On Tue, Apr 28, 2009 at 9:47 AM, Dossy Shiobara <[email protected]> wrote:
>
> On 4/28/09 9:27 AM, Peter Keane wrote:
>> As an analogy, imagine if banks allowed withdrawals w/o a user typing
>> a PIN. The bank can guarantee that I am the one who was issued the
>> card AND it can guarantee that is the same card being used to withdraw
>> money. And you can do all kinds of things to guard against anyone but
>> the legitimate card owner to get ahold of it. But unless you take
>> that extra step (the PIN entered at the ATM) you never create
>> sufficient linkages to "verify" authenticity. That's why PIN can be
>> short & easy to remember (but should NOT be written on the card! ;-)).
>> Since it is an out-of-band arrangement, it offers a high level of
>> assurance.
>
> Although, the banks have known for a long time that their implementation
> is without security. Hackers today are compromising the MDS crypto
> blocks and are stealing PINs en masse. Basically, the banks implemented
> a system that assumed that the secret would remain secret and could
> never be compromised, similar to OAuth's dependency on the secrets
> remaining secret.
>
> The banks are due for a huge overhaul of their ATM transaction platform
> or continue to lose serious money to the hackers.
>
I would actually be perfectly happy with a protocol that was as secure as debit card + PIN. Whether that is adequate or not is (to my mind) out of scope and beyond the reach of OAuth. But as it stands now, I don't think it is at that level of assured security.

I'll add: two-legged OAuth does indeed achieve that level of assured security (as far as I can tell) and I'll be happy to use it. (I'll note, re: Blaine's previous comment -- this *does* rest on the trust relationship between SP and consumer and that is fine, since that is all it is attempting).

--peter

> Fortunately, no one implementing OAuth has anything so valuable, yet.
> However, OAuth's inherent similar flaw will likely mean that no service
> that does have anything valuable will expose those resources using
> OAuth. It's a very sad, built-in limiting factor for something with
> such potential.
>
> --
> Dossy Shiobara | [email protected] | http://dossy.org/
> Panoptic Computer Network | http://panoptic.com/
> "He realized the fastest way to change is to laugh at your own
> folly -- then you can let go and quickly move on." (p. 70)

You received this message because you are subscribed to the Google Groups "OAuth" group.
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
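To make concrete what "rests on the trust relationship between SP and consumer" and "OAuth's dependency on the secrets remaining secret" mean in two-legged OAuth 1.0, here is an added example (not code from the thread, the OAuth spec, or any participant's project) of HMAC-SHA1 request signing on the consumer side and verification on the service-provider side. In the two-legged flow there is no user token, so the SP's only evidence of who is calling is a valid HMAC under the shared consumer secret, plus the timestamp window and nonce bookkeeping that stop a captured request from being replayed. The consumer key, secret, URL and parameter values are constructed for illustration.

```python
"""Two-legged OAuth 1.0 (HMAC-SHA1) signing and verification (added example).

Names, URLs, keys and secrets are constructed for illustration; the
encoding, base string and key construction follow OAuth 1.0 / RFC 5849.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & enc(base URL) & enc(sorted, encoded parameters); oauth_signature is excluded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is enc(consumer_secret)&enc(token_secret); two-legged OAuth has no token, so it is empty."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_key, consumer_secret, now=None, nonce=None):
    """Consumer side: attach the oauth_* protocol parameters and compute the signature."""
    signed = dict(params)
    signed.update({
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(now if now is not None else time.time())),
        "oauth_version": "1.0",
    })
    signed["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, signed), consumer_secret)
    return signed


class ServiceProvider:
    """SP side: the only evidence of the caller's identity is the HMAC under the registered secret."""

    def __init__(self, consumer_secrets: dict, window_seconds: int = 300):
        self.consumer_secrets = consumer_secrets   # consumer_key -> consumer_secret (the trust relationship)
        self.window = window_seconds               # tolerated clock skew for oauth_timestamp
        self.seen_nonces = set()                   # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, params, now=None) -> bool:
        now = now if now is not None else time.time()
        secret = self.consumer_secrets.get(params.get("oauth_consumer_key"))
        if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.window:            # stale request: reject before any HMAC work
            return False
        replay_key = (params["oauth_consumer_key"], ts, params.get("oauth_nonce"))
        if replay_key in self.seen_nonces:         # same nonce/timestamp already accepted: replay
            return False
        expected = hmac_sha1_signature(signature_base_string(method, url, params), secret)
        presented = str(params.get("oauth_signature", "")).encode()
        if not hmac.compare_digest(expected.encode(), presented):
            return False
        self.seen_nonces.add(replay_key)           # record only after a successful check
        return True


if __name__ == "__main__":
    sp = ServiceProvider({"web-app-ck": "web-app-secret"})   # constructed registration
    req = sign_request("GET", "https://api.example.com/resource", {"q": "a b"},
                       "web-app-ck", "web-app-secret")
    print("fresh request accepted:", sp.verify("GET", "https://api.example.com/resource", req))
    print("replay accepted:", sp.verify("GET", "https://api.example.com/resource", req))
```

The checks in `verify` are ordered so that cheap rejections (unknown key, bad timestamp, seen nonce) happen before the HMAC is computed, and the nonce is recorded only after the signature has been accepted, so an attacker cannot burn nonces with unsigned junk. The point of the thread shows up in `consumer_secrets`: everything the SP concludes about the caller follows from that one lookup, which is why the assurance is only as good as the consumer's ability to keep its secret.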
