> > > Another hunch: desktop apps are negligible and the real load comes
> > > from web apps that spider asynchronously 24/7. Should the load be
> > > differentiated across client and web apps? Client apps are typically
> > > only one user per device at a time, whereas the web app may be
> > > spidering on behalf of who knows how many people.
> >
> > The problem here is distinguishing the two. OAuth doesn't (and I was
> > told this by one of the people on the OAuth committee) specifically
> > allow you to unambiguously and securely identify an application just
> > because it has a certain app key, and Twitter's Basic Auth implementation
> > uses source keys pretty much purely cosmetically.
> 
> Not really that hard to distinguish between 5 IPs making 20k API hits and
> 20k IPs making 5 API hits each...

But it's not a guaranteed one either. Also, it doesn't allow you to
distinguish between equally popular services, one of which might be kosher
and the other not.

-- 
------------------------------------ personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- BOND THEME NOW PLAYING: The James Bond Theme from "Dr. No" -----------------
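
The IP-spread heuristic discussed in this thread, as an added example that is not part of the original messages: it profiles API hits per source key by how they are spread across IPs, and shows the limitation raised in the reply, that two equally popular web services produce the same profile. The log format, key names, addresses and the threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

def profile(log):
    """Summarise hits per source key from (source_key, ip) pairs, one per API hit."""
    per_key = defaultdict(Counter)
    for key, ip in log:
        per_key[key][ip] += 1
    return {
        key: {"hits": sum(ips.values()), "ips": len(ips),
              "hits_per_ip": sum(ips.values()) / len(ips)}
        for key, ips in per_key.items()
    }

def classify(stats, heavy_per_ip=1000):
    """Assumed threshold: many hits from each of a few IPs looks like a server-side spider."""
    return "web-app-like" if stats["hits_per_ip"] >= heavy_per_ip else "desktop-like"

def sample_log():
    """Constructed traffic; the source key is self-reported, so grouping by it is an assumption."""
    log = []
    for i in range(2000):                      # desktop client: 2000 IPs x 5 hits
        log += [("desktop_client", f"10.{i // 256}.{i % 256}.1")] * 5
    for n in range(5):                         # two web services: 5 IPs x 4000 hits each
        log += [("web_a", f"192.0.2.{n}")] * 4000
        log += [("web_b", f"198.51.100.{n}")] * 4000
    return log

if __name__ == "__main__":
    for key, stats in sorted(profile(sample_log()).items()):
        print(key, stats, classify(stats))
```

`web_a` and `web_b` come out with identical profiles, so the split separates client-style from server-style traffic but says nothing about which service is legitimate.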
