On Wed, 7 Oct 2009 14:23:41 +0200, Lars Francke <[email protected]> wrote:
>> It could result in an upload session takeover.
>> It depends on the implementation if these tokens are valid for things
>> other than map data upload.
>
> If you are talking about OAuth tokens I can only reiterate that these
> tokens alone are not helpful at all. One has to know the token secret,
> too. And that has to be transmitted only once from the server to the
> client. Every subsequent request is signed using this secret. So if
> one is concerned about the CPU resources it would suffice to use SSL
> for the authentication process if OAuth is used. No upload session can
> be taken over without knowing the secret. In other words: You can
> announce your token to the world if you wish and the process would
> still be secure.
>

No, I meant the tokens which would be used if authentication is done with
https and data transmission without. Somehow these two parts have to be
connected, a token transferred with the authentication would be one
solution. This token could be intercepted and used to send unauthenticated
map data, but only as long as the session lasts.

Stefan

_______________________________________________
josm-dev mailing list
[email protected]
http://lists.openstreetmap.org/listinfo/josm-dev
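The difference between the two schemes discussed in this thread, as an added example that is not part of either message: an OAuth 1.0 style HMAC-SHA1 request signature (RFC 5849) next to a plain session token sent over unencrypted HTTP. All secrets, tokens, the URL and the `changeset` parameter are constructed sample values, and the in-memory nonce set stands in for real server state.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# All secrets, tokens and URLs here are constructed sample values.
CONSUMER_SECRET = "consumer-secret-demo"
TOKEN = "public-token-demo"         # travels in every request
TOKEN_SECRET = "token-secret-demo"  # issued once over SSL, never resent
URL = "http://api.example.org/upload"

def enc(value):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="")

def sign(method, url, params, token_secret):
    """HMAC-SHA1 over the RFC 5849 signature base string."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), enc(url), enc(normalized)])
    key = f"{enc(CONSUMER_SECRET)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def oauth_accepts(method, url, params, signature, seen_nonces):
    """Server: recompute the signature, then refuse a reused nonce."""
    expected = sign(method, url, params, TOKEN_SECRET)
    if not hmac.compare_digest(expected, signature):
        return False
    fresh = params["oauth_nonce"] not in seen_nonces
    seen_nonces.add(params["oauth_nonce"])
    return fresh

def bearer_accepts(presented_token, live_sessions):
    """Plain session token: possession alone authenticates the request."""
    return presented_token in live_sessions

def demo():
    params = {"oauth_token": TOKEN, "oauth_nonce": "n-1", "changeset": "42"}
    sig, seen = sign("POST", URL, params, TOKEN_SECRET), set()
    tampered = dict(params, changeset="43", oauth_nonce="n-2")
    guessed = sign("POST", URL, tampered, "guess")  # signer lacks the secret
    return {
        "genuine": oauth_accepts("POST", URL, params, sig, seen),
        "replayed": oauth_accepts("POST", URL, params, sig, seen),
        "tampered": oauth_accepts("POST", URL, tampered, sig, seen),
        "wrong_secret": oauth_accepts("POST", URL, tampered, guessed, seen),
        "bearer_reuse": bearer_accepts("session-abc", {"session-abc"}),
    }
```

The RFC 5849 signature base string covers the method, URL and parameters; a request body that is not form-encoded is not part of it, so it is not protected by the signature alone.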
