[RegAPIList] They don't believe it it's possible to registeroutside secondlife.com

hellekin hellekin at cepheide.org
Thu Jun 21 18:20:22 PDT 2007


This is a sound post, thank you.

On Fri 2007-06-22 at 08:24:58 +0900, David Graham wrote:
> 
> [snip]
> 
> A wise person once told me: 'if you wrestle
> with pigs, all you will do is get dirty, and the pigs will enjoy it.' 
>
*** Thank you for sharing this wisdom, as it's also a funny line :)
> 
> [snip]
> 
> 	1) No credit card information is collected in the API registration
> process. Ultimately the user has to go to Linden Lab to input credit card
> information. Thus, in the beginning, there isn't much gain from having the
> password.
>
*** A dishonnest registrar might use the password to connect to SL
with this information, and from here get access to the current L$
balance. Of course, it may be a limited gain, but it's still a
possibility. Proving that the fraud came from the registrar might be
difficult if he managed to connect with an anonimized client from a
remote location, i.e. not connected to the registrar.

Thinking aloud...

The transparency guidelines you provide are good. Maybe SL registrars
should abide to some transparency charter? 

An additional possibility would be to provide the source code for the
registration service, such as to ensure by peer review that the
password is well-protected. Although it doesn't prevent the registrar
to plug in some other, malicious code to it, it might be beneficial to
all alternate registrars and users.

I read in the thread about some LL security checks. SL registrars
could submit to a security tests by the LL team and gain an "approved"
label from it. But actually I don't think it's worth the effort
involved.

On the other hand, wrapping the RegAPI code into something close to
OpenID would allow registrars to register new avatars without
accessing the password at all. Instead, the information form would
submit to LL, where the user would enter his new password, and the
registrar would receive a UUID or some other unique identifier for the
avatar and the registrar. Login to the registrar's site would then be
along the lines of what OpenID does, redirecting the user to LL, and
sending back a hash to be compared with what the registrar received
from LL upon registration.

==
hk


More information about the Regapi mailing list