[OSM-talk] Why doesn't OSM implement a simple measure to protect its users and passwords?
Lars Francke
lars.francke at gmail.com
Sat Dec 26 01:52:17 GMT 2009
On Sat, Dec 26, 2009 at 01:21, John Smith <deltafoxtrot256 at gmail.com> wrote:
> 2009/12/26 Matt Amos <zerebubuth at gmail.com>:
>> On Fri, Dec 25, 2009 at 9:38 AM, John Smith <deltafoxtrot256 at gmail.com> wrote:
>>> I don't think OAuth is a valid security method.
>>
>> why not?
>
> If you hadn't snipped my email you would have read the answer.
Well here it is, your answer:
> In this day and age we should have moved to mutual cryptographic
> authentication long ago.
Hmmm, one of us doesn't understand OAuth or we have a different
understanding of what _mutual cryptographic authentication_ is.
The client and server verify each other using shared secrets which
should normally happen using HMAC-SHA1[1] (while plain text is
supported)[2][3].
The Resource Owner Authorization[4] as well as the exchange of the
shared secret will need to be done using a secure method (SSL/TLS) but
that doesn't mean that OAuth 1.0a or OAuth WRAP aren't valid
authentication/authorization mechanisms. It just means that there is a
way to implement it in an insecure way.
Cheers,
Lars
[1] http://en.wikipedia.org/wiki/HMAC
[2] http://tools.ietf.org/html/draft-hammer-oauth-08#section-3.2
[3] http://tools.ietf.org/html/draft-hammer-oauth-08#section-3
[4] http://tools.ietf.org/html/draft-hammer-oauth-08#section-2.2
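What the HMAC-SHA1 signing described above looks like in practice, as an added example that is not part of this thread or of the OSM code base: the client signs the request with the two shared secrets (consumer secret and token secret) and the server recomputes the signature from its own copy of them, so the secrets themselves never travel with the request. Assumptions: default ports only, a constructed example.com URL and placeholder secrets.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def oauth_encode(value: str) -> str:
    # RFC 3986 percent-encoding as OAuth 1.0a requires: only A-Z a-z 0-9 - . _ ~ stay unencoded
    return quote(str(value), safe="-._~")

def signature_base_string(method: str, url: str, params: list) -> str:
    # Base URI: lower-cased scheme and host, path kept, query stripped (assumption: default ports).
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Query parameters are signed together with the oauth_* and body parameters.
    pairs = list(params) + parse_qsl(parts.query, keep_blank_values=True)
    # Encode each name and value first, then sort by name and value, then join.
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalized)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # Key = both shared secrets, encoded and joined by '&'; an empty token secret still gets the '&'.
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"
    base = signature_base_string(method, url, params)
    digest = hmac.new(key.encode("utf-8"), base.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")

def server_verify(method, url, params, consumer_secret, token_secret=""):
    # The server recomputes from ITS copy of the secrets; oauth_signature is not part of the base string.
    presented = dict(params).get("oauth_signature")
    if presented is None:
        return False
    unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
    expected = hmac_sha1_signature(method, url, unsigned, consumer_secret, token_secret)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, presented)

# Constructed example request (not from the thread): all secrets and keys are placeholders.
CONSUMER_SECRET, TOKEN_SECRET = "consumer-secret-placeholder", "token-secret-placeholder"
REQUEST = [("oauth_consumer_key", "key-placeholder"), ("oauth_token", "token-placeholder"),
           ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1261792337"),
           ("oauth_nonce", "constructed-nonce"), ("oauth_version", "1.0")]

def demo():
    url = "http://example.com/api/0.6/user/details?verbose=1"
    sig = hmac_sha1_signature("GET", url, REQUEST, CONSUMER_SECRET, TOKEN_SECRET)
    signed = REQUEST + [("oauth_signature", sig)]
    # Same signature re-sent with a changed timestamp: the server must reject it.
    tampered = [(k, "1261792999" if k == "oauth_timestamp" else v) for k, v in signed]
    return (server_verify("GET", url, signed, CONSUMER_SECRET, TOKEN_SECRET),
            server_verify("GET", url, tampered, CONSUMER_SECRET, TOKEN_SECRET))
```

`demo()` returns `(True, False)`: the untouched request verifies, the modified one does not, which is the mutual check Lars refers to. Transporting the secrets themselves (token exchange, resource owner authorization) is what still needs SSL/TLS.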