On Sun, Jan 31, 2010 at 08:04, Josh Roesslein <[email protected]> wrote:
> I wonder if Twitter could provide developers with an URL for > dynamically generating additional consumer tokens for their > applications. When the user installs a new application it will contact > the developer's server to download its own consumer key/secret. The > developer's server will use its "master" consumer key/secret to post > to the Twitter URL to fetch a new consumer key/secret. The consumer > pair will then be sent to the application via a secure channel > (HTTPS?) to prevent man in the middle attacks. The application will > then use this new consumer pair to perform all signing of requests. > Another option is to package the dynamically generated consumer pair > in the application download package. Each new download will have its > own unique consumer pair ready for use once the user has downloaded > the application. > How is it better or more secure to have crackers misappropriated your sub key to mimic your application instead of your primary key? They are still pretending to be your application and users won't know any different. If each sub key had its own listing on https://twitter.com/account/connectionsthen there would be some differentiation but then if users install an application five times it would be listed five times. Abraham -- Abraham Williams | Community Advocate | http://abrah.am Project | Out Loud | http://outloud.labs.poseurtech.com This email is: [ ] shareable [x] ask first [ ] private. Sent from Seattle, WA, United States
