On Apr 24, 11:01 am, Luca Mearelli <[email protected]> wrote:
> On Fri, Apr 24, 2009 at 5:50 PM, Zachary Voase
>
> <[email protected]> wrote:
> > Isn't it better to spend the time and effort educating users on when
> > to give access to third party applications and when to deny it?
>
> yep, this should be the primary concern of the consumer and service
> providers but i think that any tool that helps build confidence for
> the user is welcome (perhaps not required, but these could be subject
> of extensions to the protocol, no?)
I'm all for user education and security extensions are a good idea
(perhaps the key idea). But dismissing the authentication need (or
implicitly denying it exists?) strikes me as wishful thinking and
risks the protocol not being taken seriously. I've been trying to
figure out if this whole process is about the OAuth protocol maturing
(essentially a right of passage) or being unmasked as "not really a
serious protocol." Sorry for the strong language (and esp. from an
outsider to this group!) -- I really hope it's the former. The OAuth
spec being really explicit about its weaknesses and where they exists
would be to my mind a v. good thing. And while I love the "let's ship
product" and "think of the user" ethic here, security is an awfully
important checkbox. Somehow emphasizing "we offer great user
experience w/ these caveats..." maybe?
Sorry if I am prologing a bikeshed argument (not my intention!).
--peter
>
> Luca
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
