[OAUTH-WG] Kiva OAuth design decisions

Skylar Woodward <skylar@kiva.org> Wed, 27 October 2010 07:58 UTC

From: Skylar Woodward <skylar@kiva.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Wed, 27 Oct 2010 10:00:35 +0200
Message-Id: <525AA51F-7DD3-4789-8DE1-63B0A8B2CBA4@kiva.org>
To: OAuth WG <oauth@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1081)
X-Mailer: Apple Mail (2.1081)
Subject: [OAUTH-WG] Kiva OAuth design decisions

Kiva is in the process of implementing OAuth for our API. The current 2.0 draft lacks signatures, which we determined to be a necessary layer of protection for some of our transactions. However, 1.0 is unnecessarily complex and offers a misleading sense of security for apps that can't keep secrets. We've decided on a hybrid approach for now that uses 2.0 mechanics but 1.0 signatures (leveraging existing libraries and know-how). We've posted our plans here:


Hopefully another real-world provider implementation can help put some decisions in context as work continues to finalize the spec.

Recently, there have been discussions of both formal and informal meetings on this list.  This Saturday, October 30, at La Cantine in Paris, we're expecting to have a lively session on OAuth, the evolving 2.0 spec, and where it's headed.  Anyone who is in the area or otherwise able to make it is welcome to join - no one who shows up will be refused (regardless of what the registration pages say):
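The following is an added illustration of the design point in the message above (request signatures on top of a 2.0-style issued token); it is not Kiva's code and not part of the original post. It implements the OAuth 1.0 signature base string and HMAC-SHA1 signature from RFC 5849 and contrasts a bearer-only token check with a signed-request check. The endpoint URL, the client and token secrets, the token store, the timestamp and the lending parameters are all constructed for the example, and the assumption that the token secret issued alongside the 2.0-style access token acts as the 1.0 token secret is this example's reading of "2.0 mechanics but 1.0 signatures", not something the message spells out.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials (not Kiva's): a 2.0-style issued access token
# together with a per-token secret that serves as the 1.0-style signing key.
CLIENT_SECRET = "client-secret-constructed"
TOKEN_STORE = {"tok_abc123": "token-secret-constructed"}


def pct(value):
    """RFC 5849 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, base_url, params):
    """Build the RFC 5849 section 3.4.1 signature base string.

    params is a list of (key, value) pairs: the query/body parameters plus the
    oauth_* protocol parameters, excluding oauth_signature itself.
    """
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string, client_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with client secret & token secret."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, base_url, params, client_secret, token_secret):
    """Client side: the oauth_signature value to send with the request."""
    base = signature_base_string(method, base_url, params)
    return hmac_sha1_signature(base, client_secret, token_secret)


def bearer_check(params):
    """What a bearer-token-only resource server verifies: the token exists.
    Nothing binds the token to the method, URL or parameters of this request."""
    return dict(params).get("oauth_token") in TOKEN_STORE


def signed_check(method, base_url, params, signature, seen_nonces, now, window=300):
    """Server side: recompute the signature from stored secrets and compare it,
    after rejecting stale timestamps and replayed (token, nonce) pairs."""
    p = dict(params)
    token_secret = TOKEN_STORE.get(p.get("oauth_token"))
    if token_secret is None:
        return False
    try:
        ts = int(p.get("oauth_timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > window:
        return False
    nonce_key = (p["oauth_token"], p.get("oauth_nonce"))
    if nonce_key in seen_nonces:
        return False
    expected = sign_request(method, base_url, params, CLIENT_SECRET, token_secret)
    if not hmac.compare_digest(expected, signature):
        return False
    seen_nonces.add(nonce_key)
    return True


def demo():
    """Sign a constructed lending request, then present a tampered copy and a replay.

    Returns (original accepted, tampered passes bearer check,
             tampered passes signed check, replay passes signed check).
    """
    url = "https://api.example.org/loans/lend"  # constructed endpoint, not Kiva's
    params = [("loan_id", "100"), ("amount", "25.00"),
              ("oauth_consumer_key", "client1"), ("oauth_token", "tok_abc123"),
              ("oauth_signature_method", "HMAC-SHA1"),
              ("oauth_timestamp", "1288166439"), ("oauth_nonce", "n1")]
    sig = sign_request("POST", url, params, CLIENT_SECRET, TOKEN_STORE["tok_abc123"])
    seen = set()
    now = 1288166440  # constructed "current time" one second after the request
    original_ok = signed_check("POST", url, params, sig, seen, now)
    # An intercepted request with the amount changed: the token is still valid,
    # so a bearer-only check accepts it, while the signature no longer matches.
    tampered = [(k, "250.00" if k == "amount" else v) for k, v in params]
    tampered_bearer = bearer_check(tampered)
    tampered_signed = signed_check("POST", url, tampered, sig, seen, now)
    # The unmodified request sent a second time: nonce already consumed.
    replayed = signed_check("POST", url, params, sig, seen, now)
    return original_ok, tampered_bearer, tampered_signed, replayed


if __name__ == "__main__":
    print(demo())
```

The bearer check and the signed check differ only in what they bind: the former proves possession of a token string, the latter proves possession of a secret that never leaves the client and ties that proof to the exact request. This is the "layer of protection for some of our transactions" the message refers to, at the cost of the base-string canonicalisation that makes 1.0 libraries fiddly to get right.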