On 1/30/08, Brian Eaton <[EMAIL PROTECTED]> wrote:
>
> That's right. At some point we'll put actual authentication in that
> code, but for now ironing out any kinks in the high level design is
> more important.

I agree with that. Just for the exercise, what kind of signing/encryption would be needed here? I guess the values (viewerid, ownerid, applicationid) need to be both encrypted and signed (where the encryption may actually be used as signature). For the ajax-calls back to the container this is not a problem, since a private secret can be used for that in the container. If the gadget server needs to be able to do secure phone-home, I guess it will not use this #st value, but something else it gets returned from the ajax-calls to the container, right?

> Would you mind outlining your architecture for me? Will you be using
> the java gadget server with a PHP container? Or are both the gadget
> server and the container going to be PHP based?

At this moment I'm experimenting with having the gadget server in java, while the container is in php. We were looking at using the php shindig server in the beginning, but since the java-one is much further in development, we'll use that one for now. Even if the PHP version was as far as the java version, I think we might still have chosen the java server. At the very least it will really force us to keep the two platforms totally separated :)

Our initial plans were to use google-provided gadget servers for the official launch (I understood at the meeting at Six Apart that more containers were thinking of doing things that way), but I think there is quite some extra complexity in getting shindig to work in an environment totally independent of the container. So, seeing how Orkut will be launching a 0.7 service this week, and MySpace "something" next week, we might need to speed up things a little and at least during beta use our own shindig(-based) server. In any scenario I think it's a big plus to have a proper understanding of the inner workings of Shindig.

