On 1/18/2010 8:45 PM, Marc Mims wrote:
* Isaiah Carew<isa...@me.com>  [100118 19:02]:
If every person that uses an app accesses the API with their own personal app 
credentials that would mean the app would appear to Twitter as hundreds, or 
potentially thousands, of individual applications.

One goal of application registration is to control application privileges en 
masse.  So that when malware is found it's privileges can be revoked quickly.  
Or even in the more banal case: an app doing something taxing to the API. The 
privileges could be revoked/modified until the problem was fixed and then 
reenabled -- all while the users are blissfully unaware.

If each person who uses an app registers it themselves then Twitter no longer 
has the ability to monitor the app as a whole, essentially crippling one of 
OAuth's most compelling reasons for being.

Hopefully twitter suspends user accounts, not application access, when
malicious activity is detected.  Otherwise, all desktop apps, whether
closed or open source, are vulnerable.

It isn't difficult to extract the consumer key and secret from any
desktop application that ships with them and use them in malicious code.

Registering a consumer key/secret for every instance of a desktop
application seems like an unreasonable requirement to place on users.
So, I agree that isn't the solution.  I certainly want to see the user
count on my OAuth apps page for the desktop apps I release.  Per user
consumer keys not only prevent Twitter from application tracking, they
also prevent the application developer from tracking it as well.

Consider the consumer key and secret public for desktop apps.  They are.


I don't even like the term "secret".  I'd prefer the term keypair.

Reply via email to