Re: [OAUTH-WG] Client Instances of An Application - Was: Re: Last call review of draft-ietf-oauth-dyn-reg-10
George Fletcher <gffletch@aol.com> Tue, 04 June 2013 18:32 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1BE921F9C5A for <oauth@ietfa.amsl.com>; Tue, 4 Jun 2013 11:32:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G6eX2WzRso9Z for <oauth@ietfa.amsl.com>; Tue, 4 Jun 2013 11:32:54 -0700 (PDT)
Received: from omr-d02.mx.aol.com (omr-d02.mx.aol.com [205.188.109.194]) by ietfa.amsl.com (Postfix) with ESMTP id 8BC2C21F9678 for <oauth@ietf.org>; Tue, 4 Jun 2013 11:10:18 -0700 (PDT)
Received: from mtaout-da03.r1000.mx.aol.com (mtaout-da03.r1000.mx.aol.com [172.29.51.131]) by omr-d02.mx.aol.com (Outbound Mail Relay) with ESMTP id 6C0D070065983 for <oauth@ietf.org>; Tue, 4 Jun 2013 14:10:16 -0400 (EDT)
Received: from palantir.local (unknown [10.172.2.235]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-da03.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 67ADDE00019A; Tue, 4 Jun 2013 14:10:15 -0400 (EDT)
Message-ID: <51AE2D85.4040101@aol.com>
Date: Tue, 04 Jun 2013 14:10:13 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: George Fletcher <gffletch@aol.com>, "oauth@ietf.org WG" <oauth@ietf.org>
References: <85AA2C66-108B-4276-92EE-2D7566E54990@oracle.com> <6AF52CCD-4D6B-4696-8465-3345FFFDBE9C@mitre.org> <A1F47E63-DFE6-41A2-9F91-2DB44091D94C@oracle.com> <8EFC7565-0E81-4688-9AEB-459E7503F609@mitre.org> <6D11C230-31F6-4206-8F29-B1F2BFB5C17E@oracle.com> <4E1F6AAD24975D4BA5B16804296739436773435C@TK5EX14MBXC283.redmond.corp.microsoft.com> <B0C50AAD-97F0-4E55-A30D-C011B012A3DB@oracle.com> <519A42B4.2020803@mitre.org> <2B22BE68-6903-4C5B-8B0F-A10EB5BA74FE@oracle.com> <519B7AA5.3070908@mitre.org> <D4A8CBBB-2929-4B8D-BE05-086F895F0930@oracle.com> <519B9623.8030403@mitre.org> <C7C4CA9B-1C34-452A-B3C3-0BBE9EF1ECB7@oracle.com> <sjmr4gi4o3a.fsf@mocana.ihtfp.org> <13631B8F-D3FA-47E6-9176-812840BA507F@oracle.com> <c842d056-82f1-4d23-b130-4bd7f6ea0057@email.android.com> <1AB6F2B5-BBDE-476C-B30E-33510EAA024C@oracle.com> <51AE19BA.1090806@mitre.org> <51AE2A50.4030800@aol.com>
In-Reply-To: <51AE2A50.4030800@aol.com>
Content-Type: multipart/alternative; boundary="------------070405050103060807020207"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1370369416; bh=oP2DF3QNo5wEUj3nwG2ZUaMNRtlgqMU2dk3nh52t3q4=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=c2m1tA7jvyVCSIJdom0TEL8skEC13pH57Jq1GM0O16FY7QLQXwSRALIxq9XUX6xe2 ZTj639myYmEq0LmMekoo+qSPKa8/iBeuBS70qHcB5xbZGgQkdsXf2XNeaSL0dJEgPT 8NdfDPq88I6r51dN6V2S4d+nIboxfqFDj1G4wn6E=
X-AOL-SCOLL-SCORE: 0:2:466582368:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d338351ae2d862c8e
X-AOL-IP: 10.172.2.235
Subject: Re: [OAUTH-WG] Client Instances of An Application - Was: Re: Last call review of draft-ietf-oauth-dyn-reg-10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jun 2013 18:33:00 -0000
Argh! Typos (due to iPhone? no bad brain <-> hand connections). Sorry Justin! On 6/4/13 1:56 PM, George Fletcher wrote: > +1 for leaving dyn reg as is and working on a profile that enables > this more domain specific scenario. I agree with Phil and Justine that > it's important... I just don't think it should be put in the core dyn > reg spec. > > Thanks, > George > > On 6/4/13 12:45 PM, Justin Richer wrote: >> I agree with the goal of standardizing on identifying software >> instances, but I think it's out of scope to do so inside of dynamic >> registration when most dynamic registration use cases don't need it >> and won't use it. I think that you've got to define discovery, >> assertion contents, and a few other things in order to make it work >> and interoperable across different services. Do we really want to >> define assertion formats and server/client discovery and processing >> rules inside of dynamic registration? I really don't think that's >> beneficial, either to dynamic registration itself or to the problem >> that the software instance tracking is trying to solve. >> >> If this gets proposed as a separate document, I will support it and I >> will help work on it. Heck, I'll even help edit the thing (or things) >> if people want. But I strongly believe that it's a separate concern >> from dynamic client registration, and I think it needs to have its >> own proper discussion apart from that. >> >> -- Justin >> >> On 06/04/2013 02:28 AM, Phil Hunt wrote: >>> Yes. However the contents and format are out of scope. >>> >>> Phil >>> >>> On 2013-06-03, at 22:32, Torsten Lodderstedt >>> <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote: >>> >>>> Hi Phil, >>>> >>>> isn't the initial registration token such a credential, which >>>> allows to co-relate different instances of the same software? >>>> >>>> regards, >>>> Torsten. >>>> >>>> >>>> >>>> Phil Hunt <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> >>>> schrieb: >>>> >>>> Finally i believe the bb+ doesn't have the issue because they are solving with an initial authn credential that contains the same info. >>>> >>>> My feeling is that this functionality needs to be standardized one way or another. >>>> >>>> Phil >>>> >>>> On 2013-06-03, at 19:16, Derek Atkins <derek@ihtfp.com <mailto:derek@ihtfp.com>> wrote: >>>> >>>> Phil, Phil Hunt <phil.hunt@oracle.com >>>> <mailto:phil.hunt@oracle.com>> writes: >>>> >>>> Not quite. I will call you. I am saying we are >>>> transitioning from the old public client model. The new >>>> model proposes quasi-confidential characteristