IETF Logo Mail Archive

Re: [ogpx] Seed capability behavior

Arrogant Cyberstar <arrogant.cyberstar@gmail.com> Thu, 21 January 2010 00:57 UTC

Return-Path: <arrogant.cyberstar@gmail.com>
X-Original-To: ogpx@core3.amsl.com
Delivered-To: ogpx@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9408328C11E; Wed, 20 Jan 2010 16:57:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QzmDqrG-x263; Wed, 20 Jan 2010 16:57:24 -0800 (PST)
Received: from mail-pw0-f50.google.com (mail-pw0-f50.google.com [209.85.160.50]) by core3.amsl.com (Postfix) with ESMTP id B15163A6859; Wed, 20 Jan 2010 16:57:24 -0800 (PST)
Received: by pwi20 with SMTP id 20so3839517pwi.29 for <multiple recipients>; Wed, 20 Jan 2010 16:57:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=ptGbnYHkUcZIIgGYKiUzXgN7MrZQRaX5Fd60vILdNg8=; b=mxWAd+l463MlN7BxUuLha1mjLFbNi2MnSHpeNGS7WYhxcIQBS5ZtMtc3O/dD+Y9d5b GbD+qIJuU+cb4MitfbHwr1R9JBH0Q+40iGnMSA4cyKIt7Zp4V7S1IdAli9J+TB26yzRV eUzMSWfkDHcptB2hMyUa3z+jUuxDB9oMZqGE0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=dnj+9gCYGlTvVAWyL+VS4JbL8BF7Q5lcIDP6uFooYzHr8iUidmsXT/GzsDLb7sERjU mu1BPtWBB65W3Iv9Ze662mdpC3IykTRhqifo4R4Vz2Fktee9yZzgZYT5pyStdTR0zbsO lv7UpjC7iiMogu4UFNTNsyJYo4g7LIeuFg+YU=
MIME-Version: 1.0
Received: by 10.114.7.18 with SMTP id 18mr523047wag.0.1264035435522; Wed, 20 Jan 2010 16:57:15 -0800 (PST)
In-Reply-To: <606825.66007.qm@web112815.mail.gq1.yahoo.com>
References: <62BFE5680C037E4DA0B0A08946C0933DC4B2DCF9@rrsmsx506.amr.corp.intel.com> <OFEDB4A382.947559FB-ON852576B1.007B59C0-852576B1.007C448C@us.ibm.com> <3a880e2c1001201643p3a885e23ma60f0c9df8d783b@mail.gmail.com> <186103.40609.qm@web112807.mail.gq1.yahoo.com> <5cca23bc1001201653m67298deey1c3395b80b5b0e29@mail.gmail.com> <606825.66007.qm@web112815.mail.gq1.yahoo.com>
Date: Wed, 20 Jan 2010 16:57:15 -0800
Message-ID: <5cca23bc1001201657u1f59c7aco8369580e125cad87@mail.gmail.com>
From: Arrogant Cyberstar <arrogant.cyberstar@gmail.com>
To: Hogmanay Milestone <hogmanay.milestone@yahoo.com>
Content-Type: multipart/alternative; boundary="0016e648c9a01e2cb0047da22f95"
Cc: "Infinity Linden (Meadhbh Hamrick)" <infinity@lindenlab.com>, ogpx-bounces@ietf.org, "ogpx@ietf.org" <ogpx@ietf.org>
Subject: Re: [ogpx] Seed capability behavior
X-BeenThere: ogpx@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Virtual Worlds and the Open Grid Protocol <ogpx.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ogpx>, <mailto:ogpx-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ogpx>
List-Post: <mailto:ogpx@ietf.org>
List-Help: <mailto:ogpx-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ogpx>, <mailto:ogpx-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jan 2010 01:40:43 -0000

On Wed, Jan 20, 2010 at 4:56 PM, Hogmanay Milestone <
hogmanay.milestone@yahoo.com> wrote:

>
> >>>>1.2. if the seed cap persists for a fixed period of time, it allows
> >>>>service caps to have shorter lifetimes. deployers may want some caps
> >>>>(like caps for spending money and transferring items) to have a
> >>>>shorter lifetime than others (like caps for connecting to public
> >>>>regions or caps for getting the grid status.)
> >>>>
> >>>>by persisting the seed cap, the client may request a new service cap
> >>>>from the seed without having to re-authenticate.
> >>
> >>
> >>you could request a "new seed" capability from the seed cap, then when
> you need a >new one, you access the new seed capability to give you a new
> seed capability.
> >>
> >>
> >>
> >
> >how is this different from just keeping the seed cap around? if the
> concern is that an >attacker will be able to exploit a security
> vulnerability to access a seed cap, then it >could just as easily extract
> the "new seed" cap instead of the seed cap. the attacker >could then use the
> new seed cap  to get another seed cap, and the client is still pwnd.
>
> but keeping the same seed cap would mean it's easier for someone to guess
> it.
>

the docs so far suggest that caps are 128 bit uuid's. if you're going to
guess, you only have a 2^-128 chance of guessing correctly. by comparison,
the chance that a gamma ray burst will cause a mass extinction event today
is 2.7 * 10 ^ -12 (or about 2^-39)

v2.23.0 | Report a Bug | By Email