Security implications


Tom Wang

Aug 4, 2008, 5:55:16 PM
to Open Data Definition
Hi everyone,

Has there been a discussion on some of the security implications and
designs that may be necessary regarding importing an OpenDD document?
I have not noticed anything regarding security on the OpenDD website
or this discussion group. Thanks.

Tom

Marcus Povey

Aug 5, 2008, 6:07:14 AM
to Open Data Definition
Hi Tom,

The discussion has not yet been formally had, but I'm more than happy
to have it now :)

I've had to think about a number of things when putting together the
Elgg implementation, but I have not talked about this at length
because they were issues that were specific to Elgg.

My feeling is that most of the issues are going to be related to the
implementation and application of OpenDD, rather than with the format
itself. In the import/export use case OpenDD is just a medium for data
exchange...

Marcus

Chris Messina

Aug 5, 2008, 9:00:31 PM
to open-data-...@googlegroups.com
I'll just put it out there, but I think OAuth is a blanket solution for data access here...


Once you've granted access using the typical OAuth flow, you'd simply be piping OAuth-signed ODD documents back and forth.

Chris
--
Chris Messina
Citizen-Participant &
Open Source Advocate-at-Large
factoryjoe.com # diso-project.org
citizenagency.com # vidoop.com
This email is: [ ] bloggable [X] ask first [ ] private

Tse-Wen Tom Wang

Aug 6, 2008, 3:34:40 PM
to open-data-...@googlegroups.com
Sounds good. OAuth should work here.

I think another thing to watch out for is that any relationship imported
from an ODD document should require the same confirmation as an
ordinary "Add Friend" in the social network. For instance, let's say
that LinkedIn and MySpace decide to implement OpenDD. LinkedIn
records the relationships as "connections." If MySpace decide simply
to import the connections relationships from LinkedIn without
confirmation, and your boss and you are connected in LinkedIn, your
boss can simply add you as a friend on MySpace by exporting the ODD
file from LinkedIn and importing it into MySpace. This very well may
not be desirable, depending on what you have put on MySpace.

Tom

chris....@gmail.com

Aug 6, 2008, 4:29:07 PM
to open-data-...@googlegroups.com, jos...@plaxo.com
I think bidi relationship statuses could be offered in the spec but
should not be required. For example, "following" has become common as
of late (see Twitter) and bi-directionality is not only *not*
required, but possibly the minority situation.

As well, bi-directionality is contextual: perhaps we follow each other
on Twitter but not on Tumblr or some other such site.

Take a look at the spec coming out of portablecontacts.net for more
thinking on this.

Chris

Marcus Povey

Aug 10, 2008, 7:24:03 AM
to Open Data Definition
I tend to agree with you...

OpenDD + OAuth is something I definitely want to look at once things
quiet down a bit on the Elgg dev front.

Marcus

Marcus Povey

Aug 10, 2008, 8:00:30 AM
to Open Data Definition
Agreed.

Whether you do this as a flag on the relationship, or by having two
relationship tags defining a relationship instead of one, is
debatable.

So, a tag saying 'Alice is a friend of Bob' and another saying 'Bob is
a friend of Alice' would together define a bidirectional
representation of a friend.

Import from a system like Elgg or LiveJournal where friends are not
bidi to one where they are would probably have to trigger some
conflict resolution - confirmation emails etc. as suggested.

Marcus

On Aug 6, 9:29 pm, chris.mess...@gmail.com wrote:
> I think bidi relationship statuses could be offered in the spec but
> should not be required. For example, "following" has become common as
> of late (see Twitter) and bi-directionality is not only *not*
> required, but possibly the minority situation.
>
> As well, bi-directionality is contextual: perhaps we follow each other
> on Twitter but not on Tumblr or some other such site.
>
> Take a look at the spec coming out of portablecontacts.net for more
> thinking on this.
>
> Chris
>
> On 8/6/08, Tse-Wen Tom Wang <tse...@gmail.com> wrote:
> > Sounds good.  OAuth should work here.
>
> > I think another thing to watch out is that any relationship imported
> > from an ODD document should require the same confirmation as an
> > ordinary "Add Friend" in the social network.  For instance, let's say
> > that LinkedIn and MySpace decide to implement OpenDD.  LinkedIn
> > records the relationships as "connections."  If MySpace decide simply
> > to import the connections relationships from LinkedIn without
> > confirmation, and your boss and you are connected in LinkedIn, your
> > boss can simply add you as a friend on MySpace by exporting the ODD
> > file from LinkedIn and importing it into MySpace.  This very well may
> > not be desirable, depending on what you have put on MySpace.
>
> > Tom
>
> > On Tue, Aug 5, 2008 at 6:00 PM, Chris Messina <chris.mess...@gmail.com>
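As an added illustration of the two points above (Tom's requirement that imported relationships get the same confirmation as an ordinary "Add Friend", and Marcus's suggestion of two tags, one per direction, to represent a bidirectional friendship), here is example code that is not from the OpenDD project or from anyone in this thread. The `<relationship uuid1 type uuid2/>` element shape and the sample document are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted uploads

# Constructed sample export. Its <relationship uuid1 type uuid2/> shape is an
# assumption about OpenDD's relationship tag, not a document from the project.
SAMPLE_ODD = """<?xml version="1.0"?>
<odd version="1.0">
  <relationship uuid1="alice" type="friend" uuid2="bob"/>
  <relationship uuid1="bob" type="friend" uuid2="alice"/>
  <relationship uuid1="boss" type="friend" uuid2="alice"/>
  <relationship uuid1="alice" type="follow" uuid2="carol"/>
</odd>
"""

def parse_relationships(xml_text):
    """Return the set of directed (from, type, to) edges asserted in the document."""
    root = ET.fromstring(xml_text)
    return {(r.get("uuid1"), r.get("type"), r.get("uuid2"))
            for r in root.iter("relationship")}

def is_bidirectional(edge, edges):
    """Two tags 'A friend B' and 'B friend A' together represent a
    bidirectional relationship; a single tag is one-way."""
    a, t, b = edge
    return (b, t, a) in edges

def plan_import(xml_text, importer, symmetric_types=("friend",)):
    """Decide what the importing site does with each edge when `importer`
    uploads the document. No symmetric relationship becomes active here:
    the other party must confirm, exactly as for an ordinary 'Add Friend'."""
    edges = parse_relationships(xml_text)
    plan = {"requests": [], "one_way": [], "unverified": [], "dropped": []}
    for edge in sorted(edges):
        a, t, b = edge
        if a == importer and t in symmetric_types:
            # Pending request to b; the flag records whether b also claimed it at the source.
            plan["requests"].append((b, t, is_bidirectional(edge, edges)))
        elif a == importer:
            # Following-style edge: the importer's own one-way action; nothing is granted to b.
            plan["one_way"].append((b, t))
        elif b == importer:
            # Asserted by someone else; the file alone cannot make them the importer's friend.
            plan["unverified"].append((a, t))
        else:
            plan["dropped"].append(edge)  # neither endpoint is the importer
    return plan
```

With `plan_import(SAMPLE_ODD, "boss")` the boss's LinkedIn connection to alice only becomes a pending request that alice must accept on the new site, which is the outcome Tom asks for.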