> - signing and checking a signature is essentally encrypting and > decrypting (CPU?), but with less data
Indeed. But as far as I know HMAC-SHA1 is reasonably quick and shouldn't be a performance hit. Even more so because it needs to be done only once for each 'consumer' (JOSM in this case). > - even OAuth relies on certificates for authentication of peers > (once, in the request process), but it's optional I've never heard anyone doing this with OAuth and as you say it's optional. So it shouldn't be a problem :) > - it's protecting data which doesn't need to be protected (map data) I don't understand this one? Only certain requests require authentication with the API. Requests modifying map data for example. And in my opinion those should be protected. > Also a last question remains, at least for me: If the Access Token is > valid for a long time, and also the Token secret doesn't change and > only the Token is signed and not the data, what prevents replay > attacks with changed data? http://oauth.net/core/1.0a#nonce > PS: Yes I admit, doing a selective HTTPS with unencrypted data and a > new form of token is more like a non-standard OAuth > than a true HTTPS. So it's probably better to fiddle with OAuth, > especially if it's partly implemented already. We won't need any 'fiddling' - it is already implemented _and_ usable. We can only make it _more secure_ by using HTTPS for certain steps and by switching to OAuth 1.0a. But I think that's what you meant :) Bye, Lars _______________________________________________ josm-dev mailing list [email protected] http://lists.openstreetmap.org/listinfo/josm-dev
