cacert-devel - Re: Security of OAuth and OpenID


Re: Security of OAuth and OpenID
  • From: Ian G <iang AT iang.org>
  • To: cacert-devel AT lists.cacert.org
  • Subject: Re: Security of OAuth and OpenID
  • Date: Mon, 13 Jul 2009 12:15:39 +0200

On 13/7/09 00:34, Michael Tänzer wrote:

> I think the new design is good (as far as I'm able to tell) but using
> techniques like OAuth and OpenID might have some security implications
> which have to be considered. If we keep the number of third party
> applications low and make them look like they are not separate systems
> but one (same design and same domain) these risks would be minimized.


Right, we are on the same page. OpenID won't be used, period. It might or might not be offered, but only to infrastructure systems (like the wiki, etc.). That decision is out of scope for Birdshack.

OAuth might be used. When I read the basic architecture, it claimed it would do crypto authentication using fixed public key pairs. If this is what it does, we'll be fine. If not, we'll likely replace it with something that does.

In my mind, for now, this probably means that the only apps that can access the API will need to be registered. It won't be totally open.



iang
