Ross Singer wrote:
> Agreed on this assessment, Jonathan. MJ, can you extrapolate on your
> concerns, because that Ars Technica article is not going to cut it for
> anything more than to avoid the choices that Twitter made.
I've just sent another message trying to do that. Hope it helps.
> And even by the standards of that article, I'm not sure that OAuth is
> inappropriate for the ILS-DI's use cases which are:
>
> 1) server-to-server communication as the first priority
> 2) something relatively standardized and abstracted enough to allow
> for institutions' local authentication mechanisms.
I think FOSS servers would be affected by the published-key spoofing
flaw too, wouldn't they?
Some of the projects that want to support ILS-DI are FOSS - one of the
Koha support companies signed some ILS-DI announcement IIRC, while
another wrote some of the code to implement it.
> Which basically spells out the problem the ILS-DI group is facing: an
> incomplete, but evolving standard with heavy industry support, or...
> nothing.
Glad to see it's recognised that OAuth is incomplete.
I've heard as much opposition as support among developers. On the one
hand, it's more work to sell. On the other, they're now even more at
the mercy of big service providers who can break their applications
(and so eat their support budgets) at will.
> We are still very much in the fact-gathering stage, so any suggestions
> are welcome. [...]
If the problem that the group is trying to solve was explained on this
list, readers might be able to offer suggestions.
Hope that helps,
--
MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op.
Webmaster, Debian Developer, Past Koha RM, statistician, former lecturer.
In My Opinion Only: see http://mjr.towers.org.uk/email.html
Available for hire for Koha work http://www.software.coop/products/koha
|