IETF Logo Mail Archive

Re: [mmox] OGP scalability concerns

Christian Scholz <cs@comlounge.net> Fri, 03 April 2009 09:10 UTC

Return-Path: <cs@comlounge.net>
X-Original-To: mmox@core3.amsl.com
Delivered-To: mmox@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8C60E3A68C7 for <mmox@core3.amsl.com>; Fri, 3 Apr 2009 02:10:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.149
X-Spam-Level:
X-Spam-Status: No, score=-2.149 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, J_CHICKENPOX_36=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HtKCv8qch6gj for <mmox@core3.amsl.com>; Fri, 3 Apr 2009 02:10:49 -0700 (PDT)
Received: from post.comlounge.net (post.comlounge.net [85.214.59.142]) by core3.amsl.com (Postfix) with ESMTP id BB76C3A69DB for <mmox@ietf.org>; Fri, 3 Apr 2009 02:10:48 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by post.comlounge.net (Postfix) with ESMTP id 7BC926F4012; Fri, 3 Apr 2009 11:11:50 +0200 (CEST)
Received: from post.comlounge.net ([127.0.0.1]) by localhost (h1346004.stratoserver.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sbq7x02Ei9J1; Fri, 3 Apr 2009 11:11:41 +0200 (CEST)
Received: from [192.168.2.101] (pC19EAD7C.dip.t-dialin.net [193.158.173.124]) by post.comlounge.net (Postfix) with ESMTP id C7B661CE0039; Fri, 3 Apr 2009 11:11:40 +0200 (CEST)
Message-ID: <49D5D2CC.6010105@comlounge.net>
Date: Fri, 03 Apr 2009 11:11:40 +0200
From: Christian Scholz <cs@comlounge.net>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: "Meadhbh Hamrick (Infinity)" <infinity@lindenlab.com>
References: <62BFE5680C037E4DA0B0A08946C0933D7B692E1B@rrsmsx506.amr.corp.intel.com> <CD02023C-3E7B-4E76-8429-11035C827E53@lindenlab.com> <f0b9e3410904011701i2ccb03d4r1b48d33cfe3988ea@mail.gmail.com> <49D40A06.7030708@gmail.com> <8D793BD8-6AA2-49C7-96EF-435A5B449AA6@lindenlab.com> <49D4295C.2020502@gmail.com> <52A129B8-3FC6-486A-99A5-C00BED8BDE08@lindenlab.com> <49D4E5AF.2030301@gmail.com><49D51A7D.8000104@comlounge.net><62BFE5680C037E4DA0B0A08946C0933D7B6934A3@rrsmsx506.amr.corp.intel .com><49D52DCD.2000806@comlounge.net> <49D531DA.4080006@gmail.com> <49D533EA.4010301@comlounge.net> <4DF1C9A3-6170-4448-95DD-A3C72901A53A@lindenlab.com>
In-Reply-To: <4DF1C9A3-6170-4448-95DD-A3C72901A53A@lindenlab.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: "mmox@ietf.org" <mmox@ietf.org>, Jon Watte <jwatte@gmail.com>
Subject: Re: [mmox] OGP scalability concerns
X-BeenThere: mmox@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Massively Multi-participant Online Games and Applications <mmox.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mmox>, <mailto:mmox-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mmox>
List-Post: <mailto:mmox@ietf.org>
List-Help: <mailto:mmox-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmox>, <mailto:mmox-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2009 09:10:50 -0000

Hi!

Meadhbh Hamrick (Infinity) schrieb:
> yup. for what it's worth, i had several good chats with mark atwood at 
> the ietf meeting. he's coming down to the bay area for the mysql 
> conference, i hope to buy him a beer some evening and run a few 
> proposals past him wrt OAuth and it's use in OGP.

I would actually like to learn more about those conversations you had at 
the meeting ;-)
And I am still looking forward to hear more about the ProtectServe stuff 
they are working on.

> and. ack. i should probably have mentioned this earlier. i got a lot of 
> good feedback about the drafts we published, and one of the things 
> that's going into the next rev of the auth draft is how to deal with 
> transport authentication ( like when your transport manages 
> authentication for you like client side certs and HTTP digest 
> (*shudder*) ). eventually OpenID should go into a similar section, but 
> we feel there are still a few open issues with it's use. declaring the 
> solution to being "we just use XRI" and declaring victory seems a little 
> hasty, but it seems like there's enough interest to warrant it's 
> inclusion in any future charter / IDs / etc.
> 
> i haven't heard anyone say they have serious problems with OpenID in 
> general. i mean... if someone was implying that OpenID kills puppies, i 
> missed it. that being said, XRI / XRDS and OpenID are not in universal 
> use, so it's unlikely a statement like "OGP will only ever use OpenID" 
> will ever pass the humm test. but the statement "OpenID and XRDS should 
> forever be banished from OGP" will also never pass the humm test.

