Re: [OAUTH-WG] Issue 15, new client registration

Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 23 July 2011 11:25 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E8E521F8747 for <oauth@ietfa.amsl.com>; Sat, 23 Jul 2011 04:25:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[AWL=0.149, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ksAkHuGbmPvZ for <oauth@ietfa.amsl.com>; Sat, 23 Jul 2011 04:25:01 -0700 (PDT)
Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de [80.67.31.100]) by ietfa.amsl.com (Postfix) with ESMTP id 3534521F873A for <oauth@ietf.org>; Sat, 23 Jul 2011 04:24:59 -0700 (PDT)
Received: from [79.253.42.18] (helo=[192.168.71.34]) by smtprelay05.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1QkaKH-0002Oh-E3; Sat, 23 Jul 2011 13:24:58 +0200
Message-ID: <4E2AAF88.4050807@lodderstedt.net>
Date: Sat, 23 Jul 2011 13:24:56 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <4E2740E9.5000209@lodderstedt.net> <4E274191.6020207@lodderstedt.net> <90C41DD21FB7C64BB94121FBBC2E72345021F377AA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <64930E85-923B-4811-8A6B-6A677B95F904@kiva.org> <90C41DD21FB7C64BB94121FBBC2E72345021F377C3@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72345021F377C3@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Content-Type: multipart/alternative; boundary="------------070203000907050103050900"
X-Df-Sender: torsten@lodderstedt-online.de
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Issue 15, new client registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jul 2011 11:25:03 -0000

Am 22.07.2011 23:49, schrieb Eran Hammer-Lahav:
>
> In many cases you can verify a public client using a registered 
> redirection URI.
>

I'm in doubt regarding "many". This kind of verification makes the 
assumption that the evildoer uses a web application which requires a 
correct refering to his site.

I think client secrets (or other authentication schemes) are much more 
effective way of verifiying client identities.

Or let me put it the other way around. If redirect uri verification is 
sufficient in many cases. Why do we need a client secret?

regards,
Torsten.

> EHL
>
> *From:*Skylar Woodward [mailto:skylar@kiva.org]
> *Sent:* Friday, July 22, 2011 2:46 PM
> *To:* Eran Hammer-Lahav
> *Cc:* Torsten Lodderstedt; OAuth WG
> *Subject:* Re: [OAUTH-WG] Issue 15, new client registration
>
> Looks like Torsten already has capture my suggestion which is also 
> what the Kiva documentation uses... Verifiable/Forgeable identity. 
>  It's precise and avoids making a statement about trust, etc.
>
> But only developers need such simple one-word classifications.  For 
> end users (e.g., people w/ accounts who approve access for an app) 
> we're be providing much more verbose explanations. For example. "This 
> application's identity has ben verified... still (caution, caution, 
> caution)"  or  "This application's identity cannot be verified. Only 
> approve this application if you absolutely trust the application or 
> link that sent you this page..."
>
> App users can't discern the significance of public vs. private 
> credentials.
>
> To me, public credentials are not credentials at all. Yet another term 
> to define. Better to be precise.
>
> Another option (and terminology we use to help developers) Can Keep 
> Secrets / Can't Keep Secrets.
>
> Attached screenshots in case anyone is interested in how this plays 
> out in real-world UI (vs. specs).
>
> On Jul 22, 2011, at 11:12 PM, Eran Hammer-Lahav wrote:
>
>
>
>
>
>
> -----Original Message-----
>
>     From: oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org>
>     [mailto:oauth-bounces@ietf.org]
>     <mailto:[mailto:oauth-bounces@ietf.org]> On Behalf
>
>     Of Torsten Lodderstedt
>
>     Sent: Wednesday, July 20, 2011 1:59 PM
>
>     To: OAuth WG
>
>     Subject: Re: [OAUTH-WG] Issue 15, new client registration
>
>     2.1 Client types
>
>     I'm struggeling with the new terminology of "private" and "public"
>
>     clients. In my perception, the text just distinguishes clients
>     which can be
>
>     authenticated and such which cannot. This is fine but I consider
>     the wording
>
>     misleading. I would suggest to change it to something like
>     trusted/untrusted
>
>     or authenticated/unauthenticated or Verifiable/Forgeable.
>
>
> I'm open to changing the names.
>
> I don't like trusted/untrusted because OAuth does not define trust. 
> The authenticated/unauthenticated pair is also not ideal because the 
> terms describe the outcome, not the nature of the client. As for 
> verifiable/forgeable, I think these terms are too complicated for a 
> casual reader.
>
> My intention with public/private is to identify the nature of the 
> client credentials. So a more verbose version would be 'public 
> credentials/private credentials'. This also works with 'code' instead 
> of 'credentials'.
>
> It's clear from the past year of discussions that we need terminology 
> to describe these two types.
>
> Any other suggestions?
>
> EHL
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
>