In a wordy article that could have been much shorter and a lot less sensational, Ryan Paul of ArsTechnica throws mud mostly at Twitter, but saves plenty to throw at OAuth. Unfortunately, Ryan Paul (who clearly is a smart guy) is heavy on the accusation but light on the arguments. Typically, I would go over this article an item at a time, but I’m right in the middle of draft 11 of OAuth 2.0 which is a much better use of my time. If you want to read a great rebuttal, Ben Adida’s response (as always) is a great read.

OExchange is a newly-introduced protocol stack that allows users to share URL-based content with any service on the web. It covers posting links to social networks as well as sending content to things like online translation and printing services.

The protocol — driven by the folks at Clearspring (where I work) with the support of a long list of online services — builds on several existing open web specifications. It is backed by an open development list, tools for developers, and lots of additional resources.

Well, the open community can’t beat Facebook.

But companies using open technologies can – by building better products. Outside the echo chamber of web standards fanatics, the vast majority of web users don’t care about how the web works. They care about their user experience, where their friends are, and when something goes wrong, protecting their privacy.

When I read about Google Buzz (and other open-based products), it is repeatedly described as the open alternative to Facebook. Does this information help me (as a consumer) make a better decision about which product to use? No. That’s like telling the average cell phone buyer that the difference between the iPhone and Android is that the latter uses an open source operating system. When it comes to selling phones, Google relies on their search reputation and brand, not the openness of their platform.

A few weeks ago, a handful of web companies led by Meebo and Google (with moral support from Yahoo!) announced their support for a new protocol called XAuth. The idea is very simple and seemingly appealing – create a sort of shared-cookie service for sites to use to store and find which identity providers a [...]

The landscape of the community-engineered social web, the one based on open technologies, has changed dramatically over the past few months. If you took a year off and just came back, you would probably not recognize it at all. The movement that started with protocols such as OpenID, OAuth, and Activity Streams, is now mostly [...]

Two weeks ago, the IETF OAuth Working Group published the first draft of the OAuth 2.0 protocol. OAuth is a security protocol that enables users to grant third-party access to their web resources without sharing their passwords. OAuth 1.0 was published in December 2007 and quickly became the industry standard for web-based access delegation. A [...]

(Yes, that was a LRDD-inspired pun.) XRD 1.0 is the result of 5 years of community development and actual deployment experience. It represents the most concise, yet extensible way to describe web resources using well understood constructs such as links. It uses XML as its extensible backbone, enabling protocols to extend pretty much every element [...]

After almost three years working on various discovery proposals, I’m finally starting to see the light at the end of the tunnel. While slow, good progress is being made and the drafts are reaching maturity and gaining popularity. Just a quick update on the status of the various parts of the discovery stack (aka The [...]

Metalink is an XML format for describing downloads. Publishers pack information about a download into a Metalink XML file, such as mirrors and checksums, to overcome many common download problems like a server going down or file corruption. Other useful information can be included as well. Metalink/HTTP, or mirrors & hashes in HTTP Headers, is [...]

This first piece of the discovery stack was published today as an RFC. RFC 5785 defines a registry for new well-known URIs which will provide a standard location for the host-meta document. This work started a year and a half ago as a well-known document called /site-meta, and slowly evolved into a simple registry. While [...]

In an effort to resume work on the OAuth 2.0 protocol at the IETF OAuth Working Group, I posed three questions about the authentication half of the protocol. From my perspective as the specification editor, these questions are the main open issues currently standing between us and a draft covering the authentication process in OAuth [...]

This post was written as a collaboration between Chris Messina (Google), Dick Hardt (Microsoft), David Recordon (Facebook), and me, and was originally published on O’Reilly Radar. The OAuth protocol and community have seen a lot of changes over the past couple of years. With the recent introduction of WRAP, the IETF working group, and discussions [...]