On Sun, 2008-04-20 at 11:12 +0200, edA-qa mort-ora-y wrote:
The question comes to the identity of the "Client". Basically I want to server an official client, let's call it "WhatNots". Now, the source if completely open, and I wish to encourage everybody to make their own version of "WhatNots", but I don't want those copies to be able to identify as the official client with the score server.
I know this problem in the commercial game world, basically the one of preventing cheaters. But that world has the advantage of using obfuscation in their authentication algorithms.
You should try to answer the following questions: What data needs to be secured?
The integrity of the scoring data on the server. It wishes only to accept scoring data from authorized clients (that is, the official game clients).
Where is that data is stored?
On the server.
Where is that data is being transferred from/to?
Produced by the client, transferred to the server.
Who is that data is being secured from?
People with unathorized clients attempting to give themselves inflated scores.
You have a trust problem, and there is no other way to solve it than to eliminate the problem of trust or to fully trust.
An easy solution (in term of trust) is to remove the problem. Never trust the client, always compute whatever you need to trust only server side.
If you need to trust the client for other reasons (performance for example), then the only way to fully trust it is by using a trust computing platform against the users, something free software does not really like to do unless there is agreement from the user.