> > No, there's really not a good solution for open source developers. :(
> 
> If there really isn't a good solution for open source developers, there
> isn't a good solution for *any* developers unless you're running through
> a private proxy (and even that has problems).
> 
> I think that the PIN solution is about as workable as anything at the
> present, and haven't seen any solid ideas for improving upon it without
> breaking the core principles of OAuth.  As far as app reputation and
> source reporting goes, the OAuth solution is no less secure than basic
> auth source parameters (there's no verification that an application is
> authorized to use a given source parameter).

No less secure, but the problem I haven't seen an answer to is whether
Twitter plans to use keys to lock out badly behaved applications. If that's
true, then a rogue app can effectively DOS out an innocent unrelated app by
masquerading as it and doing naughty things, and getting its key suspended.
If they have no plans to do this, then I agree that it's no different than
Basic Auth source parameters.

-- 
------------------------------------ personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- In memory of DeForest Kelley -----------------------------------------------