W3C home > Mailing lists > Public > public-rww@w3.org > July 2012

Fwd: OAuth 2.0 and the road to hell

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sat, 28 Jul 2012 16:58:09 +0200
Message-ID: <CAKaEYhK0bYfEVR7Odm6Y0RwoCOokGkhLvKDFcfz2wF2qTWSSdw@mail.gmail.com>
To: public-rww <public-rww@w3.org>
---------- Forwarded message ----------
From: Manu Sporny <msporny@digitalbazaar.com>
Date: 28 July 2012 16:44
Subject: OAuth 2.0 and the road to hell
To: Web Payments <public-webpayments@w3.org>

Eran Hammer has just resigned as the lead editor and driver for the
OAuth 2.0 specification... here's the article explaining why:


A couple of excerpts:

"It is the biggest professional disappointment of my career."

"2.0 got rid of all signatures and cryptography at the protocol level.
Instead it relies solely on TLS. This means that 2.0 tokens are
inherently less secure as specified."

"Whatever is gained from the removal of the signature is lost twice in
the introduction of the token state management requirement."

"we are also likely to see major security failures in the next couple of
years... It will be another hated protocol you are stuck with."

This is coming from the primary person that has driven the OAuth work
since its inception... food for thought.

I wouldn't claim that Web Keys is a replacement for OAuth (although, it
can be used as such)... but for people that need to use both Linked Data
and an easily verifiable message format - Web Keys will do a better job
for you than OAuth will. Food for thought...

-- manu

Manu Sporny (skype: msporny, twitter: manusporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Which is better - RDFa Lite or Microdata?
Received on Saturday, 28 July 2012 14:58:37 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:40:01 UTC