[cap-talk] OAuth vs. CapDoc contrast
Jonathan S. Shapiro
shap at eros-os.com
Sun Sep 30 20:30:10 EDT 2007
On Mon, 2007-10-01 at 00:22 +0000, Karp, Alan H wrote:
> Ben Laurie wrote:
> >
> > Many service providers are reluctant to use HTTPS for all their
> > traffic because of the load it imposes.
> >
> That means that the content you're trying to limit access to is being
> sent in the clear. Somehow that doesn't seem compatible with the
> complexity of the protocol intended to protect access. If the webkeys
> are single use, you're only risking the webkey to the extent that OAuth
> is risking your data.

I am coming into this conversation out of context, and I will drop out
just as quickly. I don't know anything about the specific protocols
under discussion. I offer the following anecdote in case it is useful.

Several weeks ago, I tried to explain to the Drupal folks that
encrypting passwords is a useful step even if you do not use HTTPS for
everything. In brief: if I compromise your site with cookie spoofing,
only the site is compromised. If I compromise the user's password,
*every* site they talk to gets compromised along with all of their
private state (mainly because users just cannot remember all that many
distinct passwords).

I do not know if this particular observation applies in the context of
OAuth vs. CapDoc. The metacomment I wanted to put on the table is that
the degree of protection required is a function of both risk and value
of the data being protected, and also a tradeoff between the cost of
protection and the importance of scalability/availability. Sometimes it
really does make sense to use a weaker mechanism on content than on
security-relevant metadata.

shap