- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Fri, 22 Mar 2013 16:51:44 +0100
- To: Noah Mendelsohn <nrm@arcanedomain.com>
- Cc: "www-tag@w3.org" <www-tag@w3.org>
- Message-ID: <CAKaEYhJ_gPbt_vuT4sUBnVDzSgLN+ZDncOHYXyvBMO+RrXw-dA@mail.gmail.com>
On 22 March 2013 16:31, Noah Mendelsohn <nrm@arcanedomain.com> wrote:

> Eran Hammer has published a detailed critique of OAuth at [1]. Well worth
> reading for anyone interested in Web authentication. His conclusion:
>
> "If you're looking to implement authorization for your website, I
> recommend to sticking with well understood secure designs, such as HTTP
> Basic Authentication over SSL/TLS (or HTTP Digest Authentication)."
>
> He then goes on to suggest more elaborate schemes for cases in which
> access to 3rd party software is desired.

Some excellent points raised.

Much of this arises out of the Trusted Third Party model of delegated credentials, which is a valuable use case, but one with limitations.

I believe Eran missed something that is of architectural importance. That is that "Identity" and "Authentication" are related, but separate, challenges. Very often a solution will couple the two tightly together, when they need not be, and this can be problematic.

Basic Auth over TLS really isn't bad as an "Authentication" solution, but is lacking as an "Identity" solution.

When we have a mainstream system able to solve both (and I think WebID has potential here) many of the issues will be able to have cleaner, and more secure, solutions.

> BTW: the above is by way of Slashdot.
>
> Noah
>
> [1] http://insanecoding.blogspot.com/2013/03/oauth-great-way-to-cripple-your-api.html
> [2] http://tech.slashdot.org/story/13/03/22/1439235/a-truckload-of-oauth-issues-that-would-make-any-author-quit
Received on Friday, 22 March 2013 15:52:15 UTC
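The "well understood secure design" that Eran's quoted conclusion recommends, HTTP Basic Authentication over TLS, as an added worked example that is not part of the original message or the W3C thread: an RFC 7617 credential parser and a verifier that stores only salted PBKDF2 hashes, compares in constant time, and refuses to evaluate credentials on a cleartext connection. The user store, the sample password and all function names are constructed for this example. It also makes Melvin's distinction concrete: what a successful check returns is a username meaningful only to this server, not a global identity.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Added example, not code from the original message or the W3C thread.
# A minimal HTTP Basic Authentication (RFC 7617) verifier. The user store,
# the sample password and the helper names are constructed for the example.

PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256; the server never stores the cleartext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt),
            "iterations": PBKDF2_ITERATIONS}


# Constructed user store for the example.
USERS = {"alice": make_user_record("correct horse battery staple")}


def make_basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_authorization(header_value):
    """Parse 'Basic <base64(user-id ":" password)>'.

    Returns (user, password) or None. The user-id may not contain ':'
    (RFC 7617 section 2), so the split is on the first colon only; the
    password may contain further colons.
    """
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def authenticate(header_value, users=USERS, tls=True):
    """Return the authenticated local username, or None.

    Basic credentials are only base64-encoded, not encrypted, so they are
    never evaluated on a cleartext connection. The unknown-user path runs
    the same PBKDF2 computation as a wrong-password path so the two are
    not distinguishable by timing.
    """
    if not tls:
        return None
    creds = parse_basic_authorization(header_value)
    if creds is None:
        return None
    user, password = creds
    record = users.get(user)
    salt = record["salt"] if record else b"\x00" * 16
    iterations = record["iterations"] if record else PBKDF2_ITERATIONS
    expected = record["hash"] if record else b"\x00" * 32
    candidate = _hash_password(password, salt, iterations)
    if record is None or not hmac.compare_digest(candidate, expected):
        return None
    # What comes back is a name meaningful only to this server; linking it
    # to a global identifier is a separate step that Basic Auth does not do.
    return user


if __name__ == "__main__":
    header = make_basic_header("alice", "correct horse battery staple")
    print(authenticate(header))             # alice
    print(authenticate(header, tls=False))  # None
```

The verifier deliberately does only the authentication half of the problem: it answers "does the presenter know alice's password" and nothing more. Any mapping from that local account to an identifier other sites can use has to be layered on separately, which is the coupling the message argues should be kept loose.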