Comparison with OpenID at this stage is not that relevant because while OAuth protects real data and resources, OpenID at most reveals some silly information about you (SREG). So it is ok to let the user decide how they share some minimal set of data about them, read only, and without updates. Not so much when you can access their electronic wallet...

EHL

On 3/26/09 1:58 PM, "Martin Atkins" <m...@degeneration.co.uk> wrote:

Eran Hammer-Lahav wrote:
> You are looking at it wrong.
>
> (insert IANAL disclaimer here)
>
> Yahoo! issues client credentials to a specific, authenticated user. That
> user has accepted our legal terms which include not sharing those
> credentials with anyone else. If you break this agreement (which is a
> legally binding contract), and someone abuses Yahoo! or a Yahoo! user
> using those credentials, you are liable and if Yahoo! gets sued, you are
> likely to get involved in this...
>
> So while the legal agreement cannot stop you, it takes care of the risks
> Yahoo! cares about which is liability and a way to protect our users
> within the framework the law allows.
>

If the Yahoo! developer agreement prohibits sharing the consumer credentials then I have no problem with that, since Yahoo! is effectively saying that desktop apps are not allowed, which is fine.

All I'm arguing is that if you're going to allow desktop apps (in other words, if you're going to allow app developers to share their consumer credentials with third parties) then you might as well not require consumer credentials at all, since at that point they are providing no value.

There is also the issue that requiring application pre-registration prevents OpenID-style ad-hoc service discovery, which is actually what I care more about. The OpenID model is to trust the user to make the call about whether they trust the consumer, but I'll concede that some people consider this model to be flawed because the user is somehow unfit to make this decision.

You received this message because you are subscribed to the Google Groups "OAuth" group.