Thanks for commenting. I agree with you — this (“is great”, “sucks”). A bad thing was discovered, a bad thing will get fixed; lather, rinse, repeat. It’s just unfortunate that a project with such bold and beautiful ambitions now stands to potentially get some awful press, not to mention it’s one more fodder for the folks who view “open standards” as bad. Add a dash or two of confusion around “open standard” vs “open source”, and we’ve got another disgusting pot of Proprietary Stew.

Thanks for the comment. As Eran Hammer-Lahav (from OAuth) told CNET, Twitter “basically took the PR hit in order to allow other companies to address it”. I can sort of get behind that — Twitter does have the sort of momentum and growth that allows them to make such a move.

1) One of the benefits of an open standard is to get many eyes on it to vet it and secure it. Now, the more eyes the better, and exposure via Twitter is great! In fact, finding this vuln is great! The sad part is that for many, this one mistake could influence their view of the project for a long time. It’s strange. We work in a world of fallible humans and we’re surrounded with security mistakes all the time that, while important, are better found and fixed than not found and get worse. But general publics (and business) tend to close the lid after just one mistake.

2) I’m skeptical about things like openid and oauth because of the normal American capitalist culture. Our business culture promotes profiting off ’stuff’ and competition. The very things we don’t need if we ever want to hope for more universal id/auth. We need cooperation and no entity charging licensing or patent use fees or something. That OpenID and OAuth have gotten as far as they have may dash my opinion, but I’ll stick to it for now.

Seconded. My curiousity would be, who didn’t make the OAuth patching deadline?