On Sun, Jan 31, 2010 at 08:04, Josh Roesslein <jroessl...@gmail.com> wrote:

> I wonder if Twitter could provide developers with a URL for
> dynamically generating additional consumer tokens for their
> applications. When the user installs a new application it will contact
> the developer's server to download its own consumer key/secret. The
> developer's server will use its "master" consumer key/secret to post
> to the Twitter URL to fetch a new consumer key/secret. The consumer
> pair will then be sent to the application via a secure channel
> (HTTPS?) to prevent man in the middle attacks. The application will
> then use this new consumer pair to perform all signing of requests.
> Another option is to package the dynamically generated consumer pair
> in the application download package. Each new download will have its
> own unique consumer pair ready for use once the user has downloaded
> the application.

How is it better or more secure to have crackers misappropriate your sub
key to mimic your application instead of your primary key? They are still
pretending to be your application and users won't know any different. If
each sub key had its own listing on
https://twitter.com/account/connections then there would be some
differentiation, but then if users install an application five times it
would be listed five times.


Abraham Williams | Community Advocate | http://abrah.am
Project | Out Loud | http://outloud.labs.poseurtech.com
This email is: [ ] shareable [x] ask first [ ] private.
Sent from Seattle, WA, United States
