
Interesting critique of OAuth by one of its creators

From: Noah Mendelsohn <nrm@arcanedomain.com>
Date: Fri, 22 Mar 2013 11:31:07 -0400
Message-ID: <514C793B.4010809@arcanedomain.com>
To: "www-tag@w3.org" <www-tag@w3.org>
Eran Hammer has published a detailed critique of OAuth at [1]. Well worth 
reading for anyone interested in Web authentication. His conclusion:

"If you're looking to implement authorization for your website, I recommend 
sticking with well understood secure designs, such as HTTP Basic 
Authentication over SSL/TLS (or HTTP Digest Authentication)."

He then goes on to suggest more elaborate schemes for cases in which access 
to 3rd party software is desired.

BTW: the above is by way of Slashdot.


Received on Friday, 22 March 2013 15:31:34 UTC
