AlexMax
Forum Regular

Posts: 761
Registered: 01-03
Rivecoder said:
Stuff
I've actually put a great deal of thought into both of your questions.
Q1. How to deal with decentralized nature of server when it comes to banning?
A1. Easy. Allow Skulltag to parse a remote bans.txt, a la ZDaemon. However, instead of being forced on, you would be allowed to parse zero or more arbitrary URLs for your banlist.
Q2. How to deal with aliasing and namefaking?
A2. An obvious first step would be something like a /whois command similar to IRC. If you can /whois a hacker using someone's name on a duel server and tell that...wait a second...this guy is halfway across the country from where the real guy is or using a proxy, then it's pretty damn obvious.
The absolute best solution to prevent aliasing would be a GUID system. Bear with me, because this is a little lengthy...
The user, if he wanted to authenticate himself, would create a GPG key pair. The client would encode a message (such as "Skulltag 0.97d2-rc3") using a username and the private key on his computer. The auth server itself would contain a directory of users with usernames, public GPG keys and a password (so you could log on to the auth server itself and change your public key later). The server would query the auth server with the username and either the encoded message itself (so the auth server could spit out the decoded message back at the server) or simply request the public key for the particular username and let the server decode the message. If the message is an expected one, the user is authenticated and doing a /whois on the user would show that he is indeed who he says he is.
Servers would have an option of which keyserver to use (since the keyserver itself would be open-source and many keyservers could potentially exist...though probably only one or two would exist in practice), and a server could either force users to authenticate themselves, allow anonymous unauthenticated use, or simply opt not to use authentication at all.
This is a little complicated, but I think it offers good security while being open. An individual server-based username and password system would not work, since you would have to register your username on EVERY server you played on (and what if someone steals your username on a new server?). Worse, someone could run a hacked (if closed source)/modified (if open source) "bait server" for the purposes of harvesting username/password combinations. And on other stuff I would get annoyed by, I do think that the auth server should be open source, since there's really nothing to lose by allowing people to pick which auth server they register against. Of course, most people would use the default auth server, but if people disagreed with the way the auth server was being run, the community should have the freedom to set up an alternative one (just like being able to pick your banlist).
AlexMax refers to a smooth, responsible, self-policing community, but I'm not sure we have that yet.
Doom multiplayer source ports have never been a bastion of maturity, which is an unfortunate stumbling block. The question is, how would you go about maturing the Skulltag community into something capable of better policing itself? I have my own thoughts about this, but I don't think I'm in a position capable of formulating them at this moment, so I'll get back to you on that.
Last edited by AlexMax on 07-02-08 at 09:49
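As an added example, not code from the post or from Skulltag, here is the authentication flow AlexMax sketches in Go: the player's key pair, an auth server directory that hands out public keys by username, and the game server's /whois check. It uses Ed25519 instead of GPG, signs rather than "encodes" the message, and goes one step beyond the post by having the game server issue a random per-connection challenge rather than a fixed version string, so a captured signature cannot be replayed; the username and context string are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ClientSign is the player's side: sign the server's challenge with a private key that never leaves the player's machine.
func ClientSign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// AuthServer is the directory of username -> public key (the post's password for key changes is omitted).
type AuthServer struct{ keys map[string]ed25519.PublicKey }

func NewAuthServer() *AuthServer { return &AuthServer{keys: map[string]ed25519.PublicKey{}} }
func (a *AuthServer) Register(user string, pub ed25519.PublicKey) { a.keys[user] = pub }

// Lookup is the "request the public key for the particular username" variant from the post.
func (a *AuthServer) Lookup(user string) (ed25519.PublicKey, error) {
	if pub, ok := a.keys[user]; ok {
		return pub, nil
	}
	return nil, errors.New("unknown user")
}

// NewChallenge is what the game server asks the client to sign: a context string plus
// 32 random bytes, so a signature captured on one connection cannot be replayed on another.
func NewChallenge(context string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append([]byte(context+"\x00"), nonce...), nil
}

// VerifyLogin is the game server's /whois check: fetch the claimed user's key and verify the signature.
func VerifyLogin(auth *AuthServer, user string, challenge, sig []byte) bool {
	pub, err := auth.Lookup(user)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // player creates a key pair once
	auth := NewAuthServer()
	auth.Register("alex", pub) // player uploads only the public key (constructed sample user)
	ch, _ := NewChallenge("Skulltag 0.97d2-rc3")
	fmt.Println("alex authenticated:", VerifyLogin(auth, "alex", ch, ClientSign(priv, ch)))
}
```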