On Mon, Nov 23, 2009 at 12:59 AM, Solvek <[email protected]> wrote:

> really from this specific wave user? (how can I approve that wave's
> participant id is not hacked on the client side?


This is a hard problem, and Wave does not make it easy to authenticate users
or events.  The only option I'm aware of is for your gadget to authenticate
the user from scratch (perhaps using the Google Accounts API), independently
from the Wave interaction.

You might be able to design an approach that uses a robot and encryption
keys to moderate the game play.  For example, for each round of play, a
robot could generate a public/private key pair, and publish the public key
in the gadget's wave state.  Each player makes their selection, and the
gadget encrypts that using the public key and persists their selection to
the wave.  Since it's encrypted, no one else can see the choice, and since
the interactions are all occurring within Wave, it's authenticated.  When
the round is over, the robot publishes the private key too, and the gadgets
can then decrypt everyone else's choice and declare a winner.
(Alternatively, the key could remain unpublished and the robot would
examine the choices and simply declare a winner.  This approach also happens
to play nicely with Wave's playback feature.)

> Any wave container
> signature allowing determine wave participant id is available?)
>

A simple signed user identity is insufficient since that could be stored by
an evil gadget and reused later.  I believe your only options at this point
are to keep the interactions/data entirely within Wave, or authenticate the
user wholly independently from Wave and never try to associate their
authenticated identity with their purported Wave identity.

David
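
The per-round key scheme described in the reply above, sketched as an added example that is not part of the original message or of any Wave API. Textbook RSA on fixed, constructed primes stands in for a real library (which would use a fresh key pair and RSA-OAEP); the function names and the rock/paper/scissors choice set are assumptions. It also checks that a small choice set needs randomized encryption, since equal inputs would otherwise give equal ciphertexts in the shared wave state.

```python
import secrets

# Constructed toy key material: two known Mersenne primes. Illustration only;
# a real robot would generate a fresh key pair per round with a vetted library.
P, Q = 2**61 - 1, 2**89 - 1
E = 65537
CHOICES = ("rock", "paper", "scissors")  # assumed game; the thread only says "selection"


def robot_new_round():
    """Robot side: return (public_key, private_key) for one round."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), (n, d)


def gadget_seal(choice, public_key, randomize=True):
    """Gadget side: encrypt a choice before persisting it to wave state."""
    n, e = public_key
    # Message layout: 0x01 marker, 8 random bytes (when randomizing), choice index.
    nonce = secrets.token_bytes(8) if randomize else b""
    m = int.from_bytes(b"\x01" + nonce + bytes([CHOICES.index(choice)]), "big")
    return pow(m, e, n)


def gadget_open(sealed, private_key):
    """Any gadget, once the robot has published the private key."""
    n, d = private_key
    return CHOICES[pow(sealed, d, n) & 0xFF]  # low byte is the choice index


def guess_from_public_state(sealed, public_key):
    """Check whether a sealed value matches the unrandomized encryption of any choice."""
    for choice in CHOICES:
        if gadget_seal(choice, public_key, randomize=False) == sealed:
            return choice
    return None  # nothing learned before the key is revealed


if __name__ == "__main__":
    pub, priv = robot_new_round()
    sealed = gadget_seal("paper", pub)
    print(guess_from_public_state(sealed, pub), gadget_open(sealed, priv))
```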
