sknebel!tell aaronpk: re that oauth draft, details on how *exactly* one is supposed to verify the signature seems missing. I guess without it there is a small loss (no registered callback url, but at least same domain could still be enforced/warned about)
