How We Interact With the Unknown

Discovery discussions tend to be very technical and detail-oriented. I have been looking for ways to explain how the basic elements in my discovery proposals are based on simple concepts taken directly from how humans interact with the unknown. Our brain is nothing but a big pattern-matching machine, and machine discovery works in a very similar way.

The basic idea is that discovery is the combination of three concepts:

Discovery = Patterns + Interfaces + Descriptors

The Discovery Protocol Stack, Redux

What started as a small, simple specification ended up spread over five (and counting) documents. Given that these are still moving targets, at least for a little while longer, it can get very confusing for people trying to follow this work. A few months ago I wrote about the new discovery stack, which included XRD, LRDD, and the three links. Since then, the design has changed to include new components and some shuffling of the existing ones.

Explaining the OAuth Session Fixation Attack

There is a pretty good story behind this: how we found and managed the OAuth protocol security threat identified last week. In many ways, the story is much more important and interesting than the actual technical details of the exploit.

For everyone involved, this was a first-of-a-kind experience: managing a specification security hole (as opposed to a software bug) in an open specification, with an open community, and no clear governance model. Where do you even begin?

But right now, I know you want the technical details.


Introducing ‘Sign-in with Twitter’, OAuth-Style “Connect”

Yesterday Twitter released ‘Sign-in with Twitter’, the ability to use Twitter as a delegated sign-in provider for third-party websites. The cool thing about this new feature, which is part of their OAuth API beta, is that it is completely standard OAuth. No extensions, no secret sauce, and not another proprietary provider (yes, I’m looking at you Facebook).


It is Open done right.

With this small enhancement of the Twitter OAuth API, Twitter created a product that directly competes with Facebook Connect. The implementation details are significantly different (and there are some technical shortcomings on both sides), but there is little you can do with one and not the other. There is no reason why ‘Sign-in with Twitter’ cannot be used anywhere Facebook Connect is offered, including blog posts and activity streaming.
