
launchpad-dev team mailing list archive

Re: Fwd: [Fwd: Quickly and Launchpad]

 

On Fri, 2010-06-25 at 08:28 +0200, Didier Roche wrote:
> On Friday 25 June 2010 at 16:16 +1000, William Grant wrote:
> > The code of the basic write implementation is simple. However,
> > difficulty arises when we consider that normal API applications probably
> > shouldn't be able to touch other authentication tokens. It is intended
> > that one should be able to stop a rogue application by simply revoking
> > its OAuth token; if applications were permitted to add new SSH and
> > OpenPGP keys, they could add backdoors that would not be closed using
> > normal means.
> > 
> 
> My point is that people are already able to do that with
> screen scraping (see GroundControl for instance), I don't really
> understand why exposing those to API is more or less a security issue
> there when people click on "change everything".
> Or do you mean that adding gpg or ssh key writable to API is opening
> other backdoors that the site itself doesn't enable?

If I give an application my SSO email address and password, I expect
them to be able to do anything at all. But applications aren't meant to
request that information -- one reason is that it's a lot harder to
revoke access granted that way, and those credentials have access to a
lot more than just Launchpad. OAuth is meant to be a solution to this.

I think perhaps an additional access mode which permits alteration of
authentication tokens could work. We already need more flexibility in
that area.
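
The revocation argument in this thread, modelled as an added example (not part of the original message and not Launchpad's code): a write-scoped token adds an SSH key, the token is revoked, and the key either survives or was never accepted depending on whether credential changes need a separate access mode. The `Access` names, `Account` class and `MANAGE_CREDENTIALS` scope are hypothetical, and the key string is constructed.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Access(Flag):
    """Scopes an OAuth token can carry (names are assumptions for this sketch)."""
    READ = auto()
    WRITE = auto()
    MANAGE_CREDENTIALS = auto()  # hypothetical extra access mode


@dataclass
class Account:
    tokens: dict = field(default_factory=dict)    # token id -> Access
    ssh_keys: dict = field(default_factory=dict)  # key text -> issuing token id

    def authorize(self, token_id, needed):
        granted = self.tokens.get(token_id)
        if granted is None or needed not in granted:
            raise PermissionError(f"{token_id!r} lacks {needed}")

    def add_ssh_key(self, token_id, key, split_scope=True):
        # split_scope=False models an API where plain write access may
        # also alter authentication tokens.
        needed = Access.MANAGE_CREDENTIALS if split_scope else Access.WRITE
        self.authorize(token_id, needed)
        self.ssh_keys[key] = token_id

    def revoke(self, token_id):
        # Revocation only deletes the OAuth token; credentials added
        # through it are separate objects and remain.
        self.tokens.pop(token_id, None)


def keys_surviving_revocation(split_scope):
    """Return SSH keys still on the account after revoking a write-only app."""
    account = Account(tokens={"app-token": Access.READ | Access.WRITE})
    try:
        account.add_ssh_key("app-token", "ssh-rsa CONSTRUCTED-KEY app", split_scope)
    except PermissionError:
        pass  # request refused: the token lacks the credential scope
    account.revoke("app-token")
    return sorted(account.ssh_keys)


if __name__ == "__main__":
    print("write may alter credentials:", keys_surviving_revocation(False))
    print("separate access mode:       ", keys_surviving_revocation(True))
```

The `ssh_keys` map records the issuing token id, which is also what an audit would need in order to list credentials added through a token that was later revoked.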



