Also note that a malicious server could do bad things to a user account if it's allowed to use the ticket to file requests on the user's behalf. If you have important resources guarded by player accounts, this may be a problem. ("Hey, this player is giving all his XP and gold to this other player!") Thus, perhaps the best way to structure that, is to issue TWO tickets; one that says "I am the player" and one that says "I am a server the player is logging in to." For requests like "player A trades resources with player B" you would then require that player A makes the request straight to the server using player A ticket, and player B makes the request straight to the server using player B ticket, and perhaps player-server also makes the request to the server using the player-A-server and player-B-server tickets. That way, you know that both players are desiring to perform the action (because you see each of the player tickets) and that the player-hosted server has said OK to the trade (which enforces some kind of server rule -- but that rule is hackable because the player-hosted servers are hackable.)
The military does this with PKI, a public key which is stored on a physical device ( which in your setup would be the users passwords ) and a private key, given by a CA ( certificate authority ) and checked for reliability. If the user has a private key and a public key is most likely the user. ( loose translation of what you said here, but i think it is more or less the same concept ) Am i right?
Perhaps, again I am not familiar with this entire thing so I dont even know what I was really asking. I have an idea and wanted to share it... seemed as though in doing that people were telling me to do something that I had already done. I can agree that maybe I took that personally when I should not have. I am not use to be caught off guard in such a way since I normally have some idea of what I am talking about. Thank you for your patience and understanding.
If that had been the question, you would have gotten a different answer. I just want you to realize that communication is a two-way street -- everything may be clear in your mind, but when others don't react the way you expect them to, it's probably more like likely that the problem is with how you present your case, than it is with everyone in the thread trying to be malicious.