> oauth. the caveat is that i stated that xauth will not be allowed for "web > applications", but i can think of a few creative ways around that.
Raffi, I assume that would be as a general rule for day-to-day operations of web apps. But, for web apps you are still going to allow the one-time bulk conversion of existing users with xauth, correct?