- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Fri, 22 Mar 2013 12:00:04 -0400
- To: Web Payments CG <public-webpayments@w3.org>
We had used OAuth1 in the early versions of the PaySwarm implementation and eventually ended up dropping it for a variety of reasons:

1. OAuth2 was so complicated that we couldn't see it as providing the basis for a payments solution that would scale as the community grew (and integrated less security-savvy folks).
2. OAuth1 wasn't as good as the Web Key solution, and OAuth2 was worse in many ways compared to the Web Key solution.
3. The implementation burden was far more complex than it needed to be, and implementation burden is really important when it comes to technology adoption.

So, we used Web Key and waited for implementers to start speaking out against OAuth2.

The first big event showing that OAuth2 was probably going to be a failure was when Eran Hammer (the creator of OAuth) resigned and removed his name from the spec for some of the reasons I outlined above:

http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

Now, developers are starting to chime in about how awful it is to build a secure, inter-operable OAuth2 implementation:

http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html

Glad to hear that people are figuring this stuff out now instead of later. What would have been truly horrible is if developers thought there was no issue with OAuth2, implementations proceeded, and the Web would have gotten hit with countless OAuth2-related security breaches as a result.

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
President/CEO - Digital Bazaar, Inc.
blog: Aaron Swartz, PaySwarm, and Academic Journals
http://manu.sporny.org/2013/payswarm-journals/
Received on Friday, 22 March 2013 16:00:30 UTC