Thanks Arne!  That makes me happy.

nate



On Dec 7, 9:58 am, "Arne Roomann-Kurrik (Google)"
<[EMAIL PROTECTED]> wrote:
> Hi Nate,
>
>     Yeah, part of the proposal is to include container-verified
> Viewer/Owner and Application IDs in the phone home calls.
>
> ~Arne
>
> On Dec 6, 11:31 am, nate <[EMAIL PROTECTED]> wrote:
>
> > Restricting by IP address is definitely a bad way to go.  It ties the
> > functionality of your application to the (each) container's network
> > topology.
>
> > I think we just have to be patient and wait for the OpenSocial
> > developers to release a mechanism for authentication.  They've said
> > they are working on it repeatedly, and I'm sure it's their top
> > priority (because they said so).
>
> > The OAuth request signing mechanism allows the service provider (your
> > app's home site) to verify that it's talking to the container and not
> > an impostor using shared secrets.  That way, you don't need to check
> > for IPs or do anything else hinky.
>
> > My only suggestion (that I have not heard explicitly from any O.S.
> > people) is that they make sure to include verified information about
> > the gadget owner and viewer.  This is not part of OAuth, and it
> > doesn't sound like the O.S. developers are going to implement OAuth in
> > its entirety.  This is an O.S.-specific feature that containers would
> > be required to implement.
>
> > nate
>
> > On Dec 5, 8:06 am, "Luciano Ricardi" <[EMAIL PROTECTED]> wrote:
>
> > > (...)"until OAuth is implemented"(...)
>
> > > What I've said is that some simpler implementations could be made
> > > until OAuth is implemented.... We don't know when OAuth will be part of
> > > OpenSocial... there is no information about release dates here:
>
> > > http://groups.google.com/group/opensocial/web/whats-up-with-opensocial
>
> > > On Dec 5, 2007 12:07 PM, Paul Lindner <[EMAIL PROTECTED]> wrote:
>
> > > > Please read this:
>
> > > > http://opensocialapis.blogspot.com/2007/11/improved-content-fetching-...
>
> > > > On Wed, Dec 05, 2007 at 11:01:47AM -0300, Luciano Ricardi wrote:
> > > > > I really think that a few changes to the working method of
> > > > > _IG_FetchContent() could bring some great security gains to OpenSocial
> > > > > until OAuth is implemented.
>
> > > > > Let's take the Orkut Sandbox for an example:
>
> > > > > 1 - We received the calls from Sandbox Proxies just from 3 proxies...
> > > > > 66.249.84.15
> > > > > 72.14.195.49
> > > > > 74.125.16.6
>
> > > > > Well, so we can implement security procedures in our code that prevent
> > > > > delivering content to unauthorised IPs. This is a good enhancement in
> > > > > security, but we need some way to get this list of IPs. We got these IPs
> > > > > from the access logs of the web server...
>
> > > > > 2 - The request that comes from the proxies is like this:
>
> > > > > "GET /gadgets/view_content.php?id_orkut=02772430860366983940&.cache=3239336552 HTTP/1.1"
>
> > > > > The id_orkut is the parameter that we put in our gadget code. The ".cache"
> > > > > is appended by the proxy server. Well, why not append the real ID of the
> > > > > gadget viewer? This could guarantee that the caller of _IG_FetchContent is
> > > > > the viewer of the gadget.
>
> > > > > So.... this is what I suggest to enhance the security of OpenSocial
> > > > > until OAuth is implemented:
>
> > > > > 1 - Some method to get the IPs of the proxies of the OpenSocial
> > > > > containers.
> > > > > 2 - Append the ID of the viewer (or other information) to the GET
> > > > > parameters
>
> > > > > []s
>
> > > > > Luciano R.
>
> > > > > On Dec 4, 2007 9:37 PM, nate <[EMAIL PROTECTED]> wrote:
>
> > > > > > This may or may not be obvious, but I would like to make a request
> > > > > > regarding the data that will get signed into _IG_FetchContent()
> > > > > > requests originating from OpenSocial containers.
>
> > > > > > I think the primary thing that Service Provider apps will want to
> > > > > > validate is the viewer/owner relationship.  To that end, it would be
> > > > > > really handy to make every _IG_FetchContent() request contain a
> > > > > > signed:
> > > > > >  * gadget owner ID
> > > > > >  * gadget viewer ID
> > > > > >  * owner/viewer relationship (i.e. "friends" or "public") with
> > > > > > respect to the container
>
> > > > > > If this info can be made non-spoofable, Service Providers can reliably
> > > > > > apply privacy settings, not to mention allow the gadget owner to set
> > > > > > privacy settings from within the container.
>
> > > > > > Thanks for your consideration, and all your hard work.
>
> > > > > > - nate
>
> > > > --
> > > > Paul Lindner
> > > > hi5 Architect
> > > > [EMAIL PROTECTED]
>
> > > --
> > > Luciano
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"OpenSocial API Definition" group.
To post to this group, send email to opensocial-api@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/opensocial-api?hl=en
-~----------~----~----~----~------~----~------~--~---
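
An added example, not part of the thread or of any OpenSocial code: a sketch of how an app's home site could verify an OAuth 1.0 HMAC-SHA1 signed fetch that carries owner and viewer IDs, so trust rests on the shared secret rather than the proxy's IP address. The parameter names `owner_id` and `viewer_id`, the consumer key, the secret and the host are assumptions; the thread does not define the wire format.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

def _enc(s):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal
    return quote(str(s), safe="-._~")

def signature(method, url, params, secret):
    """HMAC-SHA1 over the OAuth signature base string (method, URL, sorted params)."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = f"{_enc(secret)}&"  # consumer secret with an empty token secret
    mac = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify(method, url, params, secret, now=None, max_skew=300, seen_nonces=None):
    """Return the verified (owner, viewer) pair, or None if the request is rejected."""
    now = time.time() if now is None else now
    try:
        if abs(now - int(params["oauth_timestamp"])) > max_skew:
            return None  # stale or future-dated request
        nonce, supplied = params["oauth_nonce"], params["oauth_signature"]
        owner, viewer = params["owner_id"], params["viewer_id"]  # assumed names
    except (KeyError, ValueError):
        return None
    expected = signature(method, url, params, secret)
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None  # any changed parameter, including viewer_id, fails here
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return None  # replay of a previously accepted request
        seen_nonces.add(nonce)
    return owner, viewer

# Constructed sample values (the id_orkut value and path are those quoted in the thread).
SECRET = "constructed-shared-secret"
URL = "http://example.com/gadgets/view_content.php"

def sample_request():
    p = {"id_orkut": "02772430860366983940", "owner_id": "02772430860366983940",
         "viewer_id": "11111111111111111111", "oauth_consumer_key": "container.example",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1197050000",
         "oauth_nonce": "n-1"}
    p["oauth_signature"] = signature("GET", URL, p, SECRET)
    return p
```

Because the viewer and owner IDs are inside the signed parameter set, a caller who rewrites `viewer_id` in the query string cannot produce a matching signature without the shared secret.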
