On Sat, Dec 26, 2009 at 01:21, John Smith <deltafoxtrot...@gmail.com> wrote:
> 2009/12/26 Matt Amos <zerebub...@gmail.com>:
>> On Fri, Dec 25, 2009 at 9:38 AM, John Smith <deltafoxtrot...@gmail.com> wrote:
>>> I don't think OAuth is a valid security method.
>>
>> why not?
>
> If you hadn't snipped my email you would have read the answer.
Well, here it is, your answer:

> In this day and age we should have moved to mutual cryptographic
> authentication long ago.

Hmmm, one of us doesn't understand OAuth, or we have a different understanding of what _mutual cryptographic authentication_ is.

The client and server verify each other using shared secrets, which should normally happen using HMAC-SHA1[1] (while plain text is supported)[2][3]. The Resource Owner Authorization[4] as well as the exchange of the shared secret will need to be done using a secure method (SSL/TLS), but that doesn't mean that OAuth 1.0a or OAuth WRAP aren't valid authentication/authorization mechanisms. It just means that there is a way to implement it in an insecure way.

Cheers,
Lars

[1] http://en.wikipedia.org/wiki/HMAC
[2] http://tools.ietf.org/html/draft-hammer-oauth-08#section-3.2
[3] http://tools.ietf.org/html/draft-hammer-oauth-08#section-3
[4] http://tools.ietf.org/html/draft-hammer-oauth-08#section-2.2

_______________________________________________
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk
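What Lars describes above (both sides holding shared secrets, the request signed with HMAC-SHA1, PLAINTEXT also allowed) is worked through below as an added example. It is not code from this thread, from OpenStreetMap or from the OAuth draft; it follows the signature base string, HMAC-SHA1 and PLAINTEXT rules of draft-hammer-oauth-08 section 3 (later RFC 5849 section 3.4). The request and its expected base string are the worked example from RFC 5849 section 3.4.1.1; the two secrets, the nonce store and all function names (sign_request, verify_request, and so on) are assumptions made for this illustration.

```python
"""OAuth 1.0 HMAC-SHA1 signing (client) and verification (server).

Added example, not code from the OpenStreetMap list, the OAuth draft or
RFC 5849. Follows draft-hammer-oauth-08 section 3. The request below is
the RFC 5849 section 3.4.1.1 example; secrets, nonce store and helper
names are assumptions for this illustration.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s):
    """OAuth percent-encoding: only ALPHA, DIGIT, '-', '.', '_' and '~' stay bare."""
    return quote(s, safe="")


def base_string_uri(url):
    """Scheme and host lowercased, default port dropped, query and fragment removed."""
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), u.hostname.lower(), u.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{u.path or '/'}"


def signature_base_string(method, url, oauth_params, body=""):
    """METHOD & enc(base URI) & enc(sorted, encoded name=value pairs).

    Pairs come from the query string, the form-encoded body and the
    oauth_* parameters; realm and oauth_signature are excluded.
    """
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += parse_qsl(body, keep_blank_values=True)  # '+' decodes to space
    pairs += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)  # by name, then by value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def signing_key(consumer_secret, token_secret=""):
    """Both shared secrets, encoded and joined by '&' (section 3.4.2)."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def hmac_sha1_signature(base, key):
    digest = hmac.new(key.encode("ascii"), base.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def plaintext_signature(consumer_secret, token_secret=""):
    """PLAINTEXT (section 3.4.4): the 'signature' is the key itself, so both
    secrets travel in every request and only TLS keeps them private."""
    return signing_key(consumer_secret, token_secret)


def sign_request(method, url, oauth_params, body, consumer_secret, token_secret):
    """Client side: return the oauth_* parameters with oauth_signature filled in."""
    params = dict(oauth_params, oauth_signature_method="HMAC-SHA1")
    base = signature_base_string(method, url, params, body)
    params["oauth_signature"] = hmac_sha1_signature(base, signing_key(consumer_secret, token_secret))
    return params


def authorization_header(params, realm=""):
    """Serialize the parameters as an 'Authorization: OAuth ...' header value."""
    items = [f'realm="{realm}"'] if realm else []
    items += [f'{pct(k)}="{pct(v)}"' for k, v in params.items()]
    return "OAuth " + ", ".join(items)


def verify_request(method, url, oauth_params, body, consumer_secret, token_secret, seen_nonces):
    """Server side: recompute the signature with its own copy of the secrets,
    compare in constant time, and reject replays via the caller's
    (consumer_key, timestamp, nonce) store (an in-memory set here)."""
    if oauth_params.get("oauth_signature_method") != "HMAC-SHA1":
        return False  # refuse PLAINTEXT and anything unexpected
    replay_key = tuple(oauth_params.get(k) for k in ("oauth_consumer_key", "oauth_timestamp", "oauth_nonce"))
    if None in replay_key or replay_key in seen_nonces:
        return False
    expected = hmac_sha1_signature(signature_base_string(method, url, oauth_params, body),
                                   signing_key(consumer_secret, token_secret))
    if not hmac.compare_digest(expected, oauth_params.get("oauth_signature", "")):
        return False
    seen_nonces.add(replay_key)
    return True


# Constructed input: the RFC 5849 section 3.4.1.1 example request.
# The two secrets are made-up values for this example.
METHOD = "POST"
URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
BODY = "c2&a3=2+q"
OAUTH_PARAMS = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
                "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
                "oauth_nonce": "7d8f3e4a"}
CONSUMER_SECRET, TOKEN_SECRET = "j49sk3j29djd", "dh893hdasih9"
# Base string as printed in RFC 5849 section 3.4.1.1 for this request.
RFC_BASE_STRING = ("POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
                   "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
                   "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
                   "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7")

if __name__ == "__main__":
    signed = sign_request(METHOD, URL, OAUTH_PARAMS, BODY, CONSUMER_SECRET, TOKEN_SECRET)
    print(authorization_header(signed, realm="Example"))
    store = set()
    print("valid:", verify_request(METHOD, URL, signed, BODY, CONSUMER_SECRET, TOKEN_SECRET, store))
    print("replay:", verify_request(METHOD, URL, signed, BODY, CONSUMER_SECRET, TOKEN_SECRET, store))
    print("PLAINTEXT would send:", plaintext_signature(CONSUMER_SECRET, TOKEN_SECRET))
```

The point the thread is arguing about is visible in the two signature methods: with HMAC-SHA1 the secrets never leave either party and a tampered body, a wrong token secret or a replayed nonce all fail verification, while plaintext_signature() shows that PLAINTEXT puts both secrets on the wire, which is why the draft only permits it over TLS. Token issuance and the resource-owner authorization step are outside this snippet and, as Lars says, must themselves run over TLS.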