cacert-devel - Re: Security of OAuth and OpenID

Subject: CAcert Code Development list.

Re: Security of OAuth and OpenID

  • From: Mario Lipinski <mario AT cacert.org>
  • To: cacert-devel AT lists.cacert.org
  • Subject: Re: Security of OAuth and OpenID
  • Date: Sat, 11 Jul 2009 02:45:37 +0200
  • Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
  • Organization: CAcert Events, CAcert Organisation Assurance Germany

Michael,

thanks for your comments.

This is a point we really need to think about. However, this should not change the design of the software. We should only consider having a strict policy on external applications.

On 11.07.2009 1:56, Michael Tänzer wrote:
> Additionally we should not only have application accounts but also
> assign data access rights to them. For example the geo/social app should
> only be able to access the primary email address in order to send
> announcements, maybe the name (the user could also enter this separately
> as e.g. he might want to omit middle names) and possibly the number of
> experience points while the web frontend needs wider access to the data
> (in order to let the user tweak preferences, request certs etc.).

I think this was already planned that way.


Mario
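The per-application data access rights discussed above (a geo/social app limited to the primary email, a user-chosen display name and experience points, while the web frontend gets wider access) can be enforced as an attribute allow-list checked on every read. The following is an added example written for this thread, not code from CAcert's software; the application names, field names and the sample user record are constructed assumptions.

```python
"""Per-application attribute scopes: an application account may only read the
user fields it has been granted, and every denied request is logged.

All identifiers below are constructed for illustration (hypothetical apps and
fields), not CAcert's actual applications or schema.
"""
from typing import Dict, Iterable, List, Set

# Allow-list of readable fields per registered application account.
# "geo_social" gets only what it needs to send announcements; the web
# frontend needs wider access so the user can tweak preferences and request
# certificates. Any application not listed here has no access at all.
APP_SCOPES: Dict[str, Set[str]] = {
    "geo_social": {"primary_email", "display_name", "experience_points"},
    "web_frontend": {
        "primary_email", "display_name", "full_name", "experience_points",
        "preferences", "certificates",
    },
}

# Constructed sample user record. "display_name" is the name the user entered
# separately for external apps (here with the middle name omitted), so the
# geo/social app never sees "full_name".
SAMPLE_USER: Dict[str, object] = {
    "primary_email": "alice@example.org",
    "full_name": "Alice Marie Example",
    "display_name": "Alice Example",
    "experience_points": 150,
    "preferences": {"newsletter": True},
    "certificates": ["serial-0001", "serial-0002"],
}

# In-memory audit trail of denied reads (a real deployment would write to a log).
AUDIT_LOG: List[str] = []


class ScopeError(PermissionError):
    """Raised when an application asks for a field outside its scope."""


def denied_fields(app_id: str, requested: Iterable[str]) -> Set[str]:
    """Return the requested fields that ``app_id`` is not allowed to read.

    An unknown application is denied everything it asks for.
    """
    allowed = APP_SCOPES.get(app_id, set())
    return set(requested) - allowed


def read_user_fields(app_id: str, user: Dict[str, object],
                     requested: Iterable[str]) -> Dict[str, object]:
    """Return only the requested fields, and only if all are within scope.

    The check is all-or-nothing: one out-of-scope field fails the whole
    request, so an application cannot probe for extra data field by field
    without leaving an audit entry.
    """
    requested = list(requested)
    denied = denied_fields(app_id, requested)
    if denied:
        AUDIT_LOG.append(f"denied app={app_id!r} fields={sorted(denied)}")
        raise ScopeError(f"{app_id!r} may not read {sorted(denied)}")
    # Unknown fields in the request are simply absent from the result.
    return {name: user[name] for name in requested if name in user}


if __name__ == "__main__":
    # Within scope: the geo/social app gets the email and the display name
    # the user chose for it, never the full legal name.
    print(read_user_fields("geo_social", SAMPLE_USER,
                           ["primary_email", "display_name"]))
    # Out of scope: the same app asking for certificates is refused and logged.
    try:
        read_user_fields("geo_social", SAMPLE_USER, ["certificates"])
    except ScopeError as exc:
        print("refused:", exc)
    print(AUDIT_LOG)
```

The scope table is the policy on external applications that the reply mentions; keeping it as data rather than scattered `if` checks means the design of the software does not change when a new application is registered or an existing one loses a permission.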

