Hi, Karl Guggisberg wrote: > I think that people would be disappointed if one explained them how OAuth > would work from JOSM. > My understanding is, that it would work along the following steps:
Probably right although I'm sure a way can be found to save the user from having to cut+paste the token. > The request token can be saved in the JOSM-profile (agreed, that this avoids > having userid/password > unencrypted in the profile) and it will be used to get another access token > the next time JOSM > is started, but using OAuth doesn't protect us from sending uid/password in > cleartext over the net. The difference is that since the token is valid forever, the unencrypted transfer of username and password will take place only once, and not with every request. (Requests would still contain the unencrypted token which would allow others to make edits in your name though.) But as I said before, I don't currently consider OSM accounts to be a valuable asset. I have many of them and should one be compromised then I'll create another. Any account created anonymously from the web page has the same privileges as my account so why should a hacker bother to hijack my account when he can just sign up for one? Thus I think the whole security question is more a kind of knee-jerk security paranoia thing than a real concern. (And anyone who cares so little about security that he uses the same password for OSM that he uses elsewhere does not really deserve that we make an effort to protect his data, does he?) This would however change if OSM accounts had special privileges. If my account could to things that yours cannot then that might make a difference. Bye Frederik -- Frederik Ramm ## eMail [email protected] ## N49°00'09" E008°23'33" _______________________________________________ josm-dev mailing list [email protected] http://lists.openstreetmap.org/listinfo/josm-dev
