[wp-xmlrpc] Any interest in OAuth?

Joseph Scott joseph at randomnetworks.com
Wed Jun 18 19:12:32 GMT 2008

On Jun 18, 2008, at 12:02 PM, Joe Cheng wrote:

>> While perhaps not the ideal situation that everyone would like,
>> having XML-RPC not require HTTP authentication has made it much
>> easier to support in a variety of server environments.
> That's a laudable goal and I agree it would've been a mistake to  
> require HTTP auth. X-WSSE grew out of exactly the same set of  
> constraints. Other than the fact that it requires the server to  
> know the password, it seems like it would've been perfect for WP.
> http://www.xml.com/pub/a/2003/12/17/dive.html

I can appreciate what WSSE was trying to accomplish, but in the end
requiring a clear text password to be stored in the database is just a
bad idea.  Making WSSE a non-starter.

> I don't claim to have a solution but at least it would be good to  
> get to consensus about whether we even have a security problem  
> right now.

I think it's pretty fair to say that there's a problem right now.  As  
I mentioned, there's actually two.  First one is solved by SSL/TLS,  
if you've got it, use it.  I'll be working to promote this on the  
WordPress.com side of things.  For the greater WordPress community  
though, it's optional and can't be enforced unfortunately.  Bummer,  
but that's where things are at right now.  If things change,
great, and we can even help promote that.  The second problem is one  
of username/password request proliferation by applications and  
services.  I see these as two different problems, with this thread  
(hopefully) being focused on the second problem.

>> I'm not claiming that XML-RPC is perfect, or even the best, but it
>> shouldn't be blamed for what people built on top of it.
> Yes, I've been using XML-RPC to mean "The family of blogging  
> protocols based on XML-RPC". However, since the same guy invented  
> XML-RPC and MetaWeblog, I don't feel too bad painting with a broad  
> brush ;)

:-)  I think that's a common feeling.

Joseph Scott
joseph at randomnetworks.com
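
Why X-WSSE needs the server to hold the password in recoverable form, as an added example that is not part of the original message or of WordPress: it uses the UsernameToken digest formula PasswordDigest = Base64(SHA-1(Nonce + Created + Password)). The function names, sample credentials and the PBKDF2 stand-in for a one-way password store are assumptions; nonce and timestamp replay checks are left out.

```python
import base64
import hashlib
import hmac
import os

def wsse_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(Nonce + Created + Password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def client_header(username: str, password: str, created: str) -> dict:
    """Fields a client sends in X-WSSE; the password itself never travels."""
    nonce = os.urandom(16)
    return {
        "Username": username,
        "PasswordDigest": wsse_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created,
    }

def verify_with_plaintext(token: dict, stored_password: str) -> bool:
    """Server side: recomputing the digest needs the password itself."""
    nonce = base64.b64decode(token["Nonce"])
    expected = wsse_digest(nonce, token["Created"], stored_password)
    return hmac.compare_digest(expected, token["PasswordDigest"])

def salted_hash(password: str, salt: bytes) -> str:
    """Stand-in for a one-way password store (assumption: PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def verify_with_hash_only(token: dict, stored_hash: str) -> bool:
    """A server holding only a one-way hash can at best use that hash as the
    secret, which never matches the digest the client computed."""
    return verify_with_plaintext(token, stored_hash)

# Constructed sample values, not taken from the thread.
TOKEN = client_header("joe", "correct horse", "2008-06-18T19:12:32Z")
STORED_HASH = salted_hash("correct horse", b"constructed-salt")

if __name__ == "__main__":
    print("plaintext store verifies:", verify_with_plaintext(TOKEN, "correct horse"))
    print("hash-only store verifies:", verify_with_hash_only(TOKEN, STORED_HASH))
```

Storing the one-way hash and having clients digest that hash instead would only turn the stored value into a password equivalent, so a database leak would still expose usable credentials.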
