's been lots of discussion at Zero's office hours with regards to trust related to off-grid permissions
[9:43] Teravus Ousley: Yes, I'm interested in the revision 3 draft.
[9:43] Tess Linden: ah, I just spoke with Zero this morning about the status of draft 3
[9:43] Tess Linden: we have a meeting this afternoon to walk through more of what we've changed, but we don't want to publish anything that hasn't been vetted
[9:44] Tess Linden: the timeline is approx 1-2 weeks before draft 3 is published
[9:44] Bartholomew Kleiber: on aside note: Tao released a beta of syntronik.de btw which is a proof of concept agent domain.
[9:44] Teravus Ousley: ok, cool. Gives me time to get OGP into modules so it it's a configuration option instead of a patch..
[9:44] Multi Gadget: v2.0.3b by Timeless Prototype, '/44 info'
[9:45] Saijanai Kuhn: though really, given how the AD works, its not so much a a proof of concept as a prototype. The AD registers and performs introductions and the like. It doesn't need to be a huge serer form all by itself
[9:45] Tess Linden: that would be awesome Teravus. Have you been going to Whump's office hours or the Beta huddles?
[9:46] Tess Linden: I think I saw you there -- just wanna make sure people are talkign ot each other
[9:46] Tao Takashi: is very much in favor of the AD not being a huge thing, mostly a service directory
[9:47] Teravus Ousley: started going yesterday.. did the OGP test.. updated the OGP patch to the latest svn revision at the time.. (published on forge.opensimulator.org)
[9:47] Tess Linden: has there been any docs written up on the current status of the trust discussion?
[9:47] Teravus Ousley: .. getting people talking about a few differences that need to be resolved...
[9:54] Tao Takashi: and we need to see how far we get with what we discussed which basically came down to using SSL to make sure the one you talk to is the component it claims to be
[9:54] Saijanai Kuhn: well its easy to define the extremes for trust. Its the middle ground that is hard to describe
[9:54] Tao Takashi: and let policy be implemented as domains like to
[9:54] Tess Linden: Latha: which section needs more clarification? I can take some notes to ask Infinity later
[9:55] Latha Serevi: Tess, it isn't that Infty's stuff is unclear; it's that we as a community haven't really written down the Three Laws of Trust. Defining different layers, etc.
[9:55] Tao Takashi: but that will make it harder to control things
[9:55] Saijanai Kuhn: ah, and someone mentioned this to me yesterday and it seems to be relevant: [2]
[9:56] Saijanai Kuhn: guy developed a computer language specifically to address distributed trust issues
[9:56] Saijanai Kuhn: lots of background links referenced on that website
[9:56] Latha Serevi: My approach might be, start with a few basic use cases, and assume that each participant has a locally (magically maintained) trust map; try to figure out what kind of loookups into that map would need to happen. Okay, I'm about to rezz an object. I need to look up whether the region I'm in can be trusted with teh bits of the object according to me (object owner) and it (object creator) ...
[9:56] Tao Takashi: I think what it mainly needed is to think through some scenarios and see what is needed or if the things discussed will work
[9:58] Latha Serevi: ...;the region needs to look up whether I (or my AD) may rezz objects in this sim; and (if there are permissions on this region) whether I have the needed group memberships; ...
[9:59] Latha Serevi: After we get a few of these use cases down and try to enumerate the trust checks that might happen for each participant, then we can try to work out a preliminary model for how to implement all those that might conceivably satisfy the needs. Nobody has done that yet as far as I can tell.
[10:02] Tess Linden: I'm not sure what the "three layers of trust" is
[10:02] Latha Serevi: Yes on the matrix, but I don't think any of us can confidently write it down. I just made up the "three layers of trust" just now, it doesn't exist.
[10:03] Tess Linden: Latha: were you refrring to Infinity's Trust "Layers" section 6?
[10:03] Bartholomew Kleiber: but a matrix makes sense right? (even without red or blue pill)
[10:04] Bartholomew Kleiber: because the possible use cases might be quite complex
[10:04] Tess Linden: so I heard one variable is "who does the object currently belong to? what are the object's current permissions?"
