It's different from basic auth in the way that OAuth was primarily designed
to be different -- the app need not know your password (thus preventing a
rogue app from stealing it) and it need not send it over the wire with every
request (thus preventing a rogue entity from monitoring and trapping it over
the wire).

On Sat, Jul 11, 2009 at 12:54, Cameron Kaiser <spec...@floodgap.com> wrote:

>
> > > No, there's really not a good solution for open source developers. :(
> >
> > If there really isn't a good solution for open source developers, there
> > isn't a good solution for *any* developers unless you're running through
> > a private proxy (and even that has problems).
> >
> > I think that the PIN solution is about as workable as anything at the
> > present, and haven't seen any solid ideas for improving upon it without
> > breaking the core principles of OAuth.  As far as app reputation and
> > source reporting goes, the OAuth solution is no less secure than basic
> > auth source parameters (there's no verification that an application is
> > authorized to use a given source parameter).
>
> No less secure, but the problem I haven't seen an answer to is whether
> Twitter plans to use keys to lock out badly behaved applications. If that's
> true, then a rogue app can effectively DoS out an innocent unrelated app by
> masquerading as it and doing naughty things, and getting its key suspended.
> If they have no plans to do this, then I agree that it's no different than
> Basic Auth source parameters.
>
> --
> ------------------------------------ personal: http://www.cameronkaiser.com/ --
>   Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
> -- In memory of DeForest Kelley -----------------------------------------------
>



-- 
Internets. Serious business.
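The property the reply above describes, written out as an added example (this is not code from the original thread, from Twitter or from any OAuth library): an OAuth 1.0a client signs each request with HMAC-SHA1 over the request plus a fresh nonce and timestamp, and sends only its consumer key, the user's access token and the signature. The request, consumer key and token values are the ones in RFC 5849 section 3.4.1.1; the two secret values, the realm and all function names are assumptions made for this example.

```python
"""OAuth 1.0a (RFC 5849) request signing with HMAC-SHA1.

Added example, not from the original thread. The application holds a consumer
key/secret and a per-user access token/secret. Each request carries a signature
over the request and a fresh nonce/timestamp; neither the user's password nor
either secret is transmitted, which is the difference from Basic Auth that the
message above describes.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(value: str) -> str:
    """RFC 5849 section 3.6: percent-encode all but ALPHA / DIGIT / - . _ ~"""
    return quote(value, safe="-._~")


def base_string_uri(url: str) -> str:
    """Scheme and host lowercased, default port dropped, query removed (section 3.4.1.2)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port is not None and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, body_params, oauth_params):
    """Section 3.4.1: METHOD & enc(base URI) & enc(normalized parameters)."""
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params += list(body_params)  # application/x-www-form-urlencoded body, already decoded
    params += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)  # by name, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)), oauth_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """Key is enc(consumer secret) & enc(token secret); output is base64 (section 3.4.2)."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, body_params, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None):
    """Client side: build the oauth_* protocol parameters and attach the signature."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        # Unique per timestamp; a server that records (key, token, timestamp, nonce)
        # can refuse a captured request that is replayed later.
        "oauth_nonce": nonce or secrets.token_hex(8),
    }
    base = signature_base_string(method, url, body_params, oauth_params)
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth_params


def authorization_header(oauth_params, realm=None):
    """Section 3.5.1: protocol parameters travel in the Authorization header."""
    fields = [f'realm="{realm}"'] if realm else []
    fields += [f'{k}="{oauth_encode(v)}"' for k, v in oauth_params.items()]
    return "OAuth " + ", ".join(fields)


def verify_request(method, url, body_params, oauth_params, consumer_secret, token_secret):
    """Server side: look up both secrets by key/token, recompute, compare in constant time."""
    presented = oauth_params.get("oauth_signature", "")
    base = signature_base_string(method, url, body_params, oauth_params)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(presented.encode(), expected.encode())


# Request, consumer key and token from RFC 5849 section 3.4.1.1; the two secrets
# are constructed for this example (the RFC does not state them).
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = parse_qsl("c2&a3=2+q", keep_blank_values=True)
CONSUMER_KEY, CONSUMER_SECRET = "9djdj82h48djs9d2", "consumer-secret-held-by-the-app"
TOKEN, TOKEN_SECRET = "kkk9d7dh3k39sjv7", "token-secret-issued-at-pin-exchange"


def demo():
    """Sign the RFC request with fixed nonce/timestamp, then verify it as the server would."""
    signed = sign_request("POST", RFC_URL, RFC_BODY, CONSUMER_KEY, CONSUMER_SECRET,
                          TOKEN, TOKEN_SECRET, nonce="7d8f3e4a", timestamp="137131201")
    header = authorization_header(signed, realm="Example")
    ok = verify_request("POST", RFC_URL, RFC_BODY, signed, CONSUMER_SECRET, TOKEN_SECRET)
    return header, ok


if __name__ == "__main__":
    hdr, ok = demo()
    print(hdr)
    print("verified:", ok)
```

The header that goes over the wire holds the consumer key, the token and a signature; the password the user typed at the PIN step, the consumer secret and the token secret never appear in it, and changing the method, the nonce or any parameter after signing makes verification fail. Note what the signature does and does not prove, which is the point of the quoted exchange: it proves possession of the consumer secret and token secret, not which application produced the request, so for an open-source client whose consumer secret is readable in its source the server cannot tell the genuine app from one masquerading as it.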