On Thu, Sep 24, 2009 at 11:49 AM, Frederik Ramm <[email protected]> wrote:
> One could use the newly provided OAuth mechanism for authentication.
> This would then not transmit your password but a token; the token
> however would still be transmitted in plain text, would have unlimited
> validity until revoked (just like a password) and would allow anyone who
> sees it to make edits in your name, so this would fall more under
> "security by obscurity" than under proper security.

On OSM.org you can give out tokens that allow the holder to *only* edit the map data. As opposed to also getting access to your private GPX tracks, making diary entries / comments etc. So transferring plaintext OAuth tokens would be more secure as in the event of a breach the access the attacker would gain to OSM.org in your name would at least be compartmentalized. Not to mention that the OAuth token would *only* work on OSM.org whereas users are likely to supply the same email/password pair for multiple websites that they're using.

_______________________________________________
josm-dev mailing list
[email protected]
http://lists.openstreetmap.org/listinfo/josm-dev

