- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Fri, 29 Mar 2013 16:54:10 -0400
- To: public-webpayments@w3.org
- Message-ID: <5155FF72.6050902@openlinksw.com>
On 3/22/13 12:00 PM, Manu Sporny wrote:

> We had used OAuth1 in the early versions of the PaySwarm implementation and eventually ended up dropping it for a variety of reasons:
>
> 1. OAuth2 was so complicated that we couldn't see it as providing the basis for a payments solution that would scale as the community grew (and integrated less security-savvy folks).
> 2. OAuth1 wasn't as good as the Web Key solution, and OAuth2 was worse in many ways compared to the Web Key solution.
> 3. The implementation burden was far more complex than it needed to be, and implementation burden is really important when it comes to technology adoption.
>
> So, we used Web Key and waited for implementers to start speaking out against OAuth2. The first big event showing that OAuth2 was probably going to be a failure was when Eran Hammer (the creator of OAuth) resigned and removed his name from the spec for some of the reasons I outlined above:
>
> http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
>
> Now, developers are starting to chime in about how awful it is to build a secure, inter-operable OAuth2 implementation:
>
> http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html
>
> Glad to hear that people are figuring this stuff out now instead of later. What would have been truly horrible is if developers thought there was no issue with OAuth2, implementations proceeded, and the Web would have gotten hit with countless OAuth2-related security breaches as a result.
>
> -- manu

Manu,

I suggest making a note that compares and contrasts OAuth and Web Key. OAuth doesn't scale, end of story. We support it, but our support is also about helping others understand its futility :-)

Links:

1. http://kingsley.idehen.net/DAV/home/kidehen/ -- multi-pronged live demo.
--
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Friday, 29 March 2013 20:54:32 UTC