On Wed, Feb 11, 2015 at 5:07 AM, This, that and the other at.light@live.com.au wrote:
How does a user prove that they're using a particular tool in a way that can't be faked? Something like OAuth comes to mind. All edits made via an OAuth consumer are already tagged with a unique tag, and I would assume that it is not possible to falsely represent an OAuth consumer.
This is usually correct -- right now we discourage what OAuth2 calls "public consumers": apps where the shared secret we set up with the app owner can't really be considered private, e.g., it's embedded in code that is actually running on the end user's device, either a native application or a rich JavaScript application. But it's really just a discouragement, and we leave it up to the app owner if they want to set up things like IP whitelisting, for IPs that are allowed to use their secret.
I've been thinking that we might implement a flag to mark some apps as public (Petr has been wanting to use it for huggle since the beginning), but taking the opposite approach and flagging some as "known private", where we've verified the owner is intending to keep the secret private, and we've limited its use to a very small number of IPs, might make more sense. Then we could flag the ones where this assumption holds.
I'm not sure whether this could work for common tools like AWB or Twinkle, though:
- I don't know whether OAuth works for client-side downloadable programs like AWB.
- JavaScript tools edit as the user from the user's browser, and as such, OAuth is not relevant to them. In any case, anything they do (like adding a specific string to edit summaries, adding a tag to their edits, or the like) can be easily spoofed or faked by a tech-savvy user.
So like I said, it's just by peer pressure right now. If anyone has strong opinions about it, let me know.
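An added illustration of the "known private" idea discussed above (not code from this thread or from MediaWiki's OAuth extension): a toy server-side check where a consumer's OAuth 1.0a-style HMAC-SHA1 signature is verified, and consumers flagged as known-private are additionally restricted to a hypothetical CIDR allowlist. The consumer registry, secrets and networks are all constructed for the example.

```python
import base64
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed consumer registry (hypothetical; not the real extension's data model).
@dataclass
class Consumer:
    key: str
    secret: str
    known_private: bool = False                       # owner verified to keep the secret off user devices
    allowed_nets: List[str] = field(default_factory=list)  # CIDRs permitted to use the secret

REGISTRY = {
    # A server-side bot whose owner keeps the secret on one host range.
    "confidential-bot": Consumer("confidential-bot", "s3cr3t-bot", True, ["203.0.113.0/24"]),
    # A desktop tool that ships its secret inside the binary: a "public consumer".
    "desktop-tool": Consumer("desktop-tool", "shipped-in-binary"),
}

def sign(secret: str, base_string: str) -> str:
    """HMAC-SHA1 over a request base string, OAuth 1.0a style (simplified: empty token secret)."""
    mac = hmac.new((secret + "&").encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify_request(consumer_key: str, base_string: str, signature: str,
                   source_ip: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Only known-private consumers get an IP restriction."""
    consumer = REGISTRY.get(consumer_key)
    if consumer is None:
        return False, "unknown consumer"
    if not hmac.compare_digest(sign(consumer.secret, base_string), signature):
        return False, "bad signature"
    if consumer.known_private:
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in ipaddress.ip_network(net) for net in consumer.allowed_nets):
            return False, "known-private consumer used from unlisted IP"
        return True, "verified private consumer"
    # A valid signature from a public consumer only proves possession of a secret
    # anyone can extract from the shipped code, so the edit tag is not proof of tool use.
    return True, "public consumer: tag is not proof of tool use"
```

The point of the last branch is that signature verification cannot distinguish the real desktop tool from anyone who pulled the secret out of it; only the IP-restricted, known-private path gives the tag evidential weight.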