CoyoteRed
Joined: 18 Sep 2003 Posts: 220
Posted: Mon Jan 12, 2004 9:22 am Post subject: Universal user accounts
Is there a possibility something can be set up so people don't have to register on each site on the opencaching network?
CR _________________ "...been known to miss the finer points."

hmarq Site Admin
Joined: 15 Sep 2003 Posts: 351
Posted: Mon Jan 12, 2004 9:46 am Post subject:
Well, yes ... but I advise against it unless done through RPC, which would still be subject to network failure. I really don't like the idea of syndicating user records (passwords and emails in particular) .... there are reams of stuff between me and the .de guys on this topic if you look for them.

CoyoteRed
Joined: 18 Sep 2003 Posts: 220
Posted: Mon Jan 12, 2004 10:37 am Post subject:
I was only half able to follow what you guys were saying.
I think a major sticking point could be all of the multiple logons people will end up having to do.
Have there been any inroads with ideas?
CR _________________ "...been known to miss the finer points."

CoyoteRed
Joined: 18 Sep 2003 Posts: 220
Posted: Mon Jan 12, 2004 11:42 am Post subject:
The idea has been occupying my mind here at work. Need to ... get ... it ... out!
At first I thought about encrypting/hashing the username and password and sending it off to a warehouse of user accounts, but there is nothing to stop a rogue site from popping up and ending up caching these encrypted username/password combinations and working from there.
Here's the idea I had. ...okay... I tried writing it a couple of times but I can't articulate it well.
Basically, whatever outlaying site a user is using asks an "authority" if this person is legit. The site sends the user to the authority and the authority verifies the user and simply sends back a "yes" or "no." To prevent the user having to be verified each and every time, the outlaying site can optionally use a cookie to know that person is verified.
The outlaying site then never sees the password or any derivative thereof.
What about that?
CR _________________ "...been known to miss the finer points."

CoyoteRed
Joined: 18 Sep 2003 Posts: 220
Posted: Mon Jan 12, 2004 11:56 am Post subject:
Further thought:
The outlaying site can either offer individual logons, whereby people register like on any other site.
...or...
The site can say, "Okay, you say you're CoyoteRed, but let's check with the Opencaching Universal User Authority."
The OUUA comes back and says, "Yes, this person is, in fact, CoyoteRed."
The site says, "Okay, thank you, OUUA. CR, here's a cookie that says you are you. It's good until you sign out."
See, with this scheme the outlaying site never knows any private particulars about a user, but trusts the OUUA to tell the truth.
CR _________________ "...been known to miss the finer points."

CoyoteRed
Joined: 18 Sep 2003 Posts: 220
Posted: Mon Jan 12, 2004 12:57 pm Post subject:
More thinking out loud...
Say the outlaying site registers with the OUUA and is issued a code.
A user goes to the OUUA, or is sent by a site, and puts in their password. The OUUA verifies the password and issues a code. This code is a combination of the user name and the code the OUUA issued to the site. (Maybe a simple MD5 of the UID and code.)
The user then goes to the site and enters their username and this code. The site verifies the code and issues the cookie.
The beauty of this is all of this can happen in the URL.
Once the OUUA verifies the user's password it can create a link back to that site. This link could be http://www.a1cachersite.com/verify.cgi?uid=sissy-n-cr&code=695f74697ad21759f81c91ea0403e15c
Of course, the user will have to protect this link, as anyone who has it can become them, but the advantages are:
- instant registration (or no registration, whichever way you want to look at it.)
- only one password to remember.
- not sharing a password between multiple sites.
- the links to each site, even with the same username and user's password, would be different from site to site.
There! Finally got it out!
Any flaws I haven't seen yet?
CR _________________ "...been known to miss the finer points."

CoyoteRed
Joined: 18 Sep 2003 Posts: 220
Posted: Mon Jan 12, 2004 1:02 pm Post subject:
One more thing...
Add an OUUAid to the verification process so there could be multiple authorities.
Oh, and this scheme could mean that if you already have the resultant URL, the OUUA doesn't have to be that reliable of a service (meaning uptime). It doesn't have to happen in real time.
In fact, a user could sign up and the OUUA spit out codes for all of the sites in its database.
These codes would be like showing up at a site and showing this unique code to prove they are who they say they are.
CR _________________ "...been known to miss the finer points."
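The scheme from the two CoyoteRed posts above (a site registered with the OUUA and issued a code, a per-site code computed as a hash over the user name and that site code, the login link carrying everything in the URL, and the OUUAid so several authorities can coexist), as an added example written for this thread; it is not code from the posts or from opencaching. All names and values here are constructed assumptions; the second half adds an expiring HMAC variant that the posts do not describe, as one way of limiting the link-replay risk the post itself points out.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample values (assumptions for illustration, not opencaching data).
AUTHORITY_ID = "ouua-1"                  # the OUUAid from the second post
SITE_SECRET = "constructed-site-secret"  # code the OUUA issued to the site at registration


def issue_code(uid, site_secret, authority_id=AUTHORITY_ID):
    """Authority side, as the post describes: an MD5 over the authority id,
    the user name and the site's registration code. The site never sees
    the user's password, only this per-site code."""
    return hashlib.md5(f"{authority_id}:{uid}:{site_secret}".encode()).hexdigest()


def verify_code(uid, code, site_secret, authority_id=AUTHORITY_ID):
    """Site side: recompute the code and compare in constant time."""
    return hmac.compare_digest(issue_code(uid, site_secret, authority_id), code)


def login_url(base, uid, code, authority_id=AUTHORITY_ID):
    """The link the OUUA hands back to the user (everything travels in the URL)."""
    return f"{base}/verify.cgi?" + urlencode({"ouua": authority_id, "uid": uid, "code": code})


# The code above is a static bearer credential: the post itself notes that anyone
# holding the link "can become them", and it stays valid until the site changes
# its secret. The variant below binds an expiry time into a keyed HMAC so a leaked
# link only works until that time, and the site rejects anything older.

def issue_code_expiring(uid, site_secret, expires, authority_id=AUTHORITY_ID):
    """Authority side: HMAC-SHA256 keyed with the site's secret, over id, user and expiry."""
    msg = f"{authority_id}:{uid}:{expires}".encode()
    return hmac.new(site_secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_code_expiring(uid, expires, code, site_secret, now, authority_id=AUTHORITY_ID):
    """Site side: reject expired links first, then check the HMAC in constant time."""
    if now > expires:
        return False
    expected = issue_code_expiring(uid, site_secret, expires, authority_id)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    code = issue_code("sissy-n-cr", SITE_SECRET)
    print(login_url("http://www.a1cachersite.com", "sissy-n-cr", code))
    print(verify_code("sissy-n-cr", code, SITE_SECRET))
```

The expiring variant still needs the site to carry `expires` in the URL alongside `uid` and `code`, and a bookmark of that link stops working once the time passes.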

Team BMW-Biker
Joined: 01 Oct 2003 Posts: 209
Posted: Mon Jan 12, 2004 1:15 pm Post subject:
Maybe you remember - I've written some stuff on how to handle all these things - look in 'Tech Stuff' ...
Because I didn't get any response to those documents, I think there is no need to complete or update all that ... now I see that many discussions come up a second and a third time ...
Quote: "Is there a possibility something can be set up so people don't have to register on each site on the opencaching network?"
Yes, the first time, you sign up on a corenode. Username, password and email are required. With the next replication cycle or syndication process from other corenodes or third-party pages you are known all over the network.
Username is stored in clear text.
Password is saved as a hash like MD5.
Email is encrypted and can be decrypted with the clear-text password.
So, if you log in you are verified against the MD5 hash.
If you want to sign up for an oc-network service like the
- "email me when somebody finds my caches" service on oc-node1.com
- "email me when a new cache appears near my home coordinates" service on oc-node2.com
you must sign up for this service by submitting your password to it. So everybody can decide for himself if he trusts some service/corenode or not. (Advantage of exchanging the password MD5 hash: if one corenode goes down, nothing is lost from the user records.)
Sure, it's not perfect ... so let's discuss a few scenarios ...
... Oli

CoyoteRed
Joined: 18 Sep 2003 Posts: 220
Posted: Mon Jan 12, 2004 1:30 pm Post subject:
Team BMW-Biker wrote: "You must sign up for this service by submitting your password to it."
The problem I see with this is this scenario:
What's to prevent a site from caching passwords that are entered? While it is true they can verify the password against the MD5'ed code in syndication, they can also capture it and start signing up as others on other sites.
With my scheme only the OUUA sees a user's password. No site will have the same passcode as any other site.
It's like automatically generating a strong and unique code for each site, and no site knows the code to another site. All that and no prior registration needed on any one particular site other than the OUUA!
CR _________________ "...been known to miss the finer points."

Team BMW-Biker
Joined: 01 Oct 2003 Posts: 209
Posted: Mon Jan 12, 2004 1:44 pm Post subject:
Quote: "What's to prevent a site from caching passwords that are entered? While it is true they can verify the password against the MD5'ed code in syndication, they can capture it and start signing up as others on other sites."
Where is the problem with this caching?
There are two possible ways:
You trust a service or you don't.
Quote: "With my scheme only the OUUA sees a user's password. No site will have the same passcode as any other site.
It's like automatically generating a strong and unique code for each site, and no site knows the code to another site. All that and no prior registration needed on any one particular site other than the OUUA!"
I understand ... the idea isn't bad ... mails could also be sent over these OUUAs (and logged). But how many OUUAs will be needed to verify all users? Is it scalable?
BTW: Isn't MS .NET Passport the same concept?
... Oli

CoyoteRed
Joined: 18 Sep 2003 Posts: 220
Posted: Mon Jan 12, 2004 2:01 pm Post subject:
I know nothing of MS .NET, I'm not a programmer.
But about your query about trust. How am I to trust a site? With my scheme there is no reason not to trust them in regards to passwords, because they will never have one.
"Where is the problem with this caching?" Let me point to what I said before: they can capture it and start signing up as others on other sites. In other words, if you sign on to their site, they now have your password and they can sign on as you on other sites!
The whole idea of opencaching is scalability. How are we supposed to know who to trust when, hopefully, there are so many popping up? All it would take is one wrong decision and your account is history.
I'd rather not have to worry about trust. I figure it's best to start with a good system.
CR _________________ "...been known to miss the finer points."

Team BMW-Biker
Joined: 01 Oct 2003 Posts: 209
Posted: Mon Jan 12, 2004 2:20 pm Post subject:
Quote: "I know nothing of MS .NET, I'm not a programmer"
.NET Passport ... it's the same concept; maybe we could use it (but right now I didn't have enough time to check it out) ... we wouldn't have to invent the wheel a second time ...
Quote: "I'd rather not have to worry about trust. I figure it's best to start with a good system."
OK, I think it could work ... my 'yes' doesn't count very much - but you have it
... Oli

hmarq Site Admin
Joined: 15 Sep 2003 Posts: 351
Posted: Mon Jan 12, 2004 3:57 pm Post subject:
CoyoteRed wrote: "Basically, whatever outlaying site a user is using asks an "authority" if this person is legit. The site sends the user to the authority and the authority verifies the user and simply sends back a "yes" or "no." To prevent the user having to be verified each and every time, the outlaying site can optionally use a cookie to know that person is verified.
The outlaying site then never sees the password or any derivative thereof.
What about that?
CR"
I haven't read the rest of what's here, but what you're describing is an RPC (remote procedure call). Yes, that would work; yes, that would make me happy; but it does have issues with latency and network outages.

CoyoteRed
Joined: 18 Sep 2003 Posts: 220
Posted: Mon Jan 12, 2004 4:03 pm Post subject:
Oh, okay. I didn't know what RPC was.
But concerning latency, my idea would be that a user would only have to verify himself once in a while. The outlaying site would use cookies to keep the verification persistent, which precludes the need for a lot of querying of the authority.
In fact, using the URL scheme the user could create a bookmark to log on to a particular site and not need to query the authority again until either the site changes its secret code or the user changes his name.
CR _________________ "...been known to miss the finer points."

CoyoteRed
Joined: 18 Sep 2003 Posts: 220
Posted: Mon Jan 12, 2004 4:10 pm Post subject:
Okay, just read up a little on RPCs.
What I'm proposing is only similar. The difference is everything is passed in the URL and the return can be captured by the user and saved.
The call doesn't happen every time, thereby eliminating the latency problem.
When the user issues the UID and unique site/user code, the site then issues a cookie to that machine and knows who is using that computer. No need to query any other machine.
In fact, the outlaying machine doesn't have to query the authority at all. The user, after logging in, can ask the OUUA for a list of sites and then ask for the code for a particular site and grab that. (Or click the link and be instantly transported to that site already logged on!)
CR _________________ "...been known to miss the finer points."