On Sun, Jan 31, 2010 at 1:36 PM, Isaiah Carew <isa...@me.com> wrote:
> Also, I think you have it right, that distribution of the source sans keys
> and the binary with keys is the way to go.  I completely agree that it's the
> obvious practical solution.  It's the one that took myself for my OSS OAuth
> code.

I'm not convinced that distributing *any* oAuth capability to end
users, even in binary form - even in a form where said binary
interfaces in secure ways with the underlying desktop / mobile ways to
persist the consumer key and secret - is the "way to go". I personally
think the "way to go" is to deploy applications as servers with the
thinnest possible client imaginable. If ChromeOS netbooks actually
existed today, that's what I'd be building - servers that interacted
with Twitter on behalf of users with ChromeOS netbooks.

Given what I know now about oAuth, I'm not planning on releasing any
oAuth desktop applications. I never *was* planning mobile ones - the
kind of processing I have in mind flat out can't be done on a mobile,
so I'd have to have a server anyway to deploy to mobile users.

> I'd say its a pretty reasonable bet that one of the major desktop clients
> will be compromised within a year or so of implementing OAuth -- and will
> probably result in a lot of user frustration.  It seems like their will be
> ample motivation and little to prevent them.
> Only time will tell, you're free to come and laugh at me if it doesn't
> happen.  Bookmark this email, we'll check back in 18 months.  ;-)
> Isaiah

Well ... the motivation is there now, with or without oAuth. And oAuth
doesn't make it *easier* to compromise a desktop application. As far
as desktop "user frustration" is concerned, though, there are so many
other sources of desktop user frustration already - botnets, weekly
virus scans that take hours, browser vulnerabilities, 15-30 minute
waits before the machine is "open for business", and, of course, the
hundreds of dollars one pays per year for just a license to use the
desktop software - that I think a compromised Twitter desktop platform
isn't going to get much attention unless it does something really
nasty, like a DDOS against Twitter.

M. Edward (Ed) Borasky

"I've always regarded nature as the clothing of God." ~Alan Hovhaness

Reply via email to