> I wonder if Twitter could provide developers with an URL for
> dynamically generating additional consumer tokens for their
> applications. When the user installs a new application it will contact
> the developer's server to download its own consumer key/secret. The
> developer's server will use its "master" consumer key/secret to post
> to the Twitter URL to fetch a new consumer key/secret. The consumer
> pair will then be sent to the application via a secure channel
> (HTTPS?) to prevent man in the middle attacks. The application will
> then use this new consumer pair to perform all signing of requests.
> Another option is to package the dynamically generated consumer pair
> in the application download package. Each new download will have its
> own unique consumer pair ready for use once the user has downloaded
> the application.

I like those ideas. They match up maintaining a consistent application
identity with better key security. The first one seems more workable.

------------------------------------ personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- I couldn't care less about apathy. -----------------------------------------

Reply via email to