by darklajid 5504 days ago
Which is the whole point of the argument:

OAuth makes sense for browser-based applications/access from one web application to another. It makes no sense for native apps, since those can still grab your credentials in a wide variety of ways.

If you agree with that, then you should see that the change from

"Choose xAuth or OAuth, based on preference and usage"

to

"Use OAuth unless you are the official Twitter client, whether it makes sense or not"

is questionable.


These two arguments are separate. A malicious app that steals credentials (wait, in Gruber's world these apps are vetted, right?) is going to steal credentials whether it uses xAuth or OAuth. A non-malicious app that uses xAuth could in theory be exploited to reveal credentials, whereas if it just used OAuth it wouldn't be an issue of the same magnitude. It is a security win. You can argue the magnitude of the win all you want.
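The difference the two comments are arguing about (what secret the app process has to handle, and what an attacker gets if that process is compromised) can be made concrete with a toy model of both flows. The following is an added illustration, not code from either commenter or from Twitter: a constructed in-memory provider issues HMAC-signed, scoped, revocable tokens; the xAuth-style client collects the username and password itself and trades them for a token, while the OAuth-style client only ever sees an authorization code and the resulting token. The account, signing key, and helper names (`xauth_client`, `oauth_client`, `leak_impact`) are all assumptions made for the example.

```python
"""Toy comparison of an xAuth-style and an OAuth-style authorization flow.

Constructed example: one in-memory provider, one sample account, two client
flows. It is not Twitter's implementation and says nothing about any real
app; it only shows which secret each client process has to handle and what
the provider can do about a leak afterwards.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# --- constructed identity-provider state ------------------------------------
_USERS = {"alice": "correct horse battery staple"}   # sample account (constructed)
_SIGNING_KEY = secrets.token_bytes(32)               # per-process, constructed
_ISSUED: dict = {}          # token -> {"user", "scope", "expires"}
_REVOKED: set = set()
_PENDING_CODES: dict = {}   # one-time authorization code -> (user, scope)


def _check_password(user: str, password: str) -> bool:
    stored = _USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


def issue_token(user: str, scope: str, ttl: int = 3600) -> str:
    """Issue an HMAC-signed, scoped, expiring access token."""
    payload = f"{user}:{scope}:{secrets.token_hex(8)}"
    sig = hmac.new(_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    token = f"{payload}.{sig}"
    _ISSUED[token] = {"user": user, "scope": scope, "expires": time.time() + ttl}
    return token


def verify_token(token: str) -> Optional[dict]:
    """Return the token's claims, or None if unknown, forged, expired or revoked."""
    meta = _ISSUED.get(token)
    if meta is None or token in _REVOKED or meta["expires"] < time.time():
        return None
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return meta if hmac.compare_digest(sig, expected) else None


def revoke_token(token: str) -> None:
    """Provider-side kill switch: the token stops working, the password does not change."""
    _REVOKED.add(token)


# --- xAuth-style flow: the app itself collects and sends the password --------
def xauth_exchange(user: str, password: str, scope: str) -> Optional[str]:
    """Provider side: trade username/password directly for a token."""
    return issue_token(user, scope) if _check_password(user, password) else None


def xauth_client(user: str, password: str, scope: str = "read") -> dict:
    """Client side: everything this process saw while logging in."""
    token = xauth_exchange(user, password, scope)
    # The plaintext password passed through the app's memory and network code;
    # a bug there (logging, crash dump, insecure storage) exposes the password.
    return {"user": user, "password": password, "token": token}


# --- OAuth-style flow: the password is only ever typed at the provider ------
def oauth_authorize(user: str, password: str, scope: str) -> Optional[str]:
    """Provider side (the browser page): authenticate the user, hand back a code."""
    if not _check_password(user, password):
        return None
    code = secrets.token_urlsafe(16)
    _PENDING_CODES[code] = (user, scope)
    return code


def oauth_exchange(code: str) -> Optional[str]:
    """Provider side: one-time exchange of the code for a scoped token."""
    entry = _PENDING_CODES.pop(code, None)
    return issue_token(*entry) if entry else None


def oauth_client(code: str) -> dict:
    """Client side: the app only ever handles the code and the token."""
    return {"token": oauth_exchange(code)}


# --- what a compromise of the client's stored state yields ------------------
def leak_impact(client_store: dict) -> dict:
    """Summarise what someone who reads the client's state ends up holding."""
    has_password = "password" in client_store
    token = client_store.get("token")
    claims = verify_token(token) if token else None
    return {
        "password_exposed": has_password,
        "token_scope": claims["scope"] if claims else None,
        # A token can be killed server-side; a password stays valid until the
        # user changes it, and may be reused on other sites.
        "revocable_without_user_action": not has_password,
    }
```

Running both flows against the same account shows the point the reply makes about magnitude: the xAuth-style client's state contains the password, the OAuth-style client's state contains only a scoped token, and after `revoke_token` the token is dead while the password still authenticates (so a leaked token is contained by the provider, a leaked password only by a password change).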