I agree with Greg here. Signatures complicate life for our clients, they are not browser friendly, and I'm not really convinced that we need them. If we are going to have a default (and I think that we should) it should be dead simple to integrate with. I would vote for basic auth with https.
-jOrGe W. On Mar 3, 2011, at 9:40 AM, Greg wrote: > On Mar 2, 2011, at 8:30 PM, Jesse Andrews wrote: > >> I would prefer a signature based approach as the default (as signatures >> limits replay attacks; tokens allow an eavesdropper to make arbitrary >> requests if they obtain a token). > > On the other hand, signatures make simple things difficult, such as quick > curl requests, dev testing, etc. The usual tradeoff of security and > convenience. > _______________________________________________ > Mailing list: https://launchpad.net/~openstack > Post to : openstack@lists.launchpad.net > Unsubscribe : https://launchpad.net/~openstack > More help : https://help.launchpad.net/ListHelp _______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
