> > > Another hunch: desktop apps are negligible and the real load comes
> > > from web apps who spider asynchronously 24/7. Should the load be
> > > differentiated across client and web apps? Client apps are typically
> > > only one user per device at a time, whereas the web app may be
> > > spidering on behalf of who knows how many people.
> >
> > The problem here is distinguishing the two. OAuth doesn't (and I was
> > told this by one of the people on the OAuth committee) specifically
> > allow you to unambiguously and securely identify an application just
> > because it has a certain app key, and Twitter's Basic Auth implementation
> > uses source keys pretty much purely cosmetically.
>
> Not really that hard to distinguish between 5 IPs making 20k API hits and
> 20k IPs making 5 API hits each...

But it's not a guaranteed one either. Also, it doesn't allow you to distinguish
between equally popular services, one which might be kosher and the other not.

--
------------------------------------ personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- BOND THEME NOW PLAYING: The James Bond Theme from "Dr. No" -----------------
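The IP-distribution heuristic discussed in this thread, and the limits raised in the reply, as an added example that is not part of the original messages. The source keys, addresses, the 1000-hits-per-IP threshold and the shared-NAT case are constructed assumptions, not Twitter API behaviour.

```python
from collections import Counter, defaultdict

def profile(requests):
    """Group (source_key, ip) records into per-source hit counts per IP."""
    per_source = defaultdict(Counter)
    for source, ip in requests:
        per_source[source][ip] += 1
    return per_source

def shape(ip_hits):
    """Traffic shape: (distinct IPs, total hits, mean hits per IP)."""
    total = sum(ip_hits.values())
    return len(ip_hits), total, total / len(ip_hits)

def classify(ip_hits, min_mean_hits=1000):
    """Label a source from shape alone; the threshold is an assumed value."""
    _, _, mean = shape(ip_hits)
    return "server-side" if mean >= min_mean_hits else "distributed-clients"

def constructed_log():
    """Constructed traffic; source keys and addresses are made up."""
    log = []
    # Two web apps, each 5 IPs making 20k hits apiece.
    for source, net in (("webapp-a", "192.0.2"), ("webapp-b", "198.51.100")):
        for host in range(1, 6):
            log += [(source, f"{net}.{host}")] * 20000
    # One desktop client: 20k IPs making 5 hits each.
    for n in range(20000):
        log += [("desktop-c", f"10.0.{n // 256}.{n % 256}")] * 5
    # Desktop users sharing one NAT address (assumed case).
    log += [("desktop-nat", "203.0.113.7")] * 5000
    return log

def report(requests):
    """Return {source_key: (label, distinct_ips, total_hits)}."""
    out = {}
    for source, ip_hits in profile(requests).items():
        ips, total, _ = shape(ip_hits)
        out[source] = (classify(ip_hits), ips, total)
    return out

if __name__ == "__main__":
    for source, row in sorted(report(constructed_log()).items()):
        print(source, *row)
```

The two web apps produce identical rows, so traffic shape alone cannot say which one is legitimate, and the NAT'd desktop users are labelled server-side.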