On Wed, Dec 9, 2009 at 7:30 PM, dougx <[email protected]> wrote:
> Anyway, basically you can get around the authenticity problem by using
> RSA to sign the state data in the gadget, to ensure the state is
> valid.
>

This ensures authenticity, but not integrity (the user controls the browser, so they can get valid signatures on arbitrary data, though only tied to their user ID) and not availability (any other user can delete/corrupt these values). It's also vulnerable to replay. A robot might be able to help with some of that, by restoring deleted/corrupted state, or if you have timestamps, track the timestamps and replace older timestamps with the most recently seen, and by doing sanity checks on the data, but this may not be effective (maybe deleting the variable is a legitimate thing to do? maybe there's no way to check that the data is meaningful?).

> I'm actually tempted to post this as a feature request.
>

I posted something similar in http://code.google.com/p/google-wave-resources/issues/detail?id=142.

David
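As an added example (not part of the original message and not Wave API code), here is a sketch of the robot-side check the reply describes: keep the newest validly signed entry per state key and restore it when the variable is deleted, fails verification, or is replaced by an older signed value. HMAC from the Python standard library stands in for the RSA signature, and `StateGuard`, `make_entry`, the entry field names and the demo key are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the RSA signature from the thread;
# with RSA the robot would hold only the public key and call its verify.
DEMO_KEY = b"constructed-demo-key"

def sign(user, key, value, ts):
    # Unambiguous encoding of every field the signature must bind.
    msg = json.dumps([user, key, value, ts]).encode()
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).hexdigest()

def make_entry(user, key, value, ts):
    return {"user": user, "key": key, "value": value, "ts": ts,
            "sig": sign(user, key, value, ts)}

def verify(entry):
    try:
        expected = sign(entry["user"], entry["key"], entry["value"], entry["ts"])
        return hmac.compare_digest(expected, entry["sig"])
    except (KeyError, TypeError):
        return False

class StateGuard:
    """Hypothetical robot-side tracker: newest validly signed entry per key."""

    def __init__(self):
        self.latest = {}

    def observe(self, key, entry):
        """Return (verdict, entry the robot should write back, or None)."""
        known = self.latest.get(key)
        if entry is None:  # state variable was deleted
            return ("restore-deleted", known) if known else ("empty", None)
        if not verify(entry) or entry["key"] != key:
            return ("restore-invalid", known)  # forged, or copied from another key
        if known and entry["ts"] < known["ts"]:
            return ("restore-replayed", known)  # validly signed but stale
        self.latest[key] = entry
        return ("accepted", None)
```

The guard only sees signatures and timestamps, so the two open questions in the reply (whether a delete was legitimate, whether a freshly signed value is meaningful) still need application-level checks.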
