[openspending-dev] api key

fukami odn at foo.io
Tue Aug 20 07:49:05 UTC 2013

Hi Tryggvi!

On 19.08.2013, at 19:02, Tryggvi Björgvinsson <tryggvi.bjorgvinsson at okfn.org> wrote:
> On mán 19.ágú 2013 16:28, fukami wrote:
>> Implementing homebrew public key crypto is actually rather difficult, and most developers don't even get symmetric key crypto right which is far less complex. I see this almost every day, even from experienced developers who should know better. Why not just use OAuth straight away? Not that I'm a very big fan of it, but it's better than building something from scratch and it's widely used.

> I agree that crypto is hard to do right but just out of curiosity why
> don't you like OAuth? Is there anything else you'd recommend instead?

I basically share the concerns of Eran Hammer, especially about OAuth2.0,
see http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

In my point of view OpenID seems to be more robust. It's also better 
understood by devs and users (although it has also problems, i.e. it's
more susceptible to stuff like phishing).

> Maybe you could help us out doing this correctly from the get-go? I
> think we'd all appreciate your help (since you seem to have some
> experience/knowledge of the area). Would you be up for that?

As always it's much easier to criticize than to implement and I'm way 
better in breaking than making things ^^

But I can help with a review if you like.


More information about the openspending-dev mailing list