You are looking at it wrong. (insert IANAL disclaimer here)
Yahoo! issues client credentials to a specific, authenticated user. That user has accepted our legal terms, which include not sharing those credentials with anyone else. If you break this agreement (which is a legally binding contract), and someone abuses Yahoo! or a Yahoo! user using those credentials, you are liable, and if Yahoo! gets sued, you are likely to get involved in this...

So while the legal agreement cannot stop you, it takes care of the risks Yahoo! cares about, which is liability and a way to protect our users within the framework the law allows.

EHL

On 3/26/09 12:15 PM, "Martin Atkins" <m...@degeneration.co.uk> wrote:

Allen Tom wrote:
> Martin Atkins wrote:
>> Indeed, but if for example I take the oauth consumer key and secret out
>> of the Movable Type FireEagle plugin and use it in my service then I can
>> use FireEagle without agreeing to the legal terms
>
> Sure, but the developer that was issued the CK had agreed to the terms,
> and is legally bound to them. For instance, the developer might have
> agreed to not be abusive, or to not use the CK for commercial purposes.
>

So if I use MT's key to be abusive, would Yahoo! shut off every MT instance that's using FireEagle and/or sue Six Apart? (Assuming, for the sake of this argument, that I'm not a Six Apart employee.)

As long as it's possible to make requests without agreeing to the terms -- which it quite obviously is -- the terms are worthless.

I'm not arguing that consumer credentials should be removed entirely -- they do clearly have value in situations where they can be kept secret -- but they ought to be used only in situations where a special level of access is granted, and the business agreement in that case should include a requirement that the credentials be kept secret.

Ultimately it's up to the user to make the final decision about whether to trust the calling application; it's not like allowing unregistered apps would create a security free-for-all.