Re: [apps-discuss] [saag] [websec] [kitten] HTTP authentication: the next generation

On 8 January 2011 11:49, Zed A. Shaw <zedshaw@zedshaw.com> wrote:
> On Sat, Jan 08, 2011 at 09:37:00AM -0800, Blaine Cook wrote:
> I don't normally respond, just being a lurker, but this statement is
> completely wrong Blaine.  OAuth may be used for more requests, but not
> more sites.  It's used on a tiny number of sites, with OpenID being used
> on way many more, and even then, nowhere near the number of websites
> that form based authentication and browser authentication methods.
>
> Don't equate twitter having a ton of traffic to OAuth being some kind of
> raving success, and sure as hell don't evaluate the technical merits of
> something by its popularity.

Agreed - though, facebook is also using oauth-based (not 1.0, but
essentially the same approach) logins, and there are a number of other
sites that do provide oauth-based login infrastructure.

Moreover, the nudge towards oauth is intended with the movement
towards a new auth infrastructure in mind. We'd need some kind of
discovery / negotiation mechanism on top to make it not the
one-or-two-companies-own-the-web play that login-over-oauth is now.
(cf. OpenID Connect).

b.

> While I agree that TLS client side isn't going to work, none of the
> proposed authentication methods will work without a change to browsers
> to support a way for two websites to establish a session in the browser.
> If that feature existed you would cut down on a lot of the complexity of
> things like OpenID and OAuth.

Again, agreed. ;-)

For the record, I don't think that OAuth itself is a suitable
replacement for HTTP authorisation, but wanted to stir the pot,
especially away from overwrought technical solutions that don't
actually solve anyone's needs.

b.

Received on Sunday, 9 January 2011 01:30:26 UTC