On 9/1/2010 7:47 PM, Julio Biason wrote:
> OAuth certainly makes sense as a model for "never type your password in some weird site 'cause you don't know, when they say that they couldn't connect to Twitter, whether it's really that or they are just storing your login and password to abuse the ecosystem". The whole problem with it is the revocation of keys when it's believed that the app is not behaving properly because one single point abuses it. In that case, the point should be blocked, not the application itself.
Now on that point I can agree, and the revocation model should give application designers the chance to prove that they deserve the benefit of the doubt. How you do that while letting Twitter run a secure system is the problem. In terms of Open Source applications, perhaps there could be some sort of "verification" process for applications to submit their source code (not an approval process per se). Verified apps would be given the benefit of the doubt and the individual users would be shut down (or at least the authentications for those individual users).
--
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: http://groups.google.com/group/twitter-development-talk?hl=en
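The two revocation granularities the thread argues about (block the abusing "point", i.e. one user's access token, versus block the application's consumer key) can be made concrete with a small OAuth 1.0a resource-server check. The following is an added example written for this page, not code from either poster or from Twitter; it implements HMAC-SHA1 request signing per RFC 5849 and a token store that can revoke either a single access token or a whole consumer key. The consumer key, secrets, tokens, host and timestamp are constructed values.

```python
# Added example (not from the thread): minimal OAuth 1.0a resource-server check
# with revocation at two granularities, the consumer key (the whole application)
# and a single access token (one user's authorization of that application).
# Keys, secrets, hosts, nonces and tokens below are constructed for illustration.
import base64
import hashlib
import hmac
import urllib.parse


def percent_encode(value: str) -> str:
    # RFC 5849 3.6: unreserved characters (ALPHA, DIGIT, '-', '.', '_', '~') stay
    # as-is; everything else becomes an upper-case %XX escape.
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # RFC 5849 3.4.1: METHOD & enc(URL) & enc(sorted "k=v" pairs, each k and v encoded).
    # oauth_signature itself is never part of the signed material.
    pairs = sorted((percent_encode(k), percent_encode(v))
                   for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret) -> str:
    # RFC 5849 3.4.2: key = enc(consumer_secret) & enc(token_secret), base64 of the MAC.
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def sign_request(method, url, params, consumer_secret, token_secret) -> dict:
    # Client side: copy of params with oauth_signature attached.
    signed = dict(params)
    signed["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return signed


class OAuthTokenStore:
    """Server side: consumer keys and per-user access tokens, each revocable separately."""

    def __init__(self):
        self.consumers = {}  # consumer_key -> {"secret", "revoked"}
        self.tokens = {}     # access_token -> {"secret", "consumer", "user", "revoked"}

    def add_consumer(self, key, secret):
        self.consumers[key] = {"secret": secret, "revoked": False}

    def add_token(self, token, secret, consumer_key, user):
        self.tokens[token] = {"secret": secret, "consumer": consumer_key, "user": user, "revoked": False}

    def revoke_consumer(self, key):
        self.consumers[key]["revoked"] = True   # every user of the app is locked out

    def revoke_token(self, token):
        self.tokens[token]["revoked"] = True    # only this user's authorization is cut

    def verify(self, method, url, params):
        """Return (accepted, reason); reason is the user name on success."""
        consumer = self.consumers.get(params.get("oauth_consumer_key", ""))
        token = self.tokens.get(params.get("oauth_token", ""))
        if consumer is None or token is None or token["consumer"] != params["oauth_consumer_key"]:
            return False, "unknown consumer key or access token"
        expected = hmac_sha1_signature(method, url, params, consumer["secret"], token["secret"])
        # Signature first, in constant time: only a correctly signed caller learns revocation state.
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False, "bad signature"
        if consumer["revoked"]:
            return False, "consumer key revoked (whole application blocked)"
        if token["revoked"]:
            return False, f"access token revoked (only {token['user']} blocked)"
        return True, token["user"]


def demo():
    """Constructed scenario: one app, two users; revoke the abuser, then the app."""
    store = OAuthTokenStore()
    store.add_consumer("app-key-abc", "app-secret-abc")
    store.add_token("tok-alice", "sec-alice", "app-key-abc", "alice")
    store.add_token("tok-mallory", "sec-mallory", "app-key-abc", "mallory")
    url = "https://api.example.test/1/statuses/update.json"

    def request(token, secret, status):
        params = {"oauth_consumer_key": "app-key-abc", "oauth_token": token,
                  "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1283381220",
                  "oauth_nonce": "c0ffee01", "oauth_version": "1.0", "status": status}
        return sign_request("POST", url, params, "app-secret-abc", secret)

    alice = request("tok-alice", "sec-alice", "hello from alice")
    mallory = request("tok-mallory", "sec-mallory", "buy cheap followers!")
    forged = dict(mallory, status="buy even cheaper followers!")  # edited after signing

    results = {"alice_before": store.verify("POST", url, alice)[0],
               "forged": store.verify("POST", url, forged)[1]}
    store.revoke_token("tok-mallory")       # block the abusing "point" only
    results["mallory_after_token_revoke"] = store.verify("POST", url, mallory)[0]
    results["alice_after_token_revoke"] = store.verify("POST", url, alice)[0]
    store.revoke_consumer("app-key-abc")    # block the whole application
    results["alice_after_consumer_revoke"] = store.verify("POST", url, alice)[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Revoking Mallory's token leaves Alice's requests through the same application working, while revoking the consumer key cuts off both. A production check would additionally reject stale `oauth_timestamp` values and replayed `oauth_nonce` values, which this example omits.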