Re: [ogpx] VWRAP Draft Charter - 2009 09 01

[Carlo Wood <carlo@alinoe.com>]

Can't type much with my RSI, but I'd like to add that instead
I'd prefer this for D, (not G):

1. the agent domain and the region domain hash out an agreement
beforehand where the region domain operator tells the agent domain
operator the equivalent of... "whoa dude, you won't get me in trouble
with the state if you let 19 year olds into my adults only sim, PLEASE
DON'T block them from entering sims i mark as adult." this effectively turns
scenario D into scenario B for the AD2 / RD1 pairing.

Reason, it's the region (destination) that really determines the law.
And as extension to this, it should be the region that determines all
rules that a visiting user must follow (independent of AD they use).

On Fri, Oct 02, 2009 at 09:32:22AM -0700, Infinity Linden wrote:
> i am vaguely confused by the path we're taking. a lot of what we're
> fretting over was discussed over the summer.
> 
> i am also disappointed that morgaine believes that simply making a
> fiat statement like "we are arriving at DDP" makes it true. it is not
> true. BOTH the agent domain and the region domain MUST have an
> opportunity to express their policy.
> 
> the problem outlined by carlo above is interesting, but tractable.
> 
> the agent domain is the entity with a direct relationship with the
> user. we should not require the region domain to have information
> about the user (such as the user's age.) and here's why...
> 
> in VWRAP, as discussed before, it is the agent domain that acts as a
> trust broker. the user trusts the agent domain and the agent domain
> trusts the provider of other services (such as the agent presence
> service running on a host in the region domain.) we do not require the
> user to have a direct relationship with the region domain. instead, we
> define trust transitively.
> 
> if the agent domain must ensure that underage users do not visit
> regions with adult content, then they should disallow underage user's
> avatars from visiting those regions. if this is an organizational
> policy that must be adhered to, then the agent domain should have
> information to make that decision: the user's age and whether a
> specific region (or entire region domain) allows adult content.
> 
> if the region domain operator believes that the agent domain operator
> may believe that an acceptable age to view adult content is lower than
> they are comfortable with, they should communicate this concern at the
> time that they are negotiating access. please note that in this
> scenario, the evaluation of organizational policies is something that
> is performed by humans, not automated systems.
> 
> the policy enforcement tool the AD can use in this scenario is to
> decide to not place a user's avatar in a particular region. the
> information the AD uses to evaluate whether they want to allow or deny
> a teleport request is largely not a concern of the protocol. though..
> if the decision depends on the state of a region in the region domain,
> then there has to be a way to communicate this information from the
> region domain to the agent domain. and that _is_ definitely a protocol
> concern.
> 
> the situation with the region domain is largely similar. the tool the
> RD has to enforce policy in this scenario is to disallow an agent
> domain from placing an avatar in one of it's regions.
> 
> but i really like this example, so i created a diagram from this
> example at https://wiki.secondlife.com/wiki/File:VWRAP_adult_content_evaluation_example.jpg
> .
> 
> it shows two agent domains and two region domains. one of the agent
> domains and one of the region domains define adult content as being
> viewable by those 18 and older, the others think adult content is
> viewable by those 21 and older. each has two regions; one of which has
> adult content, the other does not. lets assume that the user is 19.
> when the agent domain attempts to place an avatar in each of the
> regions, you get 8 scenarios.
> 
> A - no adult content in the region, AD allows transfer, RD allows transfer
> B - adult content, but both the AD and RD agree that if you're 19,
> you're okay to view adult content. AD allows transfer, RD allows
> transfer.
> C - no adult content in the region, AD allows transfer, RD allows transfer
> D - adult content, but AD2 believes the user isn't old enough. AD does
> not allow transfer.
> E - no adult content in the region, AD allows transfer, RD allows transfer
> F - no adult content in the region, AD allows transfer, RD allows transfer
> G - adult content. AD1 believes the user is old enough, begins
> transfer. RD believes the user is not old enough, disallows transfer.
> H - adult content, but both AD2 and RD2 believe the user is old
> enough. AD allows transfer, RD allows transfer.
> 
> i think the most vexxing scenario is scenario G. it forces the RD to
> make a policy decision based on information about the user maintained
> by the agent domain. there are a couple of ways to handle this.
> 
> 1. the agent domain and the region domain hash out an agreement
> beforehand where the region domain operator tells the agent domain
> operator the equivalent of... "whoa dude, you'll get me in trouble
> with the state if you let 19 year olds into my adults only sim, PLEASE
> block them from entering sims i mark as adult." this effectively turns
> scenario G into scenario D for the AD2 / RD2 pairing.
> 
> 2. the agent domain offers information in the teleport request about
> the user's age to the RD, allowing the RD to disallow the transfer of
> agent presence into adult regions.
> 
> 3. the agent domain offers an interface the RD that lets the RD query
> information about the user (including their age.)
> 
> all of these have some drawbacks. my employer is probably most
> interested in solution 1. linden views the relationship of agent
> domain to region domain as a long-term trust relationship with a fair
> amount of effort involved in setting it up. still, there are people
> that want to have more of a tourist model where the user enters the
> URL of a region into the client app and off you go without a
> previously established agreements on policy enforcement.
> 
> for the tourist model, you could do either 2 or 3. 2 has the advantage
> that the RD doesn't need to make a request back to the AD before
> deciding whether to complete the teleport. it has the disadvantage
> that it requires the AD to give information about the user's age to an
> RD who may or may not be trustworthy (cause... remember... we're
> talking about the tourist model here.)
> 
> i think what i'm getting at here is that carlo's example is
> interesting, but it does yield to analysis. i think it also exposes
> the difference between linden's vision of their service and what
> morgaine (and presumably others) want people to build. but we can get
> one protocol that works for both models, we just have to be careful,
> and the end result will likely be more complicated than we would
> prefer. but. welcome to the world of standards.
> 
> -cheers
> -meadhbh
> _______________________________________________
> ogpx mailing list
> ogpx@ietf.org
> https://www.ietf.org/mailman/listinfo/ogpx

-- 
Carlo Wood <carlo@alinoe.com>