[OSM-dev] API suggestion - "authorise"?

Robert (Jamie) Munro rjmunro at arjam.net
Sun Nov 18 15:22:36 GMT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thomas Walraet wrote:
> Nick Whitelegg wrote:
>> One guy emailed me privately recommending I shouldn't do this sort of thing 
>> (i.e. take login details on my site then forward them to OSM) for security 
>> reasons, though I have to admit that despite not being a security expert I'm 
>> not convinced - I don't really see a major problem with it, no more than 
>> using non-HTTPS communication in general (and OSM doesn't currently use 
>> HTTPS).
> 
> The problem with this sort of thing is that you can log the user login 
> and plain password. Ok, you don't do it, but you can. And someone who 
> breaks into your server can.

This discussion reminds me of some of the discussion here:

Gears and the Mashup Problem

"Mashups are the most interesting innovation in software development in
decades. Unfortunately, the browser's security model did not anticipate
this development, so mashups are not safe if there is any confidential
information in the page. Since virtually every page has at least some
confidential information in it, this is a big problem. Google Gears may
lead to the solution."

http://video.google.com/videoplay?docid=452089494323007214

It's an interesting lecture about mashups and cross site security type
issues, if you've got a spare hour to watch it.

OSM moving to OpenID would help a bit, and it is a good thing for other
reasons, but what we really need would be a JavaScript API that OSMAJAX
would use and would mediate what was passed between OSMAJAX and the OSM
servers. The technology needed to make this all work securely isn't
there yet, however.

Robert (Jamie) Munro

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHQFi6z+aYVHdncI0RAimuAKDhrjxHMZE9UeKyUfL8hQmtXhNK4QCfYm6t
efjwvOeFizerIXwcu+dsyGk=
=HghD
-----END PGP SIGNATURE-----
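To make the two designs discussed in this thread concrete, here is an added illustration that is not part of the mail and not OSM or OSMAJAX code. It simulates, in one Python module, the credential-forwarding flow Thomas warns about (the third-party site receives the user's password and can log it) beside a mediated flow of the kind Robert asks for, where the user authenticates with the server directly and the third-party site only ever receives a scoped, expiring, HMAC-signed token. The server secret, the user record, the app id "osmajax-demo" and the scope names are all constructed for the demo; the token format is a simple illustrative one, not a real OSM or OpenID mechanism.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed secret held only by the (simulated) OSM server; never given to third parties.
SERVER_SECRET = b"constructed-demo-secret-not-a-real-key"

# Constructed user store: username -> (salt, PBKDF2 hash). Passwords are never stored in clear.
USERS = {}


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(user, password):
    salt = secrets.token_bytes(16)
    USERS[user] = (salt, _hash_pw(password, salt))


def verify_password(user, password):
    """Server-side check; constant-time compare so timing does not leak the hash."""
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _hash_pw(password, salt))


def issue_token(user, app_id, scopes, ttl=3600, now=None):
    """Server issues a token bound to one app, limited to given scopes, expiring after ttl seconds."""
    payload = {"sub": user, "app": app_id, "scope": sorted(scopes), "exp": int((now or time.time()) + ttl)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_token(token, required_scope, now=None):
    """Return the token payload if signature, expiry and scope all check out, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered or forged: reject before trusting any field
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] < (now or time.time()):
        return None  # expired: limits the damage window if the token leaks
    if required_scope not in payload["scope"]:
        return None  # token was not issued for this operation
    return payload


class ThirdPartyApp:
    """Simulated third-party site (the OSMAJAX role). Everything it sees goes into its log."""

    def __init__(self):
        self.log = []


def credential_forwarding_flow(app, user, password):
    """Flow the mail warns about: the app receives the clear password and could log it."""
    app.log.append({"user": user, "password": password})
    return verify_password(user, password)  # then forwards it to the server


def mediated_flow(app, user, password, scopes, now=None):
    """Mediated flow: the server authenticates the user; the app only receives a scoped token."""
    if not verify_password(user, password):
        return None
    token = issue_token(user, "osmajax-demo", scopes, now=now)
    app.log.append({"user": user, "token": token})  # no password ever reaches the app
    return token


def app_log_contains_password(app):
    return any("password" in entry for entry in app.log)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    bad = ThirdPartyApp()
    credential_forwarding_flow(bad, "alice", "correct horse battery staple")
    good = ThirdPartyApp()
    tok = mediated_flow(good, "alice", "correct horse battery staple", ["edit"])
    print("forwarding app logged password:", app_log_contains_password(bad))
    print("mediated app logged password:", app_log_contains_password(good))
    print("token accepted for edit:", verify_token(tok, "edit") is not None)
```

The point of the contrast is where the secret ends up: in the first flow a compromise of the third-party server exposes every user's reusable password, while in the second it exposes only tokens that are bound to one app, limited in scope and time, and revocable by rotating the server secret.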