Allen Tom wrote:
> Martin Atkins wrote:
>> Indeed, but if for example I take the oauth consumer key and secret out
>> of the Movable Type FireEagle plugin and use it in my service then I can
>> use FireEagle without agreeing to the legal terms
>
> Sure, but the developer that was issued the CK had agreed to the terms,
> and is legally bound to them. For instance, the developer might have
> agreed to not be abusive, or to not use the CK for commercial purposes.

So if I use MT's key to be abusive, would Yahoo! shut off every MT instance that's using FireEagle and/or sue Six Apart? (Assuming, for the sake of this argument, that I'm not a Six Apart employee.)

As long as it's possible to make requests without agreeing to the terms -- which it quite obviously is -- the terms are worthless.

I'm not arguing that consumer credentials should be removed entirely -- they do clearly have value in situations where they can be kept secret -- but they ought to be used only in situations where a special level of access is granted, and the business agreement in that case should include a requirement that the credentials be kept secret.

Ultimately it's up to the user to make the final decision about whether to trust the calling application; it's not like allowing unregistered apps would create a security free-for-all.
