Kiva is in the process of implementing OAuth for our API. The current 2.0 draft
lacks signatures which we determined as a necessary layer of protection for
some of our transactions. However, 1.0 is unnecessarily complex and offers a
misleading sense of security for apps that can't keep secrets. We've decided on
a hybrid approach for now that uses 2.0 mechanics but 1.0 signatures
(leveraging existing libraries and know-how). We've posted our plans here:
http://developers.wiki.kiva.org/OAuth-1_5k
Hopefully another real-world provider implementation can help put some
decisions in context as work continues to finalize the spec.
Recently, there have been discussions of both formal and informal meetings on
this list. This Saturday, October 30, at La Cantine in Paris, we're expecting
to have a lively session on OAuth, the evolving 2.0 spec, and where it's
headed. Anyone who is in the area or otherwise able to make it is welcome to
join - no one who shows up will be refused (regardless of what the registration
pages say):
http://barcamp.org/WebWorkersCamp10
Cheers,
skylar
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
