On Wed, 2010-09-08 at 11:09 -0700, Brion Vibber wrote:
> Clients connecting with a dummy key would be given the same level of
> trust as clients connecting with HTTP basic auth: we know they're acting
> on behalf of the user since they have his/her credentials, but we can't
> know for sure what software they are -- so eg the 'source' parameter
> saying 'Mustard' or 'StatusNet Mobile' could be faked, so we know we
> can't reliably use it to throttle or limit particular clients.
>
> Any thoughts?

I'm dubious; seems the opportunity for phishing is really high. I wonder if using OAuth 2.0, or a dynamic-key generation system like CCK would make more sense.

http://developer.yahoo.com/oauth/guide/create-consumer-key-guide.html

-Evan

________________________________________________________________________
Evan Prodromou, CEO StatusNet Inc.,
1124 rue Marie-Anne Est #32, Montreal, QC H2J 2T5
T: 438-380-4801 x101 C: 514-554-3826
W: http://evan.status.net/ E: [email protected]
