On 1/18/2010 8:45 PM, Marc Mims wrote:
> * Isaiah Carew <isa...@me.com>  [100118 19:02]:
>> If every person that uses an app accesses the API with their own personal app
>> credentials, that would mean the app would appear to Twitter as hundreds, or
>> potentially thousands, of individual applications.
>>
>> One goal of application registration is to control application privileges en
>> masse, so that when malware is found its privileges can be revoked quickly.
>> Or even in the more banal case: an app doing something taxing to the API. The
>> privileges could be revoked/modified until the problem was fixed and then
>> re-enabled -- all while the users are blissfully unaware.
>>
>> If each person who uses an app registers it themselves, then Twitter no longer
>> has the ability to monitor the app as a whole, essentially crippling one of
>> OAuth's most compelling reasons for being.
>
> Hopefully Twitter suspends user accounts, not application access, when
> malicious activity is detected.  Otherwise, all desktop apps, whether
> closed or open source, are vulnerable.
>
> It isn't difficult to extract the consumer key and secret from any
> desktop application that ships with them and use them in malicious code.
>
> Registering a consumer key/secret for every instance of a desktop
> application seems like an unreasonable requirement to place on users.
> So, I agree that isn't the solution.  I certainly want to see the user
> count on my OAuth apps page for the desktop apps I release.  Per-user
> consumer keys not only prevent Twitter from tracking the application, they
> also prevent the application developer from tracking it as well.
>
> Consider the consumer key and secret public for desktop apps.  They are.
>
>         -Marc


I don't even like the term "secret".  I'd prefer the term keypair.