[10:05] Tess Linden: another variable is "who is the object being transfered or copied to? and/or which region is the object going ot be rezzed?"
[10:05] Latha Serevi: I don't think the "matrix" makes sense to me yet, except vaguely.
[10:05] Tess Linden: there are 2 operations for transfers between "domains"
[10:06] Latha Serevi: My own model is, each participant with a bitmap. But I don't know what goes in the bitmap.
[10:06] Tess Linden: you can either give an object to someone else (agent -> agent) transfer
[10:06] Tess Linden: or you can rez the object (agent -> region) transfer or derez (region -> agent)
[10:07] Tess Linden: That's a simpler way to look at it right?
[10:08] Latha Serevi: Sounds OK, Tess, although we might need to support more than one protocol for rezzing an object into a region -- the notion of a no-copy object being transferred-then-deleted , for instance, isn't something I would want to implement in an OGP server if I had an alternative.
[10:08] Tess Linden: if you are actually changing owners, then the owner's agent domain has to trust the receiving person's agent domain to not copy stuff
[10:09] Tess Linden: but you trusted the region domain you teleported to to keep your no copy object
[10:10] Tao Takashi: that's why I don't trust SL ;_)
[10:10] Tao Takashi: but without an alternative... ;-)
[10:11] Teravus Ousley: .. a while back Which was talking about keeping the object in escrow.. and the region would have to invoke a cap, which would do the change.
[10:11] Tess Linden: We do everything we can to fail safe, but sometimes its unrecoverable
[10:11] Tao Takashi: so if AD 1 gives it to AD 2 (or maybe rather inventory service 1 to 2) then you also need to trust that 2 is not giving it out to some non-trustworthy other service
[10:11] Tess Linden: but we're not talking about bugs here, we're talking about trust
[10:11] Tess Linden: the intent is still good -- the region you rezzed on doesn't purposely want to lose your no copy object
[10:12] Latha Serevi: I may be adding unnecessary confusion here, but I personally don't think the transfer of a no-copy object should involve movement-of-bits-then-destruction-of-original, but rather a transfer of flags. This seems more important as grids get more open/distributed. I'm suggesting that there might be more than one way to impl;ement "only one copy used at once" -- 1 coyp of bits versus one "active" bit at once.
[10:12] Tess Linden: and if it does lose it, you should know what you can do -- who you can call for support etc
[10:13] Tao Takashi: so the protocol maybe shouldn't say how to deactivate the object
[10:14] Tao Takashi: as long as it's not usable to the user anymore
[10:14] Tao Takashi: so as for the earthquake question I as a user want to decide where my stuff is stored
[10:14] Tao Takashi: but "my stuff" is relative depending on whom you ask. content creators might also see stuff they sold as "their stuff"
[10:15] Latha Serevi: Maybe we have a couple of issues we're mixing here -- how to test whether a participant is satisfied w.r.t. trust component X, and different possible agreements between partipants for how to acceptably implement certain content protections.
[10:15] Tao Takashi: but in RL you usually don't have that level of control.. although e.g. the music industry is trying hard
[10:16] Tao Takashi: yes, we are mixing things up. I guess we can handle the no-copy issue separately from the "where are objects allowed to go" issue
[10:16] Tess Linden: are people ok with a disclaimer when you buy something that bastically means "this object will only be stored in my agent domain so that my agent domain can maintain permissions" ?
[10:16] Tao Takashi: that's what I wanted to propose, that you at least should be able to know the limits
[10:17] Tao Takashi: but of course you need to trust the seller
[10:17] Latha Serevi: The no-copy thing was my fault bringing it up; but I wanted to point out that there may be multiple quite different implementations of content transfer and restrictions. Tess, that sounds OK as one of the options available to users/implementors.
[10:17] Latha Serevi: In the spirit of Zha, we shouldn't tell people what to want.
[10:17] Tao Takashi: because if it's e.g. in a vendor and you cannot directly examine the object you don't know before you buy
[10:18] Tao Takashi: but in general I as a user would like to know if I can move it to my own server, on which grids I can take it with me and so on
[10:18] Tao Takashi: so the market can decide what the best strategy is
[10:18] Tao Takashi: but with permissions we already need to trust the seller actually
[10:19] Tess Linden: for objects that only live on one agent domain, they can live in multiple region domains too
[10:19] Tao Takashi: and I think there is also no other way than trusting the seller
[10:19] Tess Linden: yeah, when you buy something from someone, u have to trust the seller
[10:19] Tess Linden: just like you trust the region you bought it in
[10:19] Tao Takashi: yes, there needs to be some description of the level of portability in both domains: inventory server and region domain
[10:20] Latha Serevi: "have to trust" for what, though?
[10:20] Tao Takashi: that the seller does not advertise copy but the obect in fact is not
[10:20] Tess Linden: trust that after the transaction, you will be able to use the object with the terms you agreed to
[10:20] Tao Takashi: or in our case that it says "work everywhere" but in reality it only works on grid A
[10:20] Latha Serevi: Thanks for clarifying, Tess. I think the phrase "you have to trust entity X" is too vague and should ring alarm bells.
[10:21] Tao Takashi: started with examples in order to not be too vague ;-)
[10:21] Tao Takashi: so the question is what the description for the portability of an object can look like
[10:21] Tao Takashi: simple would be "only this AD" and "everywhere" for the AD case
[10:22] Tao Takashi: but it might also be "can be copied to any server on this AD and the ADs it trusts"
[10:22] Latha Serevi: We need to invent some language that we can start using, that we can gradually percolate out to the rest of the community, that helps people get un-confused about the concept that "I interact with you" is not the same as "I trust you with my crown jewels".
[10:22] Tao Takashi: yes, it will be mostly a usability question
[10:25] Tao Takashi: so I don't want to give the person who then "owns" it all the rights
[10:26] Tao Takashi: that's why owning is problematic.. I think we should think of "owning" just as a term to describe that it's in some users inventory
[10:26] Teravus Ousley: still suggests tagging a notecard with a license on to an object.. but hasn't really paid attention in the last month and a half on the trust conversations.. stuck in 1st life work.
[10:26] Tao Takashi: and I would propose to add some license text field to objects
[10:27] Tao Takashi: so it always also depends on trust
[10:27] Tao Takashi: trust between the seller and the buyer that they both don't do things they are not intended to do
[10:28] Tao Takashi: we can help with permissions but this usually won't cover everything
[10:28] Latha Serevi: We won't get to control how people use the word "owns" or "trusts", so I'm just going to use different words and expect those words to stay imprecise. I also think we're getting a bit ahead of our ability to be precise about these things; we haven't written out even the simplest cases yet.
[10:28] Tao Takashi: and we can work with contracts between ADs and RDs that they agree to use these permissions and not just copy everything
[10:29] Tess Linden: but the license has to be broken up so that it can be enforceable
[10:29] Tao Takashi: but some aspects might be unenforceable.
[10:29] Tao Takashi: "only for non-commercial use"
[10:29] Teravus Ousley: right, there are certain aspects that we're expected to maintain.
[10:29] Tao Takashi: at least not technically enforcable
[10:29] Tao Takashi: but we of course want to keep permission as some sort of enforcement
[10:30] Teravus Ousley: .. beyond that though, the license could be an extra legal statement.. for things that we can't possibly enforce technically.
[10:30] Tao Takashi: yes, it can be some CC license
[10:30] Tao Takashi: and it would be great if you can attach this additionally
[10:30] Tao Takashi: so you at least can go to court if you really want to
[10:31] Tao Takashi: Barth: maybe we should discuss some use cases on friday :)
[10:31] Latha Serevi: I'm pretty sure we have all confused each other by now. This confirms my notion that we need to get a few of us together for a day, and try to pound out some kind of taxonomy or at least big-space-of-issues-with-names.
[10:31] Latha Serevi: Here's one possible recipe: (1) write down a fairly exhaustive list of "trust interests of the various participants" and give them short mnemonic codes. (2) write down a couple of simple use cases. (3) write down some candidate steps in the protocol to achieve the desired action. (4) for each step, try to write down the "trust codes" that would need to be satisfied.