One of the first challenges I've been trying to tackle on the topic of widgets is the concept of "trust". If we have people publishing their own widgets (as I hope we do), then end-users and IT professionals alike will need some way of knowing whether or not to trust a widget before and during installation. Here's what I've been thinking so far. Let me know what you think about it. In an early internal experiment here at SAP we made some mistakes that would have allowed another widget to hijack the user’s credentials- handy for giving yourself a raise, but horror show for us. As a result, we realized that we’d better make it easy to create safe code and introduce pre-built libraries for handling user credentials and data transmission. Look for these coming soon from frederic.samson/blog. Eventually, we’re looking to provide a small footprint client-side enterprise widget service provider that will run alongside the widget engine. Since that’s entirely too long of a name and it doesn’t spell anything snazzy, lets call it "Foundation" for now. In addition to providing a service to handle user credentials and data transmission, Foundation will also afford end-users and IT folks a method of validating "trust". Here’s how it might work: when an enterprise widget is installed, the Foundation checks to see that the widget correctly uses the Foundation services and doesn’t install components directly on the OS). If everything checks out, the Foundation will pop-up a nifty SAP branded dialog saying that this widget uses SAP authentication and communication services. This won't ensure that the widget will provide good data or accurate results, but at least it won't expose private data or mishandle user credentials. I compare this to what Verisign does. Verisign doesn’t prove that a website won’t rip-you off, but it does ensure that at least the publisher is who they say they are. At a Web 2.0 event I attended last week, a large financial company confessed to me that they "want someone to sue in order to trust something". If this feeling is widespread, I’m thinking about providing a SAP code certification program. This sounds expensive, and probably will be, but for those customers who want to rely on a 3rd part vendor to provide a tool for their customers, then this will be the way to go.