I personally did not want to imply that OpenID should be the only thing 
to support. We always talked about some pluggable mechanism for 
authentication and I still think that's the way to go. As for a service 
catalogue it could simply list several authentication methods and the 
other side can select the best suited one.

> which is to say... if anyone's willing to do the work to figure out how 
> to wedge OpenID into OGP, i'm all for it. to be clear, in this context, 
> the word "work" means:
> 
> 1. you work with other list members requirements.
> 2. you produce a document describing how OpenID or XRDS can be used in 
> conjunction with the existing spec (though the existing specs are cast 
> in jello, not in stone, so there's some room to modify them if we 
> absolutely have to.)
> 3. producing code to demonstrate it's use.. *cough*PyOGP*cough*

I am certainly willing to work on use cases, requirements and discussing 
a solution but my personal priority would be on the general social 
networking case, not OGP (which might mean of course that this work 
might also be done outside this group if there is no interest in that). 
I am also not sure how to mix it with OGP. OAuth would be most likely a 
replacement for caps, wouldn't it? So maybe it would be then fitting 
into the spec.

I am with John here though and IMHO the Agent Domain really should be 
split into it's individual services which all are usable independantly 
of each other.

> so.. to recap.. we (LL) have made no statement about OpenID one way or 
> another. so... don't hold your breath waiting for us to deploy services 
> that consume OpenID id services. still, it's gaining in popularity, so 
> we're not going to ignore it, we want to make sure it's properly applied 
> to the problem at hand. ditto with OAuth. ditto with SAML 1.1 / Shib 1.3.

I think we all want to have it properly applied :-) I think on this list 
we are right now also more struggling at defining "the problem at hand" ;-)

-- Christian

> On Apr 2, 2009, at 2:53 PM, Christian Scholz wrote:
> 
>> Jon Watte schrieb:
>>> Christian Scholz wrote:
>>>> Another option would be to join forces with the OAuth group at IETF 
>>>> and check on how we could add identity to OAuth (there is discussion 
>>>> about that already). Eventually this might be an easier choice and 
>>>> you could do authorization in one step, at least for some 
>>>> centralized services.
>>> The first question is: does the OAuth "callback" URL work in a VW 
>>> sense? At a minimum, this means that a VW needs to have a publicly 
>>> available *incoming* URL for receiving authentication tokens. For a 
>>> VW behind a firewall, that's not necessarily true. (Then again, OAuth 
>>> doesn't work for an intranet web site behind a firewall, either)
>>
>> The redirect setup is only one example of obtaining the OAuth token. 
>> You can do it whatever way you want to (the new version of the spec 
>> also makes that clearer as it starts with just the way you actually do 
>> authorized requests and only explains in the second part the redirect 
>> mechanism).
>>
>> But if you look at e.g. iMovie and how it uploads movies to YouTube 
>> you have an example of how a desktop app can do it (although it's not 
>> using OAuth I think but probably Google AuthSub but it's basically the 
>> same).
>>
>> Basically instead of having a callback URL the client will simply wait 
>> until the user has finished authorization in the web browser. The 
>> server then might tell him to go back to the client and click 
>> "Continue". After that the client will contact the server again and 
>> will try to exchange the request token for an access token which only 
>> will work if the user authorized it.
>>
>> I am not sure though I understand the question. You might also be 
>> talking about the server being behind a firewall and not reachable by 
>> the client. But then I guess you need some ports open anyway for the 
>> client to be able to connect any way.
>>
>> -- Christian
>>
>>
>>
>> -- 
>> COM.lounge GmbH
>> http://comlounge.net
>> Hanbrucher Strasse 33, 52064 Aachen
>> Amtsgericht Aachen HRB 15170
>> Geschäftsführer: Dr. Ben Scheffler, Christian Scholz
>>
>> email: info@comlounge.net
>> fon: +49-241-4007300
>> fax: +49-241-97900850
>>
>> personal email: cs@comlounge.net
>> personal blog: http://mrtopf.de/blog
>> personal podcasts: http://openweb-podcast.de, 
>> http://datawithoutborders.net
>>
>> _______________________________________________
>> mmox mailing list
>> mmox@ietf.org
>> https://www.ietf.org/mailman/listinfo/mmox
> 


-- 
COM.lounge GmbH
http://comlounge.net
Hanbrucher Strasse 33, 52064 Aachen
Amtsgericht Aachen HRB 15170
Geschäftsführer: Dr. Ben Scheffler, Christian Scholz

email: info@comlounge.net
fon: +49-241-4007300
fax: +49-241-97900850

personal email: cs@comlounge.net
personal blog: http://mrtopf.de/blog
personal podcasts: http://openweb-podcast.de, http://datawithoutborders.net

v2.23.0 | Report a Bug | By Email