[OSM-talk] Why doesn't OSM implement a simple measure to protect its users and passwords?

Florian Lohoff flo at rfc822.org
Tue Dec 22 18:14:13 GMT 2009


On Tue, Dec 22, 2009 at 02:30:38PM +0000, Tom Hughes wrote:
> On 22/12/09 14:11, John Smith wrote:
> 
> > When does anyone plan to use SSL to protect passwords and users on OSM?
> 
> It's on my to do list to create a CSR and give it to Grant.
> 
> There are some issues to work out with regard to what we protect though 
> as we don't really want to be using SSL for all the API requests though 
> so we would prefer to encourage clients to move to using OAuth so we can 
> then just protect the initial exchange when the application is authorised.

My guess is that the API server is fully I/O bound and has massive spare CPU.
So encrypting all API calls shouldn't be much of a problem - There is not that
much data transferred anyway, just a lot of connections with little data in them.

I'd like to see SSL encrypted connections for everything, there are a lot of
employees spying on their staff, governments on their population and people
on each other. I am not afraid of losing my password to someone as it's a unique one
for OSM but the world is full of privacy black holes and we want to support
our users/mappers against any breach of confidentiality.

Flo
-- 
Florian Lohoff                                         flo at rfc822.org
"It is a gross misunderstanding and a misperception to impute censorship
and surveillance intentions to the state on the Internet."
- Federal Minister Dr. Wolfgang Schäuble -- 10 July in Berlin