Changes in the spec below:
- clarifications
- documentation of existing security considerations (e.g. removing oauth* and opensocial* parameters)
- permit multiple instances of the same application to be distinguished (this is optional, of course!)
- changes to help automate distribution of public keys.
/**
 * Fetches content from the provided URL and feeds that content into the
 * callback function.
...
 * If opt_params[gadgets.io.RequestParameters.AUTHORIZATION] is set to
 * gadgets.io.AuthorizationType.SIGNED:
 * This indicates that the container needs to vouch for the user's identity
 * to the destination server.
 * The container will
 * - remove any request parameters with names that begin with oauth, xoauth,
 *   or opensocial (ignoring whether the parameter names are upper or lower
 *   case).
 * - add the following parameters to the request query string
 *     opensocial_viewer_id: (required) The id of the current viewer, which
 *       will match the getId() value on the viewer person object.
 *     opensocial_owner_id: (required) The id of the current owner, which
 *       will match the getId() value on the owner person object.
 *     opensocial_app_url: (required) The URL of the application making the
 *       request. Containers may alias multiple application URLs to a single
 *       canonical application URL in the case where an application changes
 *       URLs.
 *     opensocial_instance_id: (optional) An opaque identifier used to
 *       distinguish between multiple instances of the same application in a
 *       single container. If a container does not allow multiple instances
 *       of the same application to coexist, this parameter may be omitted.
 *       The combination of opensocial_app_url and opensocial_instance_id
 *       will always uniquely identify an instance of an application in a
 *       container.
 *     opensocial_app_id: (optional) An opaque identifier for the
 *       application, unique to a particular container. This parameter is
 *       optional. Containers that wish to maintain backwards compatibility
 *       with the opensocial-0.7 specification may include this parameter.
 *     xoauth_public_key: (optional) An opaque identifier for the public key
 *       used to sign the request. This parameter may be omitted by
 *       containers that do not use public keys to sign requests, or if the
 *       container arranges other means of key distribution with the target
 *       of the request.
 * - sign the resulting request according to section 9 of the OAuth
 *   specification (http://oauth.net/core/1.0/#signing_process)
 *
 * Key management for gadgets.io.AuthorizationType.SIGNED:
 *
 * If a container uses public keys to sign requests, the container may choose
 * to use either self-signed certificates or certificates signed by a
 * well-known certificate authority.
 * If a container does not distribute their oauth signing key over https,
 * they should use a certificate signed by a well-known certificate
 * authority.
 *
 * The commonName attribute of the certificate should match the hostname of
 * the container server, and should also match the value of the
 * oauth_consumer_key parameter specified in the request.
 *
 * The container should make their public key available for download at a
 * well-known location. The location
 * https://<container-hostname>/opensocial/certificates/<xoauth_public_key value>
 * is recommended.
 *
 * Recipients of signed requests must verify that the signature on the
 * request is correct, and that the timestamp on the request is within a
 * reasonable time window. A time window of +-5 minutes from the current
 * time is recommended.
 *
 * Recipients of signed requests may use the oauth_consumer_key and
 * xoauth_public_key parameters to automatically detect when a container
 * deploys new certificates. If the container deploys certificates at a
 * well-known location, the recipient may automatically download the new
 * certificate. Recipients who automatically download new certificates
 * should cache the resulting certificates.
 *
 * If a container's certificate is not downloaded from
 * https://<container-hostname>, the recipient should verify that the
 * certificate is signed by a well-known certificate authority before
 * trusting the certificate.
...
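An added illustration of the proposal above, not code from this thread or from any container implementation: the container-side strip-and-sign step and the recipient-side signature and timestamp check, in Python. It assumes HMAC-SHA1 with a shared secret (the case the text allows for containers that do not sign with public keys; RSA-SHA1 would change only the sign and verify step), and the function names, hostnames, ids and secret are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

RESERVED_PREFIXES = ("oauth", "xoauth", "opensocial")  # prefixes named in the spec text
WINDOW_SECONDS = 5 * 60  # the +-5 minute window the spec text recommends


def pct(value):
    """OAuth Core 1.0 percent-encoding: everything but RFC 3986 unreserved."""
    return quote(str(value), safe="-._~")


def strip_reserved(params):
    """Drop gadget-supplied parameters that only the container may set.

    The match is case-insensitive, so OAuth_Consumer_Key is removed too.
    """
    return {k: v for k, v in params.items()
            if not k.lower().startswith(RESERVED_PREFIXES)}


def signature_base_string(method, url, params):
    """OAuth Core 1.0 section 9.1. Assumes url is normalized and has no query."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join((method.upper(), pct(url), pct(normalized)))


def hmac_sha1(base, consumer_secret):
    """Section 9.2 with an empty token secret (no OAuth token is involved)."""
    key = (pct(consumer_secret) + "&").encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def container_sign(method, url, gadget_params, identity, consumer_key,
                   secret, now, nonce):
    """Container side: strip reserved names, add its own values, then sign."""
    params = strip_reserved(gadget_params)
    params.update({
        "opensocial_owner_id": identity["owner"],
        "opensocial_app_url": identity["app_url"],
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(now)),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    })
    if identity.get("viewer") is not None:  # a container may withhold the viewer
        params["opensocial_viewer_id"] = identity["viewer"]
    base = signature_base_string(method, url, params)
    params["oauth_signature"] = hmac_sha1(base, secret)
    return params


def recipient_verify(method, url, params, secrets, now):
    """Recipient side: return (True, identity) or (False, reason)."""
    secret = secrets.get(params.get("oauth_consumer_key"))
    if secret is None:
        return False, "unknown container"
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False, "unexpected signature method"
    try:
        skew = abs(int(now) - int(params["oauth_timestamp"]))
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if skew > WINDOW_SECONDS:
        return False, "timestamp outside window"
    expected = hmac_sha1(signature_base_string(method, url, params), secret)
    supplied = str(params.get("oauth_signature", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad signature"
    return True, {k: v for k, v in params.items() if k.startswith("opensocial_")}


def demo():
    # Constructed sample values; every id, hostname and secret is hypothetical.
    secret = "constructed-shared-secret"
    secrets = {"container.example.com": secret}
    url = "http://api.example.org/data"
    issued = 1208600000
    # The gadget tries to supply its own identity and consumer key.
    gadget_params = {"page": "2", "opensocial_viewer_id": "someone-else",
                     "OAuth_Consumer_Key": "spoofed", "XOAUTH_public_key": "x"}
    identity = {"viewer": "viewer-123", "owner": "owner-456",
                "app_url": "http://gadgets.example.org/app.xml"}
    signed = container_sign("GET", url, gadget_params, identity,
                            "container.example.com", secret, issued, "n-1")
    fresh = recipient_verify("GET", url, signed, secrets, issued + 120)
    stale = recipient_verify("GET", url, signed, secrets, issued + 301)
    altered = dict(signed, opensocial_viewer_id="someone-else")
    tampered = recipient_verify("GET", url, altered, secrets, issued)
    return signed, fresh, stale, tampered


if __name__ == "__main__":
    for outcome in demo()[1:]:
        print(outcome)
```

The strip step runs before the container adds its own values, so a gadget cannot pre-seed opensocial_viewer_id or any oauth parameter into the signed request.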
Because it is allowing the ability to pass both url and an app id to the third party server. Thus delaying the need for resolution on what app id actually means to all containers. (Very nicely done :)
On Sat, Apr 19, 2008 at 3:10 AM, Brian Eaton <bea...@google.com> wrote:
> Changes in the spec below:
> - clarifications
> - documentation of existing security considerations (e.g. removing
> oauth* and opensocial* parameters)
> - permit multiple instances of the same application to be
> distinguished (this is optional, of course!)
> - changes to help automate distribution of public keys.
+1 to this with Louis' amendment. This is an excellent clarification
of some of the ambiguities around signed requests. I like including
the suggested practices around key fetching and request lifespan as
well.
> On Apr 21, 10:54 am, "Louis Ryan" <lr...@google.com> wrote:
> > One note. opensocial_viewer_id should be optional not required as containers
> > can choose to hide the viewer's identity from the gadget.
> > -Louis
> > On Mon, Apr 21, 2008 at 3:46 AM, Cassie <d...@google.com> wrote:
> > > To be clear, this is simply more detail added to this proposal:
> > > Because it is allowing the ability to pass both url and an app id to the
> > > third party server. Thus delaying the need for resolution on what app id
> > > actually means to all containers. (Very nicely done :)
> > > Thanks.
> > > - Cassie
On Fri, Apr 25, 2008 at 4:31 AM, Cassie <d...@google.com> wrote:
> I made opensocial_viewer_id optional in the spec change, so we have 3 votes.
> - Cassie
> On Fri, Apr 25, 2008 at 2:58 AM, Arne Roomann-Kurrik (Google) <api.kur...@google.com> wrote:
> > +1 to this with Louis' amendment. This is an excellent clarification
> > of some of the ambiguities around signed requests. I like including
> > the suggested practices around key fetching and request lifespan as
> > well.
On Fri, Apr 25, 2008 at 9:37 AM, Brian Eaton <bea...@google.com> wrote:
> [+balfanz, because he thinks this is a good idea]
> On Fri, Apr 25, 2008 at 9:37 AM, Brian Eaton <bea...@google.com> wrote:
>> [+balfanz, because he thinks this is a good idea]
>> On Fri, Apr 25, 2008 at 4:31 AM, Cassie <d...@google.com> wrote:
>> > I made opensocial_viewer_id optional in the spec change, so we have 3 votes.
>> > - Cassie
>> > On Fri, Apr 25, 2008 at 2:58 AM, Arne Roomann-Kurrik (Google) <api.kur...@google.com> wrote:
>> > > +1 to this with Louis' amendment. This is an excellent clarification
>> > > of some of the ambiguities around signed requests. I like including
>> > > the suggested practices around key fetching and request lifespan as
>> > > well.
>> > > On Apr 21, 10:54 am, "Louis Ryan" <lr...@google.com> wrote:
>> > > > One note. opensocial_viewer_id should be optional not required as containers
>> > > > can choose to hide the viewers identity from the gadget.
>> > > > -Louis
>> > > > On Mon, Apr 21, 2008 at 3:46 AM, Cassie <d...@google.com> wrote:
>> > > > > To be clear, this is simply more detail added to this proposal:
>> > > > > Because it is allowing the ability to pass both url and an app id to the
>> > > > > third party server. Thus delaying the need for resolution on what app id
>> > > > > actually means to all containers. (Very nicely done :)
>> > > > > Thanks.
>> > > > > - Cassie
>> > > > > On Sat, Apr 19, 2008 at 3:10 AM, Brian Eaton <bea...@google.com> wrote:
> +1, in particular because opensocial_app_url is not optional...
> --g
> On Fri, Apr 25, 2008 at 9:42 AM, Lane LiaBraaten <lliab...@google.com> wrote:
> > +1
> > On Fri, Apr 25, 2008 at 9:37 AM, Brian Eaton <bea...@google.com> wrote:
> >> [+balfanz, because he thinks this is a good idea]
> >> On Fri, Apr 25, 2008 at 4:31 AM, Cassie <d...@google.com> wrote:
> >> > I made opensocial_viewer_id optional in the spec change, so we have 3 votes.
> >> > - Cassie
> >> > On Fri, Apr 25, 2008 at 2:58 AM, Arne Roomann-Kurrik (Google) <api.kur...@google.com> wrote:
> >> > > +1 to this with Louis' amendment. This is an excellent clarification
> >> > > of some of the ambiguities around signed requests. I like including
> >> > > the suggested practices around key fetching and request lifespan as
> >> > > well.
> >> > > On Apr 21, 10:54 am, "Louis Ryan" <lr...@google.com> wrote:
> >> > > > One note. opensocial_viewer_id should be optional not required as containers
> >> > > > can choose to hide the viewers identity from the gadget.
> >> > > > -Louis
> >> > > > On Mon, Apr 21, 2008 at 3:46 AM, Cassie <d...@google.com> wrote:
> >> > > > > To be clear, this is simply more detail added to this proposal:
> >> > > > > Because it is allowing the ability to pass both url and an app id to the
> >> > > > > third party server. Thus delaying the need for resolution on what app id
> >> > > > > actually means to all containers. (Very nicely done :)
> >> > > > > Thanks.
> >> > > > > - Cassie
> >> > > > > On Sat, Apr 19, 2008 at 3:10 AM, Brian Eaton <bea...@google.com> wrote:
On Fri, Apr 25, 2008 at 3:47 PM, <mnewbo...@myspace.com> wrote:
> +1
> On Apr 25, 9:51 am, Graham Spencer <g...@google.com> wrote:
> > +1, in particular because opensocial_app_url is not optional...
> > --g
> > On Fri, Apr 25, 2008 at 9:42 AM, Lane LiaBraaten <lliab...@google.com> wrote:
> > > +1
> > > On Fri, Apr 25, 2008 at 9:37 AM, Brian Eaton <bea...@google.com> wrote:
> > >> [+balfanz, because he thinks this is a good idea]
> > >> On Fri, Apr 25, 2008 at 4:31 AM, Cassie <d...@google.com> wrote:
> > >> > I made opensocial_viewer_id optional in the spec change, so we have 3 votes.
> > >> > - Cassie
> > >> > On Fri, Apr 25, 2008 at 2:58 AM, Arne Roomann-Kurrik (Google) <api.kur...@google.com> wrote:
> > >> > > +1 to this with Louis' amendment. This is an excellent clarification
> > >> > > of some of the ambiguities around signed requests. I like including
> > >> > > the suggested practices around key fetching and request lifespan as
> > >> > > well.
> > >> > > On Apr 21, 10:54 am, "Louis Ryan" <lr...@google.com> wrote:
> > >> > > > One note. opensocial_viewer_id should be optional not required as containers
> > >> > > > can choose to hide the viewers identity from the gadget.
> > >> > > > -Louis
> > >> > > > On Mon, Apr 21, 2008 at 3:46 AM, Cassie <d...@google.com> wrote:
> > >> > > > > To be clear, this is simply more detail added to this proposal:
> > >> > > > > Because it is allowing the ability to pass both url and an app id to the
> > >> > > > > third party server. Thus delaying the need for resolution on what app id
> > >> > > > > actually means to all containers. (Very nicely done :)
> > >> > > > > Thanks.
> > >> > > > > - Cassie
> > >> > > > > On Sat, Apr 19, 2008 at 3:10 AM, Brian Eaton <bea...@google.com> wrote:
On Fri, Apr 25, 2008 at 3:52 PM, John Panzer <jpan...@google.com> wrote:
> +1
> On Fri, Apr 25, 2008 at 3:47 PM, <mnewbo...@myspace.com> wrote:
> > +1
> > On Apr 25, 9:51 am, Graham Spencer <g...@google.com> wrote:
> > > +1, in particular because opensocial_app_url is not optional...
> > > --g
> > > On Fri, Apr 25, 2008 at 9:42 AM, Lane LiaBraaten <lliab...@google.com> wrote:
> > > > +1
> > > > On Fri, Apr 25, 2008 at 9:37 AM, Brian Eaton <bea...@google.com> wrote:
> > > >> [+balfanz, because he thinks this is a good idea]
> > > >> On Fri, Apr 25, 2008 at 4:31 AM, Cassie <d...@google.com> wrote:
> > > >> > I made opensocial_viewer_id optional in the spec change, so we have 3 votes.
> > > >> > - Cassie
> > > >> > On Fri, Apr 25, 2008 at 2:58 AM, Arne Roomann-Kurrik (Google)
> > > >> > > +1 to this with Louis' amendment. This is an excellent clarification
> > > >> > > of some of the ambiguities around signed requests. I like including
> > > >> > > the suggested practices around key fetching and request lifespan as
> > > >> > > well.
> > > >> > > On Apr 21, 10:54 am, "Louis Ryan" <lr...@google.com> wrote:
> > > >> > > > One note. opensocial_viewer_id should be optional not required as containers
> > > >> > > > can choose to hide the viewers identity from the gadget.
> > > >> > > > -Louis
> > > >> > > > On Mon, Apr 21, 2008 at 3:46 AM, Cassie <d...@google.com> wrote:
> > > >> > > > > To be clear, this is simply more detail added to this proposal:
> > > >> > > > > Because it is allowing the ability to pass both url and an app id to the
> > > >> > > > > third party server. Thus delaying the need for resolution on what app id
> > > >> > > > > actually means to all containers. (Very nicely done :)
> > > >> > > > > Thanks.
> > > >> > > > > - Cassie
> > > >> > > > > On Sat, Apr 19, 2008 at 3:10 AM, Brian Eaton <bea...@google.com> wrote:
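The container-side and recipient-side rules of the signed-request proposal in this thread, as added Python example code that is not part of the thread or of any OpenSocial implementation. It assumes HMAC-SHA1 with a shared secret instead of a public-key signature, so that it runs on the standard library alone; the function names, the `trusted_hosts` allowlist and every sample value are hypothetical.

```python
# Added illustration. Assumptions: HMAC-SHA1 with a shared secret, hypothetical names.
import base64
import hashlib
import hmac
from urllib.parse import quote

RESERVED_PREFIXES = ("oauth", "xoauth", "opensocial")
MAX_SKEW_SECONDS = 5 * 60  # the +-5 minute window the proposal recommends


def enc(value):
    """Percent-encode the OAuth 1.0 way: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def strip_reserved(params):
    """Drop gadget-supplied names that start with a reserved prefix, in any letter case."""
    return {k: v for k, v in params.items()
            if not k.lower().startswith(RESERVED_PREFIXES)}


def base_string(method, url, params):
    """OAuth 1.0 signature base string; oauth_signature itself is never signed."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(k + "=" + v for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])


def hmac_sha1(secret, text):
    """HMAC-SHA1 over the base string; the token-secret half of the key is left empty."""
    key = (enc(secret) + "&").encode()
    return base64.b64encode(hmac.new(key, text.encode(), hashlib.sha1).digest()).decode()


def container_sign(method, url, gadget_params, identity, consumer_key, secret, now, nonce):
    """Container side: strip reserved names, add the container's own values, then sign."""
    params = strip_reserved(gadget_params)
    params.update(identity)  # opensocial_owner_id, opensocial_app_url, ...
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(now)),
        "oauth_nonce": nonce,
    })
    params["oauth_signature"] = hmac_sha1(secret, base_string(method, url, params))
    return params


def recipient_verify(method, url, params, secrets, now):
    """Recipient side: return (ok, reason). `secrets` maps oauth_consumer_key to a secret."""
    secret = secrets.get(params.get("oauth_consumer_key"))
    if secret is None:
        return False, "unknown container"
    expected = hmac_sha1(secret, base_string(method, url, params))
    supplied = str(params.get("oauth_signature", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad signature"
    try:
        timestamp = int(params["oauth_timestamp"])
    except (KeyError, TypeError, ValueError):
        return False, "bad timestamp"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    return True, "ok"


def certificate_url(container_host, key_id):
    """Recommended download location; the key id is encoded as a single path segment."""
    return "https://%s/opensocial/certificates/%s" % (container_host, quote(key_id, safe=""))


class CertCache:
    """Certificates cached per (oauth_consumer_key, xoauth_public_key) pair."""

    def __init__(self, trusted_hosts, fetch):
        self.trusted_hosts = set(trusted_hosts)  # assumption: recipient keeps an allowlist
        self.fetch = fetch                       # hypothetical callable: URL -> certificate
        self.certs = {}

    def get(self, consumer_key, key_id):
        if consumer_key not in self.trusted_hosts:
            raise ValueError("untrusted container: %r" % (consumer_key,))
        pair = (consumer_key, key_id)
        if pair not in self.certs:  # unseen pair: the container deployed a new certificate
            self.certs[pair] = self.fetch(certificate_url(consumer_key, key_id))
        return self.certs[pair]


if __name__ == "__main__":
    # Constructed sample values; nothing here comes from a real container.
    url, host = "http://app.example.com/api", "container.example.org"
    secrets = {host: "constructed-shared-secret"}
    ident = {"opensocial_viewer_id": "viewer-42", "opensocial_owner_id": "owner-7",
             "opensocial_app_url": "http://gadgets.example.com/app.xml"}
    gadget = {"q": "cats", "OpenSocial_Viewer_Id": "spoofed"}
    signed = container_sign("GET", url, gadget, ident, host, secrets[host], 1209100000, "n-1")
    print(recipient_verify("GET", url, signed, secrets, 1209100060))
    print(recipient_verify("GET", url, signed, secrets, 1209100000 + 301))
```

With a public-key signature only `hmac_sha1` and the secret lookup change; the stripping, the timestamp window and the cache key stay the same.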