Tuesday, April 15, 2008

Tradesman's Entrance

Niall Kennedy describes schemes like OAuth for attribute sharing authorization as 'Using the Front Door'.

Actually, I think of the current default model of a site requesting login credentials in order to access a user's attributes as already entering through 'the front door' - and that's the problem. By impersonating the user with their account and password, the requesting site enters as if it were the customer themselves, so no granularity is possible as to what it is allowed to do once in the candy store.

Google's proprietary AuthSub, Yahoo!'s BBAuth, and the standardized OAuth and ID-WSF effectively have the requesting site enter through the tradesman's entrance - its own affiliation displayed clearly on its company shirt, and watched closely by store personnel and security cameras.
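To make the granularity point concrete, here is a small constructed example (added here, not code from the post or from any of the named protocols) contrasting the two doors: a password grants the requesting site everything the user could do, while a delegated token names the requesting site, limits it to granted scopes, and can be revoked. The credential store, token class and audit list are illustrative assumptions.

```python
"""Added example: the 'front door' (password sharing) versus the 'tradesman's
entrance' (delegated, scoped token). Constructed, stand-alone; not a real API."""
from dataclasses import dataclass

# Constructed demo credential store (assumption; not a real password store).
USER_PASSWORD = {"alice": "correct horse"}

# The 'security cameras': every access attempt, attributed to who actually acted.
AUDIT: list = []


@dataclass
class DelegatedToken:
    """Token the user grants to one named requesting site for specific scopes."""
    user: str
    consumer: str        # the 'company shirt': which site is acting
    scopes: frozenset    # what the user allowed that site to do
    revoked: bool = False


def front_door(user: str, password: str, action: str) -> bool:
    """Password sharing: the site enters *as* the user. Any action is allowed,
    and the audit trail cannot tell the site apart from the user."""
    if USER_PASSWORD.get(user) != password:
        return False
    AUDIT.append((user, user, action))   # actor recorded as the user themselves
    return True


def tradesmans_entrance(token: DelegatedToken, action: str) -> bool:
    """Delegated token: allowed only within the granted scopes, only while the
    user has not revoked it, and always attributed to the named consumer."""
    AUDIT.append((token.user, token.consumer, action))
    return (not token.revoked) and action in token.scopes


def actors_seen_for(user: str) -> set:
    """Who the 'cameras' saw acting on this user's data."""
    return {actor for (u, actor, _) in AUDIT if u == user}
```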

