On Tue, Dec 28, 2010 at 8:05 AM, Tateru Nino <tateru.n...@gmail.com> wrote:
> On 29/12/2010 2:57 AM, Robin Cornelius wrote:
> > On Tue, Dec 28, 2010 at 3:55 PM, Robin Cornelius
> > <robin.cornel...@gmail.com> wrote:
> >
> > v1.13.852
> > * the whole login process is now handled by the mobile device itself,
> > from now on no passwords nor their hashes are transferred to our
> > servers.
> >
> > So that avoids 2.e
> I'd be more concerned about capabilities URIs, myself. The login
> credentials are only the front-gate.

Ultimately, there's a big risk in using any third-party viewer. Getting the initial authentication off of the third-party server narrows scope a bit. It removes credentials that could have been used for real currency cash outs, makes compromise of the third-party authentication server a less severe problem, and improves governance's chances of slowing down bad actors without having to take down a whole service. But, in no way do we intend it as a safeguard against a malicious TPV dev.

--
Brian McGroarty | Linden Lab
Sent from my Newton MP2100 via acoustic coupler
_______________________________________________
Policies and (un)subscribe information available here:
http://wiki.secondlife.com/wiki/OpenSource-Dev
Please read the policies before posting to keep unmoderated posting privileges