WotC Product Identity and Design

I have a simple question, at least simple for people who understand legalities better than I do. The way I understand the OGL and SRD is that you can use anything from within them and sell it without restrictions, that is, without using anything listed under product identity. And this is as simplified as it gets in my head.

For example, a Lizardfolk can be used since the monster is in the SRD, but a Lizardfolk Shaman cannot, since he isn’t. That much is clear. The question comes now for the design.

I am glad that things like 5e LaTeX and GM Binder exist. But can one really make his documents look exactly like the WotC ones, like the red splatter on the cover or the fonts inside? Are these things not product identity?

Another question is about copying material from the SRD. Can one, let’s say, write a campaign setting that complies with the SRD, and include inside this campaign setting some magic items or monsters from the SRD? And by include I mean full text, one to one matching. The artwork can be different.

Thanks in advance for any possible answers.

Can a known recipient of sending via sending stones conceal their identity?

A character has discovered one of a pair of sending stones in a D&D 5e game. They can use the stone to cast sending, with the target being the holder of the other stone. The person holding the other stone, who we’ll call the "recipient", is in fact someone that the character knows, but they are unaware that it is the recipient who holds the other stone, and the recipient does not want them to know. Can the recipient reply to the sending while concealing their identity from the character?

The question of the caster of sending concealing their identity has already been addressed in "Is there any way to fake/conceal your identity when casting Sending?", and the caster cannot conceal their identity because sending says:

You send a short message of twenty-five words or less to a creature with which you are familiar. The creature hears the message in its mind, recognizes you as the sender if it knows you, and can answer in a like manner immediately.

This does not address whether the recipient can conceal their identity, but this is because the caster of sending must be familiar with the recipient in order to cast the spell. It’s therefore reasonable to assume that the recipient’s "reply", which is sent "in a like manner", will mean that the caster will recognise the identity of the recipient, because the caster knows the recipient, and because the caster knows who they targeted with the spell.

However, sending stones bypass this familiarity requirement:

While you touch one stone, you can use an action to cast the sending spell from it. The target is the bearer of the other stone.

There is no indication here that the user of a sending stone must be familiar with the recipient, who holds the matching stone. (And such a requirement would make sending stones considerably less useful! So I think it’s reasonable to assume that the user of a stone is not required to know the holder of the other stone.)

However, in the situation I’m describing, the "caster" is familiar with the recipient, but the recipient does not want them to know who the recipient is.

Obviously, the recipient can refuse to respond. However, it’s a lot more fun if the recipient can respond, while concealing their identity. So… is there a way for a known recipient of sending cast via sending stones to conceal their identity?

Use of additional magical items or spells by the recipient (such as the ring of mind shielding suggested in an answer to the linked question) is acceptable in an answer.

How does the spell Mind Blank interact with shapeshifters and other forms of false identity?

Mind Blank states:

Until the spell ends, one willing creature you touch is immune to psychic damage, any effect that would sense its emotions or read its thoughts, divination spells, and the charmed condition. The spell even foils wish spells and spells or effects of similar power used to affect the target’s mind or to gain information about the target.

How does the spell Mind Blank interact with shapeshifters and other forms of false identity?

Are all aspects of their identity protected, or just information associated with their true form/name?

  • For example, can a guard give a description of a changeling’s persona via sending since it is not their natural form?

Do we need to guard against federated identity servers lying about who signed in?

Having successfully integrated my old web forms app with an ADFS server, I got to thinking about how the process works as a whole. The old app passes the user to the remote ADFS, then eventually the user arrives back in our server having a signed-in identity of joe.schmoe@somedomain.com, but I’m not entirely clear on whether I’m supposed to trust that’s right, or whether I’m supposed to try and ensure it’s right.

Supposing that a rogue actor at somedomain.com replaces the sign-on at the remote end or manipulates it in some way such that my local server ends up being told that bigboss@somedomain.com signed in (when it was actually tom.hacker@somedomain.com), or worse that bigboss@otherdomain.net signed in, what do we do in such situations?

Is this handled already by the auth process, such that we can be sure there are some local rules that enforce that the federated server may only return users with some characteristic such as "must really be a user of somedomain.com, for which you know this identity server is responsible"?

When we hand off authentication to a third party, and get the "user X auth’d successfully", do we need to be wary about whether it’s truly user X and whether the server confirming the identity truly has authority to do so for the user given?

At the moment I’m thinking I should also implement my own local check that the announced user matches a pattern, to ensure the federated server isn’t used to break into other domains’ accounts, and also implement 2FA to give some extra check that the user announced truly is that person.
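One way to implement the local pattern check the question proposes, written here as an added example that is not part of the question or of ADFS: it assumes the app's federation library hands it the token's issuer, subject and audience (hypothetical field names), and it rejects any subject whose e-mail domain the issuer is not configured to be authoritative for, as well as tokens not issued for this app and malformed subjects.

```python
# Added example: local authorisation check on a federated sign-in assertion.
# Assumes the federation library has already verified the token signature and
# exposes issuer / subject / audience; names and values are constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed allowlist: which identity provider may assert which e-mail domains.
ADFS_ISSUER = "https://adfs.somedomain.com/adfs/services/trust"
ISSUER_DOMAINS: Dict[str, Set[str]] = {ADFS_ISSUER: {"somedomain.com"}}
OUR_AUDIENCE = "https://app.example/"  # constructed: entity id of this app

@dataclass(frozen=True)
class Assertion:
    issuer: str    # entity id of the identity provider that signed the token
    subject: str   # identity the provider claims signed in, e.g. user@domain
    audience: str  # entity id the token was issued for

def subject_domain(subject: str) -> Optional[str]:
    """Return the lower-cased domain of a user@domain subject, or None if malformed."""
    local, sep, domain = subject.rpartition("@")
    if not sep or not local or not domain:
        return None
    domain = domain.strip().lower()
    # Reject a second '@', whitespace in the domain, or a domain with no dot
    # (e.g. a mistyped "somedomain,com" must not silently match anything).
    if "@" in local or any(c.isspace() for c in domain) or "." not in domain:
        return None
    return domain

def accept_assertion(a: Assertion) -> Tuple[bool, str]:
    """Decide whether to honour the federated sign-in; returns (ok, reason)."""
    if a.audience != OUR_AUDIENCE:
        return False, "token not issued for this application"
    allowed = ISSUER_DOMAINS.get(a.issuer)
    if allowed is None:
        return False, "unknown issuer"
    domain = subject_domain(a.subject)
    if domain is None:
        return False, "malformed subject"
    if domain not in allowed:
        return False, "issuer not authoritative for " + domain
    return True, "ok"
```

This check runs after, and does not replace, the library's signature and validity-window verification; it only enforces which provider may vouch for which domain.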

What’s the difference between the endorsement key and the attestation identity key within the TPM?

I’m trying to make notes about the TPM and what it does. More specifically I’m looking at the 3 RSA key pairs: the ‘endorsement key’, the ‘storage root key’ and the ‘attestation identity key’.

This is what I have written so far:

The ‘Endorsement Key’ is an RSA key pair where any data sent to another device is encrypted using the private key and the receiving device decrypts it with the public key, so it knows the data is trusted. This is created when the TPM is manufactured (not user-specific).

The ‘Storage Root Key’ is a pair of RSA keys within the TPM and is used to protect TPM-protected keys created by applications and stored outside of the TPM, so that these keys cannot be used without the TPM. It’s created when you take ownership of the TPM (if the user changes, so does the key).

However, I am now trying to research the use of the attestation identity key but don’t understand how it is different from the endorsement key. If anyone could explain in simple terms, because this is all new to me, I would greatly appreciate it 🙂

Is an identity certificate the same as a public key?

I’m new to public key infrastructure. I think I understand how public key encryption works, conceptually. So a public key is, by definition, public and not a secret. Recently, when I came across the term identity certificate and read about it, it sounded very similar to the public key of an entity. But it was not explicitly stated whether they are the same or different.

My questions are…

Is an identity certificate the same as a public key? If not, then is an identity certificate considered a secret?

How are they related?