Wednesday, October 3, 2007

Who do you trust when they try teleporting to you...

The way I wrote the code for my first attempt at the interdomain teleport inherently sucks big time. One sim tells the other one "hey, there's gonna be someone coming over". And then there's someone coming over.

Indeed, I took care (well, somewhat) of the denial of service against the destination sim by including the cookie. A cookie is a good thing: it gets others to remember things for you. It's like when people buy something from you but don't have a car to transport it - you give them a fancy piece of paper which only you could have made, which makes them eligible to get the stuff you sold them. When they come back and hand you the paper, which you recognize, you can just give them the things without much figuring out who they were and how they got there.

Indeed, they might have had their fancy paper stolen in transit...

So, here we come to a first little "problem".

The second little problem comes from the fact that we do not know who the incoming avatar is. It might be a 3v1l h4xx0r trying to have fun with some fancy griefing... I did write about a PGP-like web of trust for identity before, but the main problem with all this is that the client does not have any of the features needed to do all this fancy crypto stuff. Once you're logged in - you're logged in. So this is the second problem.

This brings us to the concept of a "home sim" - both the sim and its users having digital certificates. The users' digital certificates would be "trusted" by the home sim after the client authenticates - and it would store them locally. So for all of the client's operations it can present the client's certificate and its own. Which in short means: "It's me - and this is my client. If you trust me, you should trust who my client is that is about to teleport."

And all the communications can be protected using the sims' certificates with mutual authentication - so the receiving sim can implement whatever policies it wants about accepting incoming teleports - possibly even fully open.

So it looks like a nice fractal view - the trust between the users is roughly the same as the trust between the sims - except in the latter case there would be fewer of them.

Now, this is all great if we consider a teleport from the home sim... but if there are multiple teleports, the source sim would not be the home sim anymore. Which means that for each user we'd need to drag along the chain of "confirmations" - basically the whole path of teleports since the last login. Bad for privacy? Yes. However, the act of teleporting into a sim already implies a great degree of trust in it - since the receiving sim does have access to the whole inventory. And if one does not want the target sim to know the previous path, a teleport back to the home sim should "clear out" the stored path.
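An added sketch of the path-of-confirmations idea (example code, not the teleport code this post describes): the home sim issues the first entry after login, each sim a user teleports through appends an entry signed by it and bound to the previous hop, the receiving sim accepts the path only if it starts at a trusted home sim and every hop checks out, and teleporting home truncates the path. Sim names and keys are constructed; real sim certificates with public-key signatures are assumed, and HMAC over a shared key registry stands in for them so the example runs with the standard library only.

```python
import hashlib, hmac, json

# Constructed key registry standing in for sim certificates: a real receiver
# would verify each hop's signature against that sim's public key instead.
SIM_KEYS = {
    "home.example": b"home-secret",
    "beach.example": b"beach-secret",
    "city.example": b"city-secret",
}
TRUSTED_HOME_SIMS = {"home.example"}  # home sims whose clients we accept

def _digest(entry):
    """Canonical hash of a path entry, signature excluded."""
    body = {k: v for k, v in entry.items() if k != "sig"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def _sign(sim, entry):
    return hmac.new(SIM_KEYS[sim], _digest(entry).encode(), "sha256").hexdigest()

def confirm(sim, avatar, path):
    """This sim appends its signed confirmation, bound to the previous hop."""
    prev = _digest(path[-1]) if path else None
    entry = {"sim": sim, "avatar": avatar, "prev": prev}
    entry["sig"] = _sign(sim, entry)
    return path + [entry]

def login(home_sim, avatar):
    """Home sim authenticates the client and issues the first confirmation."""
    return confirm(home_sim, avatar, [])

def verify_path(path, avatar):
    """Receiving sim: the path must start at a trusted home sim, every hop must
    be signed by the sim it names, and each hop must reference the previous one."""
    if not path or path[0]["sim"] not in TRUSTED_HOME_SIMS:
        return False
    prev = None
    for entry in path:
        if entry["avatar"] != avatar or entry["prev"] != prev:
            return False
        if entry["sim"] not in SIM_KEYS:
            return False
        if not hmac.compare_digest(entry["sig"], _sign(entry["sim"], entry)):
            return False
        prev = _digest(entry)
    return True

def return_home(path):
    """Teleporting back to the home sim clears the stored path."""
    return path[:1]
```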

So basically the whole thing boils down to the abstraction of a "network of trust" and managing it - both for avatars and for the sims.

But this is a big topic which will need to be covered after the basic functionality is working. The bottom line is that I will need to add another piece of info - a "blob" with all the certificates - to the teleport infrastructure, which for now will be unused.

So this is partly a note to myself, partly a request for comments from those who care and who understood the technobabble that I wrote :)
