I wholeheartedly agree with Jesse.  IF users spread misinformation
about 3rd party apps that request passwords ALL being evil then we are
all in the same sinking boat.

OAuth is one part of the solution, enabling service authentication.  It
made me wonder whether Twitter will also add support for OpenID for better
user authentication.  Better still, will Twitter offer a "Twitter
Connect" service like Facebook Connect and Google Friend Connect? As a
3rd party developer we could support Twitter Connect to authenticate
the user and then use OAuth for the service(s).

Personally I would like to offer my users the option to authenticate
with their preferred ID service - see http://www.janrain.com/products/rpx
- and then use OAuth to request access to their services. The one
thing that prevents me using RPX or creating my own version of the
service is the lack of Twitter support for OpenID.

Scenario:  User logs in via Google Friend Connect to our service. I
now have an authenticated user, but how do I associate them with their
Twitter account? Today I would still need them to give me their
username/password, but when/if OAuth via Twitter existed I could
request authorisation to their Twitter account and any other services
they use that support OAuth.
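The authorisation step in the scenario above is what OAuth 1.0 (RFC 5849) provides: the third-party app signs its request-token call with its own consumer secret, and the user's Twitter password never passes through the app. The Python sketch below of that signing and of the provider-side check is an added example, not code from this thread or from Twitter; the host api.example.net, the secrets and the request values are constructed placeholders.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    # RFC 5849 percent-encoding: only unreserved characters stay bare.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Signature base string: METHOD & encoded base URL & encoded sorted params.
    # Query-string parameters count as request parameters too.
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    merged = dict(parse_qsl(parts.query, keep_blank_values=True))
    merged.update(params)
    pairs = sorted((pct(k), pct(v)) for k, v in merged.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret"; the request-token
    # step has no token yet, so the key ends in a bare "&".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def sign_request(method, url, oauth_params, consumer_secret, token_secret=""):
    # Consumer (third-party app) side: attach the signature; no user password involved.
    params = dict(oauth_params, oauth_signature_method="HMAC-SHA1")
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params

def verify(method, url, params, consumer_secret, token_secret=""):
    # Provider side: recompute from the consumer's secret and compare in constant
    # time; a tampered parameter, changed method or wrong secret all fail.
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(params.get("oauth_signature", ""), expected)

# Constructed sample: the first leg of the flow, a request-token call.
# "api.example.net", the secret and the request values are placeholders.
URL = "https://api.example.net/oauth/request_token"
CONSUMER_SECRET = "placeholder-consumer-secret"
REQUEST = {"oauth_consumer_key": "cons-key", "oauth_nonce": "abc123",
           "oauth_timestamp": "1231156320", "oauth_callback": "http://printer.example/ready"}

def request_token_roundtrip():
    # Returns True when the provider accepts the app's signed request.
    signed = sign_request("POST", URL, REQUEST, CONSUMER_SECRET)
    return verify("POST", URL, signed, CONSUMER_SECRET)
```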



On Jan 5, 8:32 am, "Jesse Stay" <jesses...@gmail.com> wrote:
> On Sun, Jan 4, 2009 at 11:20 PM, Alex Payne <a...@twitter.com> wrote:
>
> > Getting worked up into hysterics about boycotts is just, as security
> > expert Bruce Schneier is fond of saying, "security theater". It's the
> > equivalent of an apartment building's tenants telling their landlord
> > they refuse to use keys because someone's place got broken into.
>
> Alex, sorry, but this is more than just security - this is getting ready to
> put a whole lot of businesses out of business, thanks to the lack of such a
> mechanism.  Regardless of whether it's the solution or not (I still argue it
> would have helped), if users boycott, our apps don't get used.  If our apps
> stop getting used, Twitter stops getting used.  There are entire groups of
> users out there right now asking what apps could be the culprit.  I've heard
> some mention my app.  I've heard others mention TweetDeck.  I've heard some
> mention Twhirl.  All these apps, whether they have any chance of being the
> culprit (I realize they don't, but your users don't have any way of knowing
> - all these apps collected their passwords), all have the chance of getting
> cut off of Twitter here real soon by the users if something isn't done.
> Didn't you guys say at one point the majority of your traffic comes from the
> API?  This is more than just not using keys - this is about telling the
> landlord you won't pay them for the month because they refuse to install
> locks.
>
> This issue is huge for us as developers, and I don't sense that urgency from
> Twitter.
>
> Jesse