I don't dispute that there are scenarios in which I need short-term
credentials, especially in the 3-legged scenarios!

But there are 2-legged scenarios (e.g. updating my Twitter status)
where I need long-lived credentials and sending an HMAC of my password
(and nonce, timestamp, etc.) is better than sending my password in the
clear (as at least one Twitter client seems to do).  I know that I can
log in on Twitter over SSL but OAuth would be, IMO, nicer.  For
example, from a Java ME MIDlet on a mobile phone:
(1) It would be faster (the SSL handshakes can be pretty slow from a
mobile device).
(2) I wouldn't have to worry about the phone having Twitter's CA key
installed since mobile phones are notorious for having bizarre choices
of CA keys.



On Mar 9, 7:36 am, JR Conlin <[email protected]> wrote:
>
> <snip>

> If your OAuth credentials are your username and password, you kinda lose
> the ability to reset things should they go horribly wrong.
>
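
An added illustration of the 2-legged HMAC-SHA1 signing discussed in this message (not code from either poster or from any OAuth library): the client signs the request with a shared secret plus nonce and timestamp, and the server recomputes the signature and rejects stale or replayed requests. The endpoint URL, consumer key, secret value and helper names are assumptions made for the example.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

URL = "https://api.example.test/statuses/update"  # placeholder endpoint (assumption)

def enc(value):
    # OAuth 1.0 percent-encoding: everything except RFC 3986 unreserved characters
    return quote(str(value), safe="")

def sign(method, url, params, consumer_secret, token_secret=""):
    # Base string = METHOD & encoded URL & encoded, sorted "k=v" parameter list
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), enc(url), enc(normalized)])
    # 2-legged: there is no token, so the token-secret half of the key is empty
    key = f"{enc(consumer_secret)}&{enc(token_secret)}"
    mac = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def build_request(status, consumer_key, secret, nonce, timestamp):
    params = {"status": status, "oauth_consumer_key": consumer_key,
              "oauth_nonce": nonce, "oauth_timestamp": str(timestamp),
              "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0"}
    params["oauth_signature"] = sign("POST", URL, params, secret)
    return params  # the secret itself is never part of what is sent

class Verifier:
    def __init__(self, secrets, max_skew=300):
        self.secrets, self.max_skew, self.seen = secrets, max_skew, set()

    def check(self, method, url, params, now=None):
        params = dict(params)
        sent = params.pop("oauth_signature", "")
        secret = self.secrets.get(params.get("oauth_consumer_key"))
        if secret is None:
            return "unknown consumer"
        ts = params.get("oauth_timestamp", "")
        now = time.time() if now is None else now
        if not ts.isdecimal() or abs(now - int(ts)) > self.max_skew:
            return "stale timestamp"
        expected = sign(method, url, params, secret)
        if not hmac.compare_digest(expected.encode(), sent.encode()):
            return "bad signature"
        replay_key = (params["oauth_consumer_key"], ts, params.get("oauth_nonce"))
        if replay_key in self.seen:  # same nonce and timestamp already accepted
            return "replayed request"
        self.seen.add(replay_key)
        return "ok"
```

A captured request cannot be altered or replayed against this verifier, but the long-lived secret is still the only thing protecting the account, which is the reset concern raised in the quoted reply.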