Not that I have a solution, but I just wanted to point out that your criticism of OAuth basically holds for just about all forms of client-side token solutions in some form or another. Folks like Adobe and Microsoft have invested a lot in DRM to try to solve this problem, but if there's motivation, nothing is really 100% secure — or 100% scalable.
The question is whether OAuth makes things better — and I think, generally it does. For a different take on your point, at least in the desktop case, your credentials can't be sold unless you sell the containing computer (see Twollow, for sale on Sitepoint for $1000, including its database with Twitter credentials: http://tr.im/twollow).

Lastly, for an example of someone who's doing something LIKE what you're talking about... check out Multiplex: http://multiplexapp.com/

From what I understand, every download is shipped with a unique key that can be upgraded for access to the full version of the app... In that way, the download itself has a new consumer key embedded in it. I don't know how this scales across multiple machines or reinstallations, but at least someone is doing it... it's from the folks at Indy Labs: http://labs.indyhall.org/

Chris

On Sun, Apr 12, 2009 at 10:57 PM, John Kristian <jmkrist...@gmail.com> wrote:
>
> I don't see how OAuth was designed for this. OAuth assumes that the
> consumer can keep a secret.
>
> If the consumer can't keep a secret, then the service provider can't
> really authenticate the consumer, and should inform the user of this
> fact. The user must decide whether to trust the consumer without help
> from the service provider.
>
> Why not just assume that the consumer secret won't be secret? All
> copies of the consumer would use the same consumer key and secret
> (baked into the software). Seems like this would fit better into a
> service provider's system for identifying consumers and users.
> Security would revolve around the access token and token secret. Each
> user/consumer pair would have its own access token and token secret.
> The service provider would enable a user to revoke her access tokens,
> e.g. in case they're stolen.
>
> Users sharing a computer complicates things. Can other users of the
> computer access my credentials (and abuse them)? As a rule, I
> wouldn't like other users to be able to revoke my access: they might
> abuse the privilege.

-- 
Chris Messina
Citizen-Participant & Open Web Advocate
factoryjoe.com // diso-project.org // vidoop.com
This email is: [ ] bloggable [X] ask first [ ] private
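As an added example, not code from this thread, the OAuth spec or any OAuth library, here is a small Python model of the design John describes in the quoted message: every installed copy of a desktop consumer carries the same baked-in consumer key and secret (so the model assumes an attacker has both), and security for each user/consumer pair rests on an access token and token secret that the service provider lets the user revoke. It builds the OAuth 1.0a HMAC-SHA1 signature as RFC 5849 describes it (the signing key is the encoded consumer secret, an ampersand, and the encoded token secret), then walks through the cases the thread raises: a legitimate request, a forgery by someone who holds the consumer secret and has seen the user's token on the wire but not the token secret, a replay of a captured request, and a request after the user revokes. The endpoint, consumer key/secret, user name and in-memory provider store are all constructed for illustration.

```python
"""Added example: OAuth 1.0a HMAC-SHA1 signing with a public consumer secret.

Illustration code for this page, not from the OAuth list, the spec or a library.
Endpoint, keys, user and the in-memory provider store are hypothetical.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

CONSUMER_KEY = "desktop-app"             # hypothetical; identical in every shipped copy
CONSUMER_SECRET = "not-really-a-secret"  # hypothetical; assumed extracted, i.e. public
URL = "https://api.example.com/1/statuses/update.json"  # hypothetical endpoint


def pct(s):
    """Percent-encode as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay unencoded."""
    return quote(str(s), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & enc(URL) & enc(sorted, encoded parameters)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalised)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed by enc(consumer_secret)&enc(token_secret).
    Once the consumer secret is public, the token secret is the only secret input."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def build_request(token, token_secret, status="hello"):
    """What one installed copy of the consumer sends on behalf of its user."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
        "status": status,
    }
    params["oauth_signature"] = sign("POST", URL, params, CONSUMER_SECRET, token_secret)
    return "POST", URL, params


class Provider:
    """Toy service provider: one access token per user/consumer pair, revocable."""

    def __init__(self):
        self.tokens = {}   # access token -> {"user", "secret", "revoked"}
        self.seen = set()  # (token, timestamp, nonce) triples already accepted

    def issue_access_token(self, user):
        token, secret = secrets.token_hex(16), secrets.token_hex(16)
        self.tokens[token] = {"user": user, "secret": secret, "revoked": False}
        return token, secret

    def revoke(self, user):
        """User-initiated revocation, e.g. after the machine holding the token is sold."""
        for rec in self.tokens.values():
            if rec["user"] == user:
                rec["revoked"] = True

    def verify(self, method, url, params):
        try:
            rec = self.tokens[params["oauth_token"]]
            ts = int(params["oauth_timestamp"])
            replay_key = (params["oauth_token"], ts, params["oauth_nonce"])
        except (KeyError, ValueError):
            return False
        if rec["revoked"]:
            return False
        if params.get("oauth_consumer_key") != CONSUMER_KEY:
            return False  # the key identifies the consumer; it does not authenticate it
        if abs(ts - int(time.time())) > 300 or replay_key in self.seen:
            return False
        expected = sign(method, url, params, CONSUMER_SECRET, rec["secret"])
        presented = str(params.get("oauth_signature", "")).encode()
        if not hmac.compare_digest(expected.encode(), presented):
            return False
        self.seen.add(replay_key)
        return True


def scenario():
    """Walk through the threat model from the thread and report each outcome."""
    provider = Provider()
    token, token_secret = provider.issue_access_token("alice")
    legit = provider.verify(*build_request(token, token_secret))
    # Attacker holds the (public) consumer key/secret and saw alice's oauth_token
    # on the wire, but not her token secret.
    forged = provider.verify(*build_request(token, "guessed-token-secret"))
    # Attacker replays a captured, validly signed request.
    captured = build_request(token, token_secret)
    first = provider.verify(*captured)
    replayed = provider.verify(*captured)
    # Alice revokes after her computer (and its baked-in copy) changes hands.
    provider.revoke("alice")
    after_revoke = provider.verify(*build_request(token, token_secret))
    return {"legit": legit, "forged": forged, "first": first,
            "replayed": replayed, "after_revoke": after_revoke}


if __name__ == "__main__":
    print(scenario())
```

The consumer key check in `verify` is deliberately not a security check: with the secret baked into every copy it only tells the provider which product is calling, which is all John's design asks of it. Everything the provider actually relies on is the per-user token secret, the nonce/timestamp replay cache, and the revocation flag.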