Security Alerts for the Week Ending 9/5/2010

Following Up for the Week Ending 5/23/2010

More on OAuth and Its Future

Ryan Paul has a good expansion at Ars of an O’Reilly Radar piece I noticed a little while back. Ryan backs up a bit to give background on existing authentication systems and the problems inherent in using them effectively on the web. He then charts the current and future versions of OAuth along a trajectory that starts with addressing what he describes as the password anti-pattern and continues through streamlining this potentially more secure scheme until it has the same sort of simplicity that HTTP’s native authentication schemes enjoy.

Part of how the stop-gap OAuth WRAP achieves its streamlining is by pushing encryption lower in the stack, taking advantage of the tried and true SSL/TLS commonly available on most web servers. Ryan provides some more links to supplement David Recordon’s explanation of this stop-gap solution to OAuth’s complexity. WRAP is meant to serve in the meantime while the various stakeholders work on the 2.0 version of OAuth in cooperation with the IETF.
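To make the trade-off concrete, here is an added example (mine, not code from Ryan's article or from any OAuth implementation) contrasting the per-request HMAC-SHA1 signing that OAuth 1.0 requires with the WRAP approach of presenting a bare access token and relying on TLS. The request values reuse the protected-resource example from the OAuth Core 1.0 specification appendix; the helper names and the `wrap_transport_ok` check are my own.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

def oauth_encode(value: str) -> str:
    """Percent-encode per RFC 5849 section 3.6 (only unreserved characters stay bare)."""
    return quote(value, safe="-._~")

def signature_base_string(method: str, url: str, params) -> str:
    """OAuth 1.0 signature base string: METHOD & base URL & normalized, sorted params."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.netloc.lower()
    # Default ports are dropped from the base URL (RFC 5849 section 3.4.1.2).
    for default_scheme, port in (("http", ":80"), ("https", ":443")):
        if scheme == default_scheme and host.endswith(port):
            host = host[: -len(port)]
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_url = f"{scheme}://{host}{parts.path}"
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalized)])

def oauth1_sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret'."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def wrap_transport_ok(url: str) -> bool:
    """A bare token has no signature to protect it, so only TLS transport is acceptable."""
    return urlsplit(url).scheme.lower() == "https"

def wrap_bearer_header(url: str, access_token: str) -> dict:
    """WRAP-style credential: the token is sent as-is; confidentiality comes from TLS."""
    if not wrap_transport_ok(url):
        raise ValueError("WRAP access tokens must only be sent over https")
    return {"Authorization": f'WRAP access_token="{access_token}"'}

# Constructed request using the OAuth Core 1.0 appendix example values.
OAUTH1_URL = "http://photos.example.net/photos"
OAUTH1_PARAMS = [
    ("file", "vacation.jpg"), ("size", "original"),
    ("oauth_consumer_key", "dpf43f3p2l4k3l03"), ("oauth_token", "nnch734d00sl2jdk"),
    ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1191242096"),
    ("oauth_nonce", "kllo9940pd9333jh"), ("oauth_version", "1.0"),
]

def demo_oauth1_signature() -> str:
    return oauth1_sign("GET", OAUTH1_URL, OAUTH1_PARAMS, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00")

if __name__ == "__main__":
    print("OAuth 1.0 oauth_signature:", demo_oauth1_signature())
    print("WRAP header:", wrap_bearer_header("https://photos.example.net/photos", "constructed-token"))
```

The signing side is where OAuth 1.0's implementation bugs live (encoding, parameter ordering, port normalization); WRAP removes that code entirely, which is exactly why it must never be used over plain HTTP.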

Ryan Paul has some decent coding chops under his belt, in addition to working as a tech journalist. I enjoy his detailed coverage, like this article, of new and updated technologies from the perspective of the hacker struggling to use them. If he is optimistic about WRAP and OAuth 2.0, I think there is genuine cause to look forward to future developments.

The State of OAuth

David Recordon has a good state-of-OAuth post on O’Reilly Radar which he developed with Chris Messina, Dick Hardt and Eran Hammer-Lahav, leading lights in Identity 2.0 all. He clarifies some of the recent concerns over the authentication system and tours recent developments and the roadmap ahead.

In particular, the development of OAuth WRAP sounds like the solid sort of grok-and-simplify step that is critical to the maturation not just of a technology but of a specification. Streamlining is key to pressing adoption further and, in this case, to driving up the median security of cooperating web applications.

David and company clearly understand this, given how it informs the incremental progress through WRAP and on into the spin-up of version 2.0. Here’s to more and better OAuth in 2010.