The Windows Registry is NOT "secure" -- it is at best "obscure."
Is it a good place to store information? Maybe. Matter of opinion. Consider a secured machine datastore as well. However anyone with physical access to the machine has everything they need to access anything they want, given a little patience and tech skill.

Why do you need a "secure" location for a user token? It's just the user who has access, right? Or are you referring to your application's key, and not the user key? If so, there's really no good way to secure that with current iterations of OAuth. The mechanism is fallible for desktop apps. 2.0 may address some of that.

∞ Andy Badera
∞ +1 518-641-1280 Google Voice
∞ This email is: [ ] bloggable [x] ask first [ ] private
∞ Google me: http://www.google.com/search?q=andrew%20badera

On Thu, Apr 15, 2010 at 10:43 AM, Rich <richard.frain...@gmail.com> wrote:
> My question is similar to this post
> <http://groups.google.com/group/twitter-development-talk/browse_thread/thread/5d37e76f8efed028/2052210d4cd2bcea?lnk=gst&q=token#2052210d4cd2bcea>.
>
> I am using TweetSharp 1.0 with a WPF 3.0 C# application.
>
> I request that the user allow the desktop application to update their
> status at certain times in our application workflow. If the user
> grants permission, I store the access token and access token secret in
> the registry for use in future sessions.
>
> I could encrypt the token secret before persisting in the registry,
> and decrypt before using in my call to Twitter, but the encryption key
> would still be in the desktop application. This seems a bit better
> than not encrypting the token secret, but is the gain in security
> significant?
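
An added example, not code from either poster: the token secret from the quoted question is protected with Windows DPAPI (`ProtectedData`, `CurrentUser` scope) before it is written to the registry, so no encryption key ships inside the application. The key path, value name, entropy string and sample secret are hypothetical; any code running as the same Windows user can still unprotect the value, so this limits exposure to other accounts and offline copies of the hive rather than to the user.

```csharp
using System;
using System.Security.Cryptography;   // ProtectedData (reference System.Security.dll)
using System.Text;
using Microsoft.Win32;

static class TokenStore
{
    // Hypothetical key path and value name, chosen for this example.
    const string KeyPath = @"Software\ExampleApp\Twitter";
    const string ValueName = "AccessTokenSecret";

    // Extra entropy bound into the DPAPI blob. It is not a secret: it ships
    // in the binary, so it only separates this blob from other DPAPI data.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp.Twitter.v1");

    public static void Save(string tokenSecret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(tokenSecret);
        // DPAPI derives the key from the logged-on user's credentials.
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plain, 0, plain.Length);
        using (RegistryKey key = Registry.CurrentUser.CreateSubKey(KeyPath))
        {
            key.SetValue(ValueName, blob, RegistryValueKind.Binary);
        }
    }

    public static string Load()
    {
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(KeyPath))
        {
            byte[] blob = key == null ? null : key.GetValue(ValueName) as byte[];
            if (blob == null) return null;            // nothing stored yet
            try
            {
                byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
                return Encoding.UTF8.GetString(plain);
            }
            catch (CryptographicException)
            {
                return null;   // blob modified, or written under another user profile
            }
        }
    }

    static void Main()
    {
        Save("constructed-sample-token-secret");      // constructed sample value
        Console.WriteLine(Load() == "constructed-sample-token-secret");
    }
}
```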