W3C home > Mailing lists > Public > public-webpayments@w3.org > July 2012

OAuth 2.0 and the road to hell

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Sat, 28 Jul 2012 10:44:27 -0400
Message-ID: <5013FACB.1070408@digitalbazaar.com>
To: Web Payments <public-webpayments@w3.org>
Eran Hammer has just resigned as the lead editor and driver for the
OAuth 2.0 specification... here's the article explaining why:

http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

A couple of excerpts:

"It is the biggest professional disappointment of my career."

"2.0 got rid of all signatures and cryptography at the protocol level.
Instead it relies solely on TLS. This means that 2.0 tokens are
inherently less secure as specified."

"Whatever is gained from the removal of the signature is lost twice in
the introduction of the token state management requirement."

"we are also likely to see major security failures in the next couple of
years... It will be another hated protocol you are stuck with."

This is coming from the primary person that has driven the OAuth work
since its inception... food for thought.

I wouldn't claim that Web Keys is a replacement for OAuth (although, it
can be used as such)... but for people that need to use both Linked Data
and an easily verifiable message format - Web Keys will do a better job
for you than OAuth will. Food for thought...

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Which is better - RDFa Lite or Microdata?
http://manu.sporny.org/2012/mythical-differences/
Received on Saturday, 28 July 2012 14:44:51 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 28 July 2012 14:44:52 GMT