On 24 Nov 2008, at 15:13, fastest963 wrote:
> A better alternative would be to just create an API key for
> every user. Instead of entering username/password, they would enter
> their secret API key?

This is far less secure than OAuth and is actually not much better than requiring a username and password.

One of the core benefits of OAuth is the ability to be very specific regarding what each authorised application is allowed to do, on a per application basis. It also allows you to selectively revoke the permissions of any specific application without needing to ask or even tell the application about it. To do this with the API key system you effectively need to re-authorise every app you use when you want to block just one of them. No real difference between this and having to change your password.

I would much prefer that the guys (and gals) at Twitter concentrate on getting OAuth properly implemented (which is harder than it sounds) than their attention gets diverted by developers too impatient to wait for the right solution to the problem.

-Stut

--
http://stut.net/
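
The contrast drawn in the message above, as an added example that is not part of the original post or of Twitter's API: a single per-user API key versus per-application tokens with scopes and server-side revocation. This is a simplified model of the authorisation data only (no OAuth handshake or request signing); the class names, app names and the `read`/`post` scopes are hypothetical.

```python
import secrets

class SharedKeyAccount:
    """One secret API key per user, handed to every application."""
    def __init__(self):
        self.key = secrets.token_urlsafe(32)

    def allows(self, presented_key, action):
        # 'action' is ignored: the key has no app identity and no scope.
        return secrets.compare_digest(presented_key, self.key)

    def rotate(self):
        # The only way to block one application; it invalidates all of them.
        self.key = secrets.token_urlsafe(32)


class DelegatedAccount:
    """Per-application tokens with scopes, in the style of OAuth grants."""
    def __init__(self):
        self._grants = {}  # token -> (app name, frozenset of scopes)

    def authorise(self, app, scopes):
        token = secrets.token_urlsafe(32)
        self._grants[token] = (app, frozenset(scopes))
        return token

    def allows(self, token, action):
        grant = self._grants.get(token)
        return grant is not None and action in grant[1]

    def revoke(self, app):
        # Server-side only; the application is neither asked nor told.
        self._grants = {t: g for t, g in self._grants.items() if g[0] != app}


def demo():
    shared = SharedKeyAccount()
    reader_key = poster_key = shared.key  # both apps hold the same secret
    can_post_before = shared.allows(reader_key, "post")  # "read-only" app can post
    shared.rotate()  # blocking the reader app locks out the poster app too
    shared_after = (shared.allows(reader_key, "read"), shared.allows(poster_key, "post"))

    acct = DelegatedAccount()
    reader = acct.authorise("reader-app", {"read"})
    poster = acct.authorise("poster-app", {"read", "post"})
    scoped = (acct.allows(reader, "read"), acct.allows(reader, "post"))
    acct.revoke("reader-app")  # poster-app keeps working, untouched
    delegated_after = (acct.allows(reader, "read"), acct.allows(poster, "post"))
    return can_post_before, shared_after, scoped, delegated_after
```

`demo()` returns the four results in order: the shared key lets a read-only app post, rotating it locks out both apps, the scoped token is limited to `read`, and revoking one app leaves the other working.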
