[iRail] Authentication and online identity management - thoughts

Yeri Tiete yeri at flatturtle.com
Sat Jul 28 21:20:08 UTC 2012


http://www.theregister.co.uk/2012/07/28/oauth_editor_quits/ :)

--
Kind regards,
Yeri Tiete
FlatTurtle

Avenue du port, 86c - 18, 1000 Brussels

m: +32 (0) 474 61 0139
t:   +32 (0) 2 669 1001
f:   +32 (0) 2 669 1002


On 28 Jul 2012, at 11:14, François REMY wrote:

> Pieter,
> 
> Being the person who shared the article first, I think I have to disagree with you.
> 
> The main reason why the original authors of OAuth dislike OAuth 2.0 is that it's not a protocol anymore; it has become a framework. This means that it provides guidelines on how to build a credential system, but doesn't really provide a reference implementation or strong requirements about, for example, token size and revocability; that means that even incorrectly secured or badly engineered implementations can be OAuth 2.0 compliant. As their initial intent with OAuth was to have a simple protocol that everybody could use and that was secure by default, they can't agree with what OAuth 2.0 has become. To give authors more extensibility and compatibility with existing credential systems, it was however nearly impossible for their vision to become concrete; welcome to the real world. OAuth 1.0 didn't scale well to big services and was asking too much of the average developer.
> 
> On the other hand, secure OAuth 2.0 implementations are possible (Facebook and others wouldn't have used it otherwise) and have the advantage of being compatible with the many available OAuth 2.0 client implementations. Also, by forcing the use of HTTPS, OAuth 2.0 makes implementations much easier by deferring the security concerns to the transport layer instead of the application layer as OAuth 1.0 did (which is globally a good thing).
> 
> For what it's worth, WebID doesn't seem to provide any modern notion of identity management (revocable tokens, partial access...) and the draft seems to have been unmaintained for some time already; given how old the proposal is you can think about it as a dead protocol for now. But, again, both WebID and OpenID don't provide revocable tokens and all those things that made identity management possible and secure by default. OAuth originated from this failure of OpenID to provide access delegation.
> 
> BTW, as is said in the original article, I think that we shall not need to wait too long before people share stronger guidelines atop the current specification as reference implementations; it's also worth noting that many OAuth 2.0 implementations out there are actually evolved OAuth 1.0 implementations, which means they kept most if not all of the security and conformance requirements of OAuth 1.0.
> 
> All in all, I personally don't think replacing OAuth with anything else is opportune at this time.
> François
> 
> 
> 
> 
> -----Original Message----- From: Pieter Colpaert
> Sent: Saturday, July 28, 2012 2:03 AM
> To: iRail mailing list
> Subject: [iRail] Authentication and online identity management - thoughts
> 
> Hi all,
> 
> Context: for iRail 3.0, we're building a single sign on system for all
> applications built at iRail. This means you will have one identity which
> is connected to all iRail apps. What we are building can be viewed in
> (pre-)alpha stage over here: https://id.iRail.be.
> 
> Yesterday I came across an interesting read concerning identity
> management, single sign-on systems and OAuth [1]. It pretty much states
> that OAuth2.0 failed doing what it should have done.
> 
> Building further upon OAuth2.0 seems like a bad idea in the long run for
> PlugID [2]. Concerning iRail 3.0 and https://id.iRail.be, I still think
> OAuth is the way to go as there won't be any de facto standard
> alternative any time soon. For the open-source project PlugID I think we
> should slowly start to look at viable alternatives, such as WebID [3].
> 
> What are your thoughts on this one?
> 
> [1] http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/
> [2] http://github.com/iRail/PlugID
> [3] http://www.w3.org/wiki/WebID
> 
> Kind regards,
> 
> Pieter
> 
> -- 
> iRail vzw/asbl
> +32 (0) 486/747122
> _______________________________________________
> iRail mailing list
> iRail at list.irail.be
> http://lists.rootspirit.com/mailman/listinfo/irail
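The thread's complaint is that OAuth 2.0 leaves token size, revocation and partial access to each implementer. The following is an added example (not code from the original posts, from PlugID or from iRail) of what a "secure by default" bearer-token store has to pin down on its own: tokens minted from a CSPRNG at a fixed size, only a hash kept at rest, a TTL, per-token and per-client revocation, and scope-limited access. It assumes a single in-memory server; the client name, scopes and timestamps are constructed.

```python
"""Opaque bearer-token store with expiry, revocation and scopes (added example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_BYTES = 32  # 256 bits of entropy per token (constructed choice for this example)


@dataclass
class TokenRecord:
    """Server-side state for one issued token; the token itself is never stored."""
    client_id: str
    scope: frozenset
    expires_at: float
    revoked: bool = False


class TokenStore:
    """In-memory bearer-token store (assumed single server, no persistence)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be exercised deterministically
        self._records = {}       # sha256(token) -> TokenRecord

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash is kept at rest, so a leaked store yields no usable tokens.
        # With 256 bits of entropy per token the dict lookup needs no constant-time
        # comparison: there is no preimage an attacker could enumerate.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def _is_live(self, record: TokenRecord) -> bool:
        return not record.revoked and self._clock() < record.expires_at

    def issue(self, client_id: str, scope, ttl_seconds: int) -> str:
        """Mint an opaque token: fixed size, CSPRNG-generated, bound to a client and scope."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        record = TokenRecord(client_id, frozenset(scope), self._clock() + ttl_seconds)
        self._records[self._digest(token)] = record
        return token

    def introspect(self, token: str):
        """Return the record for a live token, or None if unknown, expired or revoked."""
        record = self._records.get(self._digest(token))
        if record is None or not self._is_live(record):
            return None
        return record

    def authorize(self, token: str, required_scope: str) -> bool:
        """Partial access: a token is only good for the scopes it was issued with."""
        record = self.introspect(token)
        return record is not None and required_scope in record.scope

    def revoke(self, token: str) -> bool:
        """Revoke one token; True if it existed and was not already revoked."""
        record = self._records.get(self._digest(token))
        if record is None or record.revoked:
            return False
        record.revoked = True
        return True

    def revoke_client(self, client_id: str) -> int:
        """Revoke every live token of one client (user de-authorises an app); returns the count."""
        count = 0
        for record in self._records.values():
            if record.client_id == client_id and self._is_live(record):
                record.revoked = True
                count += 1
        return count


def demo():
    """Walk through issue, scope check, expiry and revocation with a controllable clock."""
    now = [1_000_000.0]                       # constructed timestamp
    store = TokenStore(clock=lambda: now[0])
    read_token = store.issue("timetable-app", ["read"], ttl_seconds=3600)
    results = {
        "token_length": len(read_token),
        "read_allowed": store.authorize(read_token, "read"),
        "write_allowed": store.authorize(read_token, "write"),
        "unknown_rejected": store.introspect("not-a-real-token") is None,
    }
    now[0] += 3601                            # step past the TTL
    results["expired_rejected"] = store.introspect(read_token) is None
    fresh = store.issue("timetable-app", ["read", "write"], ttl_seconds=3600)
    results["revoked"] = store.revoke(fresh)
    results["revoke_twice"] = store.revoke(fresh)
    results["after_revoke"] = store.introspect(fresh) is None
    other = store.issue("timetable-app", ["read"], ttl_seconds=3600)
    results["client_revoked_count"] = store.revoke_client("timetable-app")
    results["other_after_client_revoke"] = store.introspect(other) is None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

None of this is mandated by the OAuth 2.0 framework text itself; it is exactly the kind of requirement (fixed-entropy opaque tokens, hashed storage, TTL, revocation endpoint semantics, scope enforcement) that a stronger profile or reference implementation would have to add on top, which is the gap the thread is describing.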
