On Jan 30, 2008 11:21 AM, Reinoud Elhorst <[EMAIL PROTECTED]> wrote:
> I'm not convinced yet that this is enough. The secure phone home does need
> to securely transfer the viewer_id, owner_id and application_id (or
> gadget-xml-url is perhaps better), right ("securely" here means "not having
> been tampered with")? However, how does the gadget server know whether the
> gadget is allowed to view the viewer_id. I believe this is only possible if
> either allowing permission to the viewer id would set some signed value
> within the gadget, or the actual retrieval of the viewer sets some signed
> data (where the latter method seems more appropriate); perhaps I'm missing
> something here.

I'm not sure I understand your question. Could it be paraphrased as "how does the container know that the gadget has the permission to reveal the viewer ID by making a phone home request?"

If that's the question, then I think the answer is you need an access control layer of some type within the container. The container needs to know that revealing the viewer ID is acceptable to the user.

This gets into some interesting topics, like how should the viewer ID be chosen (is it an e-mail, or a username, or just an opaque value unique to each user? Should different gadgets see different viewer IDs for the same user, or should gadgets be able to correlate viewer IDs?) Does anyone know if the opensocial specs have touched on these questions?

Those are policy decisions. I'm not sure if Shindig needs code to support those policies, or if they can be enforced without help from Shindig.

Cheers,
Brian
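The exchange above describes three pieces that have to fit together: a phone-home request whose viewer_id, owner_id and gadget URL cannot be tampered with, an access-control layer in the container that decides whether the viewer ID may be disclosed to a given gadget at all, and a choice of viewer ID that stops gadgets from correlating users. The following is an added, self-contained Python model of that design; it is not Shindig's code and does not follow any OpenSocial signing format. Everything in it is an assumption made for illustration: the HMAC-SHA256 signature over sorted parameters, the single key shared between the container and one gadget server, the timestamp freshness window, the hypothetical GRANTS table standing in for the container's access-control layer, the gadget URL, and the per-gadget opaque ID derived from a container-only key so that the same user gets an uncorrelatable ID in each gadget.

```python
import hashlib
import hmac
import time
import urllib.parse

# Constructed sample keys and gadget URL (not from the thread).
CONTAINER_KEY = b"container-only-key-for-opaque-ids"   # never leaves the container
SHARED_KEY = b"key-shared-with-this-gadget-server"     # container <-> gadget server
APP_URL = "http://example.org/gadgets/hello.xml"        # hypothetical gadget XML URL
MAX_SKEW = 300                                          # seconds a signed request stays valid

# Hypothetical access-control layer: which user has allowed which gadget to
# see their viewer id. In a real container this is a policy store.
GRANTS = {("alice", APP_URL): {"viewer_id"}}


def opaque_viewer_id(container_key, user_id, app_url):
    """Per-gadget opaque id: same user, different gadget -> different, unlinkable id.

    Keyed with a container-only key, so a gadget cannot recompute or invert it.
    """
    mac = hmac.new(container_key, f"{app_url}\0{user_id}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def canonical(params):
    """Deterministic encoding of every parameter except the signature itself."""
    return "&".join(
        f"{urllib.parse.quote(k, safe='')}={urllib.parse.quote(v, safe='')}"
        for k, v in sorted(params.items())
        if k != "sig"
    )


def sign(shared_key, params):
    return hmac.new(shared_key, canonical(params).encode(), hashlib.sha256).hexdigest()


def build_phone_home(user_id, owner_id, app_url, grants, now=None):
    """Container side: apply the access-control policy, then sign what is sent.

    The owner is the user whose page hosts the gadget; disclosing their id to
    the gadget they installed is assumed to be implied by installing it.
    """
    ts = int(now if now is not None else time.time())
    params = {
        "app_url": app_url,
        "ts": str(ts),
        "owner_id": opaque_viewer_id(CONTAINER_KEY, owner_id, app_url),
    }
    # Only reveal the viewer id if this viewer granted it to this gadget.
    if "viewer_id" in grants.get((user_id, app_url), set()):
        params["viewer_id"] = opaque_viewer_id(CONTAINER_KEY, user_id, app_url)
    params["sig"] = sign(SHARED_KEY, params)
    return params


def verify_phone_home(params, shared_key=SHARED_KEY, now=None, max_skew=MAX_SKEW):
    """Gadget-server side: reject anything tampered with, unsigned, or stale."""
    if "sig" not in params:
        return False
    expected = sign(shared_key, params)
    if not hmac.compare_digest(expected, params["sig"]):
        return False
    try:
        ts = int(params.get("ts", ""))
    except ValueError:
        return False
    current = now if now is not None else time.time()
    return abs(current - ts) <= max_skew


if __name__ == "__main__":
    req = build_phone_home("alice", "bob", APP_URL, GRANTS, now=1000)
    print("signed request:", req)
    print("verifies:", verify_phone_home(req, now=1000))
    req["viewer_id"] = "someone-else"
    print("verifies after tampering:", verify_phone_home(req, now=1000))
```

Two points the model makes concrete: the permission check happens before signing, so a gadget that was not granted access simply never receives a viewer_id parameter it could forge into the request; and because the opaque ID is keyed on app_url, two gadgets comparing their phone-home logs cannot tell that they were viewed by the same person. Whether IDs should be per-gadget or shared is exactly the policy question raised above; the model only shows that the container can enforce either choice without the gadget server's cooperation.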

