- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Fri, 22 Mar 2013 16:43:14 +0100
- To: public-webid <public-webid@w3.org>, public-rww <public-rww@w3.org>
Received on Friday, 22 March 2013 15:43:47 UTC
FYI: interesting piece

---------- Forwarded message ----------
From: Noah Mendelsohn <nrm@arcanedomain.com>
Date: 22 March 2013 16:31
Subject: Interesting critique of OAuth by one of its creators
To: "www-tag@w3.org" <www-tag@w3.org>

Eran Hammer has published a detailed critique of OAuth at [1]. Well worth reading for anyone interested in Web authentication. His conclusion:

"If you're looking to implement authorization for your website, I recommend to sticking with well understood secure designs, such as HTTP Basic Authentication over SSL/TLS (or HTTP Digest Authentication)."

He then goes on to suggest more elaborate schemes for cases in which access to 3rd party software is desired.

BTW: the above is by way of Slashdot.

Noah

[1] http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html
[2] http://tech.slashdot.org/story/13/03/22/1439235/a-truckload-of-oauth-issues-that-would-make-any-author-quit