[OSM-talk] Why doesn't OSM implement a simple measure to protect its users and passwords?

John Smith deltafoxtrot256 at gmail.com
Tue Dec 22 14:35:39 GMT 2009


2009/12/23 Tom Hughes <tom at compton.nu>:
> It's on my to do list to create a CSR and give it to Grant.

 openssl req -nodes -new -keyout private.key -out server.csr

> There are some issues to work out with regard to what we protect though, as
> we don't really want to be using SSL for all the API requests, so we
> would prefer to encourage clients to move to using OAuth so we can then just
> protect the initial exchange when the application is authorised.

Why can't you protect everything if people want that? Encryption used
to be expensive in terms of hardware; now it's relatively cheap,
especially with some of the kit you guys are running for much more CPU
intensive things. I'm not suggesting to make SSL compulsory for
everything or even enabled by default, but at least give us the option
to have it protect everything we submit to OSM, especially if we aren't
in the UK and able to do anything about what the UK government is
planning.

> Well if the JOSM authors want to help then they should switch to OAuth ;-)

Protecting passwords is only part of the problem. Why would I want to
submit GPS traces privately if you don't wish to properly safeguard
my privacy?



