>> If HTTPS is ever offered we have two options (as we do now):
>
> A third option with a non-standard auth token being generated was discussed
> in this thread, and that's probably what Stefan was referring to.

I must have overlooked that. In that case I'm sorry Stefan, seems as if _I_
was the one misunderstanding you after all. But I'd vehemently object to
another (custom/non-standard) token mechanism being implemented for OSM.
OAuth is 'battle proven' and it is very hard to do these things right.

>> And yes OAuth is implemented for OSM[5]. [...]
>> But until HTTPS is offered it doesn't really make sense to
>> switch/implement it.
>
> Assuming that all environments are equally unsafe and that the attacker
> watches your every step, yes. But if you, like the original poster, are
> concerned about your password being sniffed while using a public network,
> then OAuth would protect you from that because you do the unencrypted
> password authorisation only once, e.g. from home.

That is of course correct and I hadn't thought of that before. Thanks, good
idea! In that case I hope someone feels like implementing OAuth for JOSM
right now :)

Lars

_______________________________________________
josm-dev mailing list
josm-dev@openstreetmap.org
http://lists.openstreetmap.org/listinfo/josm-dev
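
Added example, not part of the original message: a sketch of the quoted point about plain HTTP, comparing what travels on the wire with HTTP Basic against an OAuth 1.0 HMAC-SHA1 request (RFC 5849). That OSM's OAuth uses this signature method is an assumption here, and the host, user, keys and secrets are constructed placeholders.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Every value here is constructed for illustration; none comes from the thread.
PASSWORD, CONSUMER_SECRET, TOKEN_SECRET = "s3cret-pass", "app-secret", "token-secret"
URL = "http://api.example.org/upload"  # placeholder plain-HTTP endpoint
PARAMS = {
    "oauth_consumer_key": "editor-key", "oauth_token": "access-token",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1262304000",
    "oauth_nonce": "n-0001", "oauth_version": "1.0",
}

def enc(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def basic_header(user, password):
    # HTTP Basic: the password is merely base64-encoded and rides on every request
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def recover_basic_password(header):
    # What anyone who captures the header on an open network can read back
    return base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)[1]

def oauth_signature(method, url, params, consumer_secret, token_secret):
    # Signature base string: METHOD & encoded URL & encoded sorted parameters
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), enc(url), enc(norm)])
    # The two secrets only key the HMAC; they are never transmitted
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def oauth_header(method, url, params, consumer_secret, token_secret):
    sig = oauth_signature(method, url, params, consumer_secret, token_secret)
    fields = dict(params, oauth_signature=sig)
    return "OAuth " + ", ".join(f'{k}="{enc(v)}"' for k, v in sorted(fields.items()))

if __name__ == "__main__":
    basic = basic_header("mapper", PASSWORD)
    print(basic, "-> password visible:", recover_basic_password(basic))
    print(oauth_header("PUT", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET))
```

The token secret is handed out during the one-time authorisation, so that exchange is the step to keep off untrusted networks, as the quoted reply suggests.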