On 9/6/11 6:33 PM, Michael Thomas wrote:
> On 09/06/2011 05:23 PM, Peter Saint-Andre wrote:
>> On 9/6/11 4:22 PM, Melinda Shore wrote:
>>
>>> On 09/06/2011 12:59 PM, John Kemp wrote:
>>>
>>>> The point is that you have a point.
>>>>
>>> He does, and that's in some large part why I don't
>>> fully understand the temperature of the responses.
>>> I do not think it's a particularly big deal to stick
>>> a couple of sentences in the security considerations
>>> underscoring the fact that OAUTH can't do anything
>>> about a compromised host or a malicious application.
>>> I've learned to live with the fact that sometimes
>>> people implementing or deploying security technologies
>>> don't fully understand them, and it's my impression that
>>> there's some number of people out there who think that
>>> OAUTH and other third-party protocols provide sufficient
>>> protection against password snagging.
>>>
>> I just looked at the most recent specifications for TLS (RFC 5246) and
>> secure shell (RFC 4253), which I think we'd all agree are two quite
>> successful security technologies. Neither of those specs says anything
>> about not protecting human users from malicious clients that perform
>> keylogging to capture security-critical data the user might enter. Not
>> only is OAuth "not a superhero" as John Kemp said, but I fail to see why
>> we need to document exactly which superhero powers OAuth lacks (given
>> that it's not reasonable to expect *any* security protocol to have those
>> powers). IMHO this is gilding the documentation lily.
>>
>
> That is because neither TLS nor SSH is trying to allow access
> but protect you from a third party that is not necessarily
> trustworthy. OAuth is. When Eve literally has access to
> the to-be-protected data in many cases, that's noteworthy.
> That is not the case of either TLS or SSH.
TLS and SSH are controlling access to things like my bank account and my VPS. Those are less important than my Flickr photos?

Peter

--
Peter Saint-Andre
https://stpeter.im/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth