On 22/12/09 14:11, John Smith wrote: > When does anyone plan to use SSL to protect passwords and users on OSM?
It's on my to do list to create a CSR and give to it to Grant. There are some issues to work out with regard to what we protect though as we don't really want to be using SSL for all the API requests though so we would prefer to encourage clients to move to using OAuth so we can then just protect the initial exchange when the application is authorised. > I noticed the other day about how JOSM puts this in it's MOTD: > > "Your username and password are sent to the server unencrypted. If you > do not like this, do not upload." > > While I'm aware that this is occurring, many others may not and may be > put off with statements like the above. While removing that statement > from JOSM might fix some of the image problems, it doesn't do anything > for real security. Well if the JOSM authors want to help then they should switch to OAuth ;-) > As has been pointed out on the trac ticket, OSM should be eligible for > a free cert from godaddy, then there is ideological reasons for > supporting other options like CAcert, just like many support OSM for > ideological reasons rather than Google. I don't think I'm cced on that ticket so I hadn't seen that, but we were planning to get a wildcard certificate anyway. Tom -- Tom Hughes (t...@compton.nu) http://www.compton.nu/ _______________________________________________ talk mailing list talk@openstreetmap.org http://lists.openstreetmap.org/listinfo/talk