[OSM-talk] Why doesn't OSM implement a simple measure to protect it's users and passwords?
osm.list at randomjunk.co.uk
Tue Dec 22 18:40:08 GMT 2009
On Tue, Dec 22, 2009 at 6:14 PM, Florian Lohoff <flo at rfc822.org> wrote:
> On Tue, Dec 22, 2009 at 02:30:38PM +0000, Tom Hughes wrote:
>> On 22/12/09 14:11, John Smith wrote:
>> > When does anyone plan to use SSL to protect passwords and users on OSM?
>> It's on my to do list to create a CSR and give to it to Grant.
>> There are some issues to work out with regard to what we protect though
>> as we don't really want to be using SSL for all the API requests though
>> so we would prefer to encourage clients to move to using OAuth so we can
>> then just protect the initial exchange when the application is authorised.
> My guess is that the API server is fully I/O bound and has massive spare CPU.
> So encrypting all API calls shouldnt be much of a problem - There is not that
> much data transferred anyway, just a lot of connected with little data in them.
Can we please stop guessing / explaining how easy it is, and believe
that the sysadmin team aren't mindless idiots and actually know what
they're doing? Please? It would make this list a heck of a lot easier
to read if every other e-mail wasn't utter rubbish.
More information about the talk