Wednesday, May 06, 2009

OAuth & OpenID CX

Nat Sakimura lays out the similarities and differences between OAuth and the proposed OpenID Contract Exchange extension, and argues that CX, even though it uses a similar protocol flow, is not vulnerable to OAuth's Session Fixation attack - because CX makes identities explicit where OAuth doesn't.

Of course, making identities explicit is pretty straightforward when you're using a global identifier - it gets a lot messier if you want to inhibit correlation through pairwise pseudonyms.

