On 6/27/05, Brion Vibber brion@pobox.com wrote: ...
quite an interesting problem. And I don't think there is "The Solution" that you are all hoping for. It sounds a little bit like the problem of distributing keys in any encryption technology, but actually it is way worse than that. Any key, user-agent string, or other authentication method would have to be written down somewhere in the source code of the application that is using the API. And since one of the primary aims of the API is going to be open source applications, everything "hidden" in the source code is publicly accessible. So whatever the method is for an application to say "Hi, it's really me!", it can be copied, thus another application can fake it.
It would work with closed source applications, but offering the API only to closed source applications isn't really an option.
So, there isn't any way to identify the individual applications. But there is a way to identify the individuals who are using the application which is using the API. Why do you want to block the application? Just limit the use of the API to 1000 accesses an hour by IP address (replace with different numbers as you see fit). That blocks any application that is misbehaving.
OK, it would also block any other application that runs on the same machine (or over the same proxy), but I think that is acceptable if it's to keep the whole thing running.
There could also be an option to still have user-agent strings, and limit the access by application (a low number) and have an overall limit (a reasonably larger number). That would keep one application from stopping all other access, but also protect against any misbehaving application that changes user-agent strings.
Hmmm... that sounds too easy... what did I miss? :-)
Regards,
Henning Jungkurth
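The two-tier scheme sketched in the message above, as an added example (not MediaWiki code and not from the original thread): a fixed-window counter with a low cap per (IP, User-Agent) pair and a larger cap per IP, so that one app exhausting its own quota does not starve another app behind the same proxy, while a client that rotates its User-Agent still runs into the per-IP cap. The limits, window length, IP addresses and agent strings are constructed placeholders.

```python
from collections import defaultdict


class ApiRateLimiter:
    """Two-tier fixed-window limiter: a low per-(IP, User-Agent) cap plus a
    larger per-IP cap. Constructed example; the numbers are placeholders."""

    def __init__(self, per_app_limit=100, per_ip_limit=1000, window_seconds=3600):
        self.per_app_limit = per_app_limit
        self.per_ip_limit = per_ip_limit
        self.window = window_seconds
        self.app_counts = defaultdict(int)  # (window, ip, user_agent) -> hits
        self.ip_counts = defaultdict(int)   # (window, ip) -> hits

    def allow(self, ip, user_agent, now):
        """Return (allowed, reason); `now` is a Unix timestamp in seconds."""
        win = int(now // self.window)
        ip_key = (win, ip)
        app_key = (win, ip, user_agent)
        # The per-IP cap is checked first, so changing the User-Agent string
        # on every request cannot buy a client more than per_ip_limit hits.
        if self.ip_counts[ip_key] >= self.per_ip_limit:
            return False, "ip-limit"
        if self.app_counts[app_key] >= self.per_app_limit:
            return False, "app-limit"
        self.ip_counts[ip_key] += 1
        self.app_counts[app_key] += 1
        return True, "ok"


def simulate_rotating_agent(limiter, ip, requests, now=0.0):
    """A misbehaving client that sends a fresh User-Agent on every request.
    Returns how many of its requests were served within the window."""
    served = 0
    for i in range(requests):
        ok, _ = limiter.allow(ip, f"rotating-client/{i}", now)
        served += ok
    return served


def simulate_two_apps(limiter, ip, now=0.0):
    """Two well-behaved apps sharing one IP (same NAT or proxy). The first
    overruns its per-app cap; the second is still served because the
    overall per-IP cap is far from exhausted."""
    first = sum(limiter.allow(ip, "app-A/1.0", now)[0] for _ in range(200))
    second = sum(limiter.allow(ip, "app-B/1.0", now)[0] for _ in range(50))
    return first, second
```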