I already don't trust it just because of where the co-authors are from. There are so many ways a scheme like this could go badly wrong. That's a 'nope' from me.
'OAuth please do grow up' say IETF boffins
OAuth is a standard, but like so many standards, there are a lot of implementations to choose from, and that can make it hard to pass around tokens. Ideally, to help thin out the number of passwords a user needs, they can authenticate to one OAuth service, which can then verify that user to other servers. A bunch of IETF 'net boffins …
COMMENTS
Monday 11th January 2016 06:57 GMT P. Lee
>wouldn't the OAuth server basically know every single website I go to as it logs me in?
Which is why we need presence management systems.
Given that most people tie identities to email, we need smtp auto-responders which can provide presence data or (more likely) a url for presence data. Then you can use your email client + address book to separate work, friends and acquaintances and strangers in terms of what they can know about. Maybe provide different pki keys by email to each and use that to identify them.
Monday 11th January 2016 08:39 GMT Paul Crawford
It's fine for a handful of work-related sites where you might, say, want to have a corporate tool for local and remote site password management.
But not for personal stuff, for exactly this reason, just like Farcebook wanting to provide log-in and tracking so it can whore you more effectively to any advertisers (and, of course, the US gov). What is needed is something like a password manager that makes 3rd party tracking hard because it's not "owned" by anyone other than yourself. So something, for example, like a bluetooth dongle built into an (otherwise dumb) watch that also needs a master password each pairing time, so it's mostly with you and not terribly useful if found/stolen.
Tuesday 12th January 2016 07:22 GMT DropBear
Admittedly, SQRL sounds intriguing; I'll have to keep an eye on this. Gibson, on the other hand, is somewhat notorious, and not exactly in a good way, sort of McAfee-style. Let's not forget this is the same guy who thinks you need a discombobulator to stay safe, who was running around in circles headless-chicken style in panic predicting The End Of The Internet As We Know It when raw socket support appeared in Windows...
Monday 11th January 2016 10:42 GMT Christoph
And another problem
Besides the tracking problem as described above, there's another.
Single point of failure.
It's like using the same password on multiple sites - any bug anywhere in the system lets an attacker onto every site that you use (and possibly other sites that you have never been near).
Tuesday 12th January 2016 20:15 GMT Anonymous Coward
Re: Why is oauth needed anyway?
"You've seriously misunderstood what OAuth is going."
I've certainly misunderstood your fucked up English. You get 10 minutes to edit your post, FFS. As for OAuth, it's just another authentication mechanism. Which brings me back to my original point. Care to answer it?