[OSM-dev] oAuth vs. SSL
cbro at semperpax.com
Tue Feb 15 01:15:49 GMT 2011
I tend to think that oAuth is not a great solution for desktop client vs net
server, and kind of reinventing the wheel vs. SSL.
The key benefits of oAuth are, IMHO, the revoking ability, which is a bit
pointless for a desktop app, and the fact that men-in-the-middle do not know
your credential (also pointless for a point-to-point API connection).
Re security, it is certainly better than basic auth but still no match for
a script kiddie without HTTPS (see, e.g., Firesheep +
The only real benefit is to prevent local storage of the password.
Is there a specific reason why HTTPS is not enabled for the API and/or
- Chris -