CloudServices/Notifications/Push/API: Difference between revisions

Jump to navigation Jump to search

CloudServices/Notifications/Push/API (view source)

Revision as of 22:07, 5 February 2012

5 bytes removed ,  5 February 2012
m
→‎Feedback
Line 138: Line 138:
<p>
<p>
<blockquote>
<blockquote>
Re: spoofing (@Gerv)
* From a security viewpoint, the obvious choice to prevent spoofing is digital signatures. However, client-side (in this case the notifying website) developers who aren't familiar with PKI often find it too complex, resulting in a lack of third-party API implementations (see OAuth!). If Mozilla intends to develop, distribute and support the client API themselves, this is less of an issue. If this is not the case, OAuth 2.0 has some non-PKI options. Implementing all of the OAuth 2.0 protocol may be too heavyweight, but it would at least offer some inspiration.
 
* The designers should also consider verifying the integrity and source of notifications received by the browser.
From a security viewpoint, the obvious choice is digital signatures. However, client-side (in this case the notifying website) developers who aren't familiar with PKI often find it too complex, resulting in a lack of third-party API implementations (see OAuth!). If Mozilla intends to develop, distribute and support the client API themselves, this is less of an issue. If this is not the case, OAuth 2.0 has some non-PKI options. Implementing all of the OAuth 2.0 protocol may be too heavyweight, but it would at least offer some inspiration.
 
Note. The designers should also consider verifying the integrity and source of notifications received by the browser.


-- Ryan Schipper
-- Ryan Schipper
Retrieved from "https://wiki.allizom.org/Special:MobileDiff/394299"

Navigation menu