November 2009

and we like it!

OAuth is an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications, as stated on the OAuth web site.

Why do we like OAuth?

  1. It is simple.  Most of the bad security implementations are done by people with good intentions and low skill.  Understanding the issues involved greatly improves the changes of making the right choices.
  2. It solves a real hard problem: giving access to your stuff without sharing your identity.
  3. Plays well with others.  OAuth has built in support for desktop applications, mobile devices, set-top boxes, and of course websites.

OAuth helps delegating rights to a process acting as you, without losing privacy or compromising security.  And the specification is short and possible to understand.  Replacing shared secrets is a really good idea.  Replacing hardcoded application-based passwords is an even better idea.  Replacing spoofing of user by logging in as root/admin and then emulating the actual user is a great idea.  And all of this may be done by OAuth.

One use case is getting access to your data on your behalf, but on a different site while not giving away your identity from the first site. Another is the TCS eScience Personal Portal (aka Confusa) that will use OAuth to authenticate a command line client tool to a web-based service that issues short-lived certificate. Then they will extend it further using OAuth for web-based delegation of proxy-certificates; collaborating with a Norwegian University.  Some other use cases that people in my neighbourhood has been playing with so far

My house was tagged with a little RFID tag yesterday.  It sits quietly inside the door jamb, under a sticker with the logo of the cleaning company.   When I got the CTO job, a condition from the family was to get cleaning help, and we got a company to come and clean the house.  They do a good job, and they work hard.

I suspect that the reason for the tag is to be able to change our bill if the cleaning of our house consistently runs over time, and to keep track of employees who slack off compared to others.  The latter is related to privacy, the first is economics.

The company sent us a letter two weeks before the sticker was applied.  The main topic of the letter was informing us about the sticker, since it sticks to stuff in our house and they would like us not to remove it by accident.  The main text was about how this RFID was not in any way an invasion of our privacy, and that it had been cleared with the Data Inspectorate.

On one hand, this was encouraging, since privacy obviously was a major topic that needed more text than the simple fact of redecorating our entrance hall.  On the other hand this was discouraging as the privacy invasion is on the part of the company employees who will now be monitored on how much time they use in each house, and this was not the focus.