Re: Fwd: Interesting critique of OAuth by one of its creators

On 3/22/13 11:43 AM, Melvin Carvalho wrote:
> FYI: interesting piece
>
> ---------- Forwarded message ----------
> From: Noah Mendelsohn <nrm@arcanedomain.com>
> Date: 22 March 2013 16:31
> Subject: Interesting critique of OAuth by one of its creators
> To: www-tag@w3.org
>
>
> Eran Hammer has published a detailed critique of OAuth at [1]. Well 
> worth reading for anyone interested in Web authentication. His conclusion:
>
> "If you're looking to implement authorization for your website, I 
> recommend sticking with well understood secure designs, such as 
> HTTP Basic Authentication over SSL/TLS (or HTTP Digest Authentication)."
>
> He then goes on to suggest more elaborate schemes for cases in which 
> access to 3rd party software is desired.
>
> BTW: the above is by way of Slashdot.
>
> Noah
>
> [1] http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html
> [2] http://tech.slashdot.org/story/13/03/22/1439235/a-truckload-of-oauth-issues-that-would-make-any-author-quit
>
>
The kicker:

"In order to achieve a situation where users can securely authorize 
third party software, without giving over their personal credentials 
(passwords), I recommend that these services have a page where they can 
generate new credentials (keys) which the user can copy and paste. They 
can then name these keys themselves (avoiding application registration 
hassle), and set permissions upon them themselves. Since the user is the 
one initiating the key creation, and copying and pasting it themselves, 
they cannot fall prey to a man-in-the-middle attack where the third 
party software initiates the authorization process."

That's putting the value of de-referenceable URIs, RDF graphs (for all 
kinds of entity relationship semantics), RDF-based Linked Data, and TLS 
into clear perspective.

We should seize the moment!

-- 

Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
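The scheme quoted above (a settings page where the logged-in user mints a key, names it, picks its permissions, and pastes it into the third-party application) is straightforward to implement server-side. The following is an added illustration, not code from this thread or from the critique it discusses. The class and method names (ApiKeyStore, issue_key, authorize, revoke), the permission names, and the "key_id.secret" wire format are assumptions made for the example; the point it demonstrates is that the service stores only a hash of the secret, returns the plaintext exactly once, and checks the key's own permission set on every request.

```python
"""User-minted, named, permission-scoped API keys (illustrative example,
not the thread's or the blog post's code).

Assumptions: key format is "<key_id>.<secret>", permission names are
invented for the example, and storage is an in-memory dict.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass
class KeyRecord:
    owner: str                      # account that created the key
    name: str                       # label the user chose ("calendar-sync")
    permissions: FrozenSet[str]     # scopes the user granted to this key
    key_hash: bytes                 # sha256(secret); the secret itself is never stored
    revoked: bool = False


class ApiKeyStore:
    # Scopes the service defines. A user may narrow a key to any subset,
    # but cannot grant a scope the service does not know about.
    KNOWN_PERMISSIONS = frozenset({"read:calendar", "write:calendar", "read:contacts"})

    def __init__(self) -> None:
        self._records = {}  # key_id -> KeyRecord

    def issue_key(self, owner: str, name: str, permissions: Iterable[str]) -> str:
        """Called from the user's own settings page after normal login.

        Returns the plaintext key once, for the user to copy and paste into
        the third-party application. Only a hash is kept, so a database leak
        does not yield usable keys.
        """
        perms = frozenset(permissions)
        unknown = perms - self.KNOWN_PERMISSIONS
        if unknown:
            raise ValueError("unknown permissions: %s" % sorted(unknown))
        key_id = secrets.token_urlsafe(8)    # public lookup handle
        secret = secrets.token_urlsafe(32)   # 256 bits of entropy, so an unsalted
        digest = hashlib.sha256(secret.encode()).digest()  # fast hash is sufficient
        self._records[key_id] = KeyRecord(owner, name, perms, digest)
        return "%s.%s" % (key_id, secret)

    def authorize(self, presented_key: str, required_permission: str) -> Optional[str]:
        """Validate a key presented by a third-party app for one request.

        Returns the owning account if the key is live, the secret matches,
        and the key was granted required_permission; otherwise None.
        """
        key_id, sep, secret = presented_key.partition(".")
        rec = self._records.get(key_id)
        if not sep or rec is None or rec.revoked:
            return None
        digest = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(digest, rec.key_hash):   # constant-time compare
            return None
        if required_permission not in rec.permissions:
            return None
        return rec.owner

    def revoke(self, owner: str, name: str) -> bool:
        """Let the user kill one key by its label without touching the others."""
        for rec in self._records.values():
            if rec.owner == owner and rec.name == name and not rec.revoked:
                rec.revoked = True
                return True
        return False

    def list_keys(self, owner: str) -> List[Tuple[str, FrozenSet[str], bool]]:
        """What the settings page shows: names and scopes, never secrets."""
        return [(r.name, r.permissions, r.revoked)
                for r in self._records.values() if r.owner == owner]


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue_key("alice", "calendar-sync", ["read:calendar"])
    print("give this to the app once:", key)
    print("read  ->", store.authorize(key, "read:calendar"))    # alice
    print("write ->", store.authorize(key, "write:calendar"))   # None: not granted
    store.revoke("alice", "calendar-sync")
    print("after revoke ->", store.authorize(key, "read:calendar"))  # None
```

Because the user initiates key creation on the service's own page and transports the key by hand, there is no redirect-based flow for a hostile application to start, which is the man-in-the-middle concern the quoted passage is addressing. The remaining operational caveats are the usual ones for bearer credentials: issue keys only over TLS, and keep the plaintext out of logs and referrers.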

Received on Saturday, 23 March 2013 13:47:21 UTC