November 06, 2007

Ahem ... like I've been saying. There's nothing really wrong with the OpenSocial or openness or even common APIs for social applications. It's just that in practice it's pretty much impossible to square the conflicting privacy concerns, and requirements for user's control over their own data, with widgets except in a walled garden owned by one trusted platform owner.

You'd need an entirely new security model.

Currently ...

Security issues are the main problem. “At the moment security is up to the container,” Marks said. “It’s clearly something we need to work better on, authenticating between sites.”

OpenSocial could potentially have functions, such as add friend, and bridge between social networks, but security gaps get in the way. “It comes down to the permission model from Unix. It treats applications as agents of users. The model needs a bit of refinement–you don’t want to delegate read/write access permission to others.”

How much flexibility to build into the APIs is a concern. “If you delegate back to the container, a gadget can send mail. It’s different than a gadget asking to send mail itself. It’s a fine line to walk. If you protect it too much, you are making it unusable and people will walk around it,” Marks said.

OpenSocial could hook into an instant messaging buddy list, but it could allow invasive scenarios such as clicking on a friend and seeing the friends full buddy list.

Post a Comment