If it were a phishing scam, I'd still have to give the phisher a thumbs up for using sproutcore & CSS3 techniques on the site. There's a significant amount of javascript for a phishing page.

Indeed. A site asking for my apple.com password that isn't apple.com? No thanks.

You'd think oauth would just be part of implementing logins, and apple wouldn't be encouraging people to give their passwords to other sites.

It looks good to me, but don't just take my word for it [1].

[1] http://img833.imageshack.us/img833/6318/looksgood.png

Yes. http://news.cnet.com/8301-13579_3-20068165-37.html