John Meyer wrote:
> okay, forgive me if I'm wrong, but wasn't the whole point of OAuth
> that the application didn't need to know the username/password?  That
> the user would grant access to the application and then the
> application would store that rather than the actual
> username/password.  Or am I missing the point of going to an OAuth
> system?
Yes, that's the point of OAuth.  However, the dynamics of a web-based
application vs. a desktop application complicate things.  If the user is
trusting an application to run natively on their desktop, that
application already has access to their username and password (it can
read them from config files, do a keyboard grab when it spawns the
browser, go snooping around in Firefox's memory space, any number of
things).  Thus, in the desktop application case, allowing the user to
input their username and password does not decrease security except
perhaps by not always enforcing "don't give away your password".  The
web case is different - a web site doesn't have the user's credentials
unless they explicitly provide them.

I'm ignoring for the present sandboxed or sandboxable environments such
as Java and AIR.  The runtime may prevent the local application from
having access to the username/password as used by other applications.

- Michael

-- 
mouse, n: A device for pointing at the xterm in which you want to type.
Confused by the strange files?  I cryptographically sign my messages.
For more information see <http://www.elehack.net/resources/gpg>.
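The grant-a-token-rather-than-a-password flow John describes, as an added example (Python code written for this thread, not from either message or from any OAuth library). The class names `AuthorizationServer` and `Application`, the user `alice`, her password and the scope strings are all constructed for the demonstration, and both parties run in one process instead of over HTTP. It shows what the separation buys in the web case Michael distinguishes: the site holds a scoped token, so access can be limited and revoked without the user changing the password; as Michael says, it does not stop a native desktop application that already controls the machine.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample user store for the hypothetical authorization server.
# Passwords are salted and hashed; the application never sees them.
SALT = b"constructed-salt"
USERS = {"alice": hashlib.sha256(SALT + b"correct horse battery staple").digest()}


@dataclass
class AuthorizationServer:
    """Hypothetical OAuth-style authorization server: it checks the password
    itself and hands the application only a scoped, revocable token."""
    codes: dict = field(default_factory=dict)   # one-time code -> (user, client_id, scope)
    tokens: dict = field(default_factory=dict)  # access token -> (user, scope)

    def login_and_authorize(self, username, password, client_id, scope):
        # Runs on the server's own login page in the user's browser.
        digest = hashlib.sha256(SALT + password.encode()).digest()
        if not hmac.compare_digest(USERS.get(username, b"\0" * 32), digest):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, client_id, frozenset(scope))
        return code  # returned to the application via redirect

    def exchange_code(self, code, client_id):
        if code not in self.codes:
            raise PermissionError("unknown or already-used code")
        user, issued_to, scope = self.codes.pop(code)  # one-time use
        if issued_to != client_id:
            raise PermissionError("code was issued to another client")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (user, scope)
        return token

    def call_api(self, token, needed_scope):
        if token not in self.tokens:
            raise PermissionError("unknown or revoked token")
        user, scope = self.tokens[token]
        if needed_scope not in scope:
            raise PermissionError(f"token lacks scope {needed_scope!r}")
        return f"{needed_scope} for {user}"

    def revoke(self, token):
        # Cuts off one application without touching the user's password.
        self.tokens.pop(token, None)


@dataclass
class Application:
    """The third-party site. The only credential it ever stores is the token."""
    client_id: str
    stored_token: Optional[str] = None

    def connect(self, server, code):
        self.stored_token = server.exchange_code(code, self.client_id)

    def fetch(self, server, needed_scope):
        return server.call_api(self.stored_token, needed_scope)


def authorize_in_browser(server, username, password, client_id, scope):
    """The user's browser talks to the authorization server directly; the
    application is not involved in this step and never sees the password."""
    return server.login_and_authorize(username, password, client_id, scope)


def run_flow():
    """Walk through grant, use, scope limit and revocation; returns the
    observations so they can be checked rather than only printed."""
    server = AuthorizationServer()
    app = Application(client_id="calendar-widget")
    code = authorize_in_browser(server, "alice", "correct horse battery staple",
                                app.client_id, {"calendar:read"})
    app.connect(server, code)
    granted = app.fetch(server, "calendar:read")
    try:
        app.fetch(server, "contacts:read")
        over_scope = "allowed"
    except PermissionError:
        over_scope = "denied"
    try:
        server.exchange_code(code, app.client_id)
        replay = "allowed"
    except PermissionError:
        replay = "denied"
    server.revoke(app.stored_token)
    try:
        app.fetch(server, "calendar:read")
        after_revoke = "allowed"
    except PermissionError:
        after_revoke = "denied"
    return {"granted": granted, "over_scope": over_scope, "replay": replay,
            "after_revoke": after_revoke,
            "app_has_password": app.stored_token == "correct horse battery staple"}


if __name__ == "__main__":
    print(run_flow())
```

The application's `stored_token` is the only thing it would persist to disk; the test of the design is that revoking that token is enough to lock the application out while every other login for `alice` keeps working.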

