On Wed, Apr 29, 2009 at 3:46 PM, Nat Sakimura <[email protected]> wrote:
>
> The other approach is to make it clear that OAuth is Grant (S:V:Data to C:*)
> so that the users will be fully aware of the consequence. That will keep our
> problem rather contained. Perhaps that's what is needed instead of
> bolting up the security. But wait: this policy will not pass the Japanese
> Privacy Law. The use purpose and place is not specific enough to be legal.
OAuth is definitely Grant (Service Provider - User - [possibly scoped] Data to Consumer - *), with the caveat that the users of the consumer have a trust and possibly (probably) legal understanding with the consumer that it's not to abuse its privilege, i.e., that the consumer is acting on behalf of a specific user.

If this policy doesn't pass Japanese privacy law, then email and just about every social network in existence are illegal in Japan. When I send you a private email, I have to trust that your email provider will deliver it to you, and not to another of its users. When we create a private relationship on Facebook, we both have to trust that Facebook won't cross wires and expose our private data to its other users. The same is true of OAuth-negotiated relationships.

b.
