>> The subject does not want just **anybody** to verify his identity; he only
>> wants the **relying party** to be able to verify his identity.
> If I understand correctly, a URL signed using OAuth can be accessed
> successfully only once, because of the oauth-nonce parameter. Or at least, it
> is possible to implement such a restriction at the identity provider's end.
yup - that's the case. the nonce prevents the call from being used twice,
and you can't delay verification (to an extent) because the timestamp on the
signature will fall out of bounds.
Twitter Platform Team
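
A provider-side sketch of the nonce and timestamp check described in the reply above. This is an added example, not code from the thread or from Twitter; the `ReplayGuard` class, the 300-second window, and the sample request are assumptions, and the check is assumed to run only after the OAuth signature has verified.

```python
import time


class ReplayGuard:
    """Rejects signed requests that are replayed or presented too late."""

    def __init__(self, max_skew=300, clock=time.time):
        self.max_skew = max_skew  # assumed acceptance window, in seconds
        self.clock = clock        # injectable so the demo can move time
        self.seen = {}            # (consumer_key, timestamp, nonce) -> timestamp

    def check(self, consumer_key, params):
        now = self.clock()
        try:
            ts = int(params["oauth_timestamp"])
            nonce = params["oauth_nonce"]
        except (KeyError, ValueError):
            return "reject: missing or malformed timestamp/nonce"
        # Delayed verification fails here: the signed timestamp is too old.
        if abs(now - ts) > self.max_skew:
            return "reject: timestamp out of bounds"
        # Entries outside the window can be dropped, because a replay of
        # them would already fail the timestamp check above. This keeps
        # the nonce store bounded.
        self.seen = {k: t for k, t in self.seen.items()
                     if abs(now - t) <= self.max_skew}
        key = (consumer_key, ts, nonce)
        if key in self.seen:
            return "reject: nonce already used"
        self.seen[key] = ts
        return "accept"


def demo():
    fake_now = [1_000_000]
    guard = ReplayGuard(max_skew=300, clock=lambda: fake_now[0])
    # Constructed sample parameters from an already-verified signed URL.
    req = {"oauth_timestamp": "1000000", "oauth_nonce": "a1b2c3"}
    results = [guard.check("consumer-x", req)]      # first use
    results.append(guard.check("consumer-x", req))  # immediate replay
    fake_now[0] += 301                              # window has passed
    results.append(guard.check("consumer-x", req))  # late presentation
    return results


if __name__ == "__main__":
    print(demo())
```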