[OSM-dev] API suggestion - "authorise"?
Lambertus
osm at na1400.info
Sat Nov 17 16:20:29 GMT 2007
I agree, but on the other hand, how paranoid do you want to be?
Anyway, changing the forum to use a future HTTPS API authentication is
simple. Dunno if the forum authentication itself is easy to change to HTTPS.
Maybe 3rd parties need to allow users to choose between using OSM API auth
or a specific auth for that 3rd party service. That way, if you do not trust
the 3rd party you can use a separate account for that service.
----- Original Message -----
From: "DavidD" <thewinch at gmail.com>
To: "Lambertus" <osm at na1400.info>
Cc: <dev at openstreetmap.org>
Sent: Saturday, November 17, 2007 16:25
Subject: Re: [OSM-dev] API suggestion - "authorise"?
> On 17/11/2007, Lambertus <osm at na1400.info> wrote:
>
>> As a sidenote, I agree that using plain HTTP for authentication is not
>> very
>> secure. But common sense dictates the use of different passwords for
>> every
>> account, so in case the OSM authentication request gets intercepted it
>> won't
>> do much harm.
>
> I think a bigger problem is the third party site itself could
> potentially log valid user credentials.
> OSM logins themselves are probably not that valuable but how many
> would you need before you found one that was also a paypal login? Sure
> people should use different passwords but remembering lots of
> passwords is hard so there will always be people who don't.
>
> I guess it makes me a bit uncomfortable because it appears to
> undermine the general message of never using login credentials on a
> third party site.
>
> --
> DavidD
>
More information about the dev
mailing list