On Thu, Apr 23, 2009 at 6:43 PM, Dossy Shiobara <do...@panoptic.com> wrote:
> On 4/23/09 9:26 PM, Brian Eaton wrote:
>> That's not a good user experience, nor is it necessary to fix the
>> security problems in the protocol.
>
> Let me say it another way: yanking support for OAuth in response to
> security issues is even worse user experience.
>
> Define the spec. such that it is sufficiently secure, then in future
> revisions work hard to pare it down to what is necessary and sufficient
> in order to improve the user experience.

It's totally unsurprising that it's easy to build something insecure on top of OAuth, desktop or otherwise. The vulnerability we've been freaking out about all week means that you basically *can't* build a secure system on top of it without either doing a lot of things that aren't even hinted at in the security considerations or changing the protocol completely.

The goal for any changes we make should be to make it easy to build a secure system on top of OAuth. Making it hard to build something insecure using OAuth isn't anywhere near possible, and it's a waste of time to try to discuss it.

In the case of desktop apps using OAuth, there are a bunch of (hopefully) blindingly obvious pitfalls, the root of the problem being that it's inherently impossible for the SP to authenticate that the consumer is who it claims to be. This is nothing new, and nothing we can fix by adding more tokens and requests and signatures. There are any number of ideas floating around, all of which are possible to implement using OAuth 1.0, which still allow you to build something reasonably secure. (For example, there are any number of iPhone apps using a custom URL scheme for their callback URL.) But these things don't need to be hardcoded into the spec.

> --
> Dossy Shiobara | do...@panoptic.com | http://dossy.org/
> Panoptic Computer Network | http://panoptic.com/
> "He realized the fastest way to change is to laugh at your own
> folly -- then you can let go and quickly move on." (p. 70)