
[oauth] Re: Security through obscurity? Eran Hammer-Lahav Mon Mar 30 05:01:28 2009

Comparison with OpenID at this stage is not that relevant because while OAuth 
protects real data and resources, OpenID at most reveals some silly information 
about you (SREG). So it is ok to let the user decide how they share some minimal 
set of data about them, read only, and without updates. Not so much when you 
can access their electronic wallet...


On 3/26/09 1:58 PM, "Martin Atkins" <[EMAIL PROTECTED]> wrote:

Eran Hammer-Lahav wrote:
> You are looking at it wrong.
> (insert IANAL disclaimer here)
> Yahoo! issues client credentials to a specific, authenticated user. That
> user has accepted our legal terms which include not sharing those
> credentials with anyone else. If you break this agreement (which is a
> legally binding contract), and someone abuses Yahoo! or a Yahoo! user
> using those credentials, you are liable and if Yahoo! gets sued, you are
> likely to get involved in this...
> So while the legal agreement cannot stop you, it takes care of the risks
> Yahoo! cares about, which are liability and a way to protect our users
> within the framework the law allows.

If the Yahoo! developer agreement prohibits sharing the consumer
credentials then I have no problem with that, since Yahoo! is
effectively saying that desktop apps are not allowed, which is fine.

All I'm arguing is that if you're going to allow desktop apps (in other
words, if you're going to allow app developers to share their consumer
credentials with third parties) then you might as well not require
consumer credentials at all, since at that point they are providing no

There is also the issue that requiring application pre-registration
prevents OpenID-style ad-hoc service discovery, which is actually what I
care more about. The OpenID model is to trust the user to make the call
about whether they trust the consumer, but I'll concede that some people
consider this model to be flawed because the user is somehow unfit to
make this decision.
