Hi,

Frederik Ramm wrote:
> One could use the newly provided OAuth mechanism for authentication.
> This would then not transmit your password but a token; the token
> however would still be transmitted in plain text, would have unlimited
> validity until revoked (just like a password) and would allow anyone who
> sees it to make edits in your name, so this would fall more under
> "security by obscurity" than under proper security.

Why not this way: A token gets generated on the database server (or transmitted to it) and it gets transmitted to the user via HTTPS. The token will encode the password on the user's side and transmit it in plaintext to the server. The server will encode it using the token. That sounds secure to me and shouldn't slow down any process.

Best regards,
Tobias

_______________________________________________
josm-dev mailing list
[email protected]
http://lists.openstreetmap.org/listinfo/josm-dev
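The exchange discussed in this message, as an added example that is not code from the original thread: a server-issued token keys an encoding of the password, and the encoded value is what travels over the plain-text channel. HMAC-SHA256 as the "encoding", the `Server` class, and the per-request nonce variant are assumptions made for illustration; the nonce variant goes beyond what the message describes and is included to show when a captured request stops being reusable.

```python
import hashlib
import hmac
import secrets

PASSWORD = b"constructed-example-password"  # constructed sample value


def encode(token: bytes, password: bytes, nonce: bytes = b"") -> str:
    """Keyed encoding of the password; HMAC-SHA256 is an assumption."""
    return hmac.new(token, nonce + password, hashlib.sha256).hexdigest()


class Server:
    """Hypothetical server that knows the password and issues the token."""

    def __init__(self, password: bytes, use_nonce: bool):
        self.password = password
        self.use_nonce = use_nonce
        self.token = secrets.token_bytes(32)  # delivered to the client over HTTPS
        self.pending = set()                  # nonces issued and not yet used

    def new_nonce(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, proof: str, nonce: bytes = b"") -> bool:
        if self.use_nonce:
            if nonce not in self.pending:
                return False                  # unknown or already used nonce
            self.pending.discard(nonce)
        else:
            nonce = b""
        expected = encode(self.token, self.password, nonce)
        return hmac.compare_digest(expected, proof)


def replay_accepted(use_nonce: bool) -> bool:
    """Send one valid request, then resend the same bytes seen on the wire."""
    server = Server(PASSWORD, use_nonce)
    nonce = server.new_nonce() if use_nonce else b""
    proof = encode(server.token, PASSWORD, nonce)
    assert server.verify(proof, nonce)        # the legitimate request succeeds
    return server.verify(proof, nonce)        # the identical request, resent


if __name__ == "__main__":
    print("static token, resent request accepted:", replay_accepted(False))
    print("per-request nonce, resent request accepted:", replay_accepted(True))
```

With a static token the encoded value is accepted every time it is presented, so it is equivalent to the password on the wire; with a single-use nonce the same bytes are rejected the second time.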
