On Mon, Apr 14, 2008 at 2:43 PM, Raymond Auge <[EMAIL PROTECTED]> wrote: > Also, what is appId supposed to be, exactly? What is the definition? Is > it simply a unique identifier of the current gadget?
It identifies a given gadget. [EMAIL PROTECTED] should be globally unique, I think. > If so, why not simply use the URL? This must be unique already... +1. There's a proposal on the spec mailing list to do this. The implementation is a little tricky, because you don't want to explode the size of the security token by embedding the entire gadget URL in there, but it's surely doable. > If there are other reasons for making this not simply the URL, perhaps a > good way of gen'ing an appId is by using an MD5, or SHA-1 hash. We could do this too. I'm not wild about the idea because it's a little obscure and doesn't save that much in terms of the size. > There is a javascript version of both here > http://pajhome.org.uk/crypt/md5/ (BSD License) You can't trust javascript to specify the app id, it has to come from the gadget server (and be signed with the gadget server's private key) in order to be trusted. Check out SigningFetcher.java to see what I'm talking about. Cheers, Brian
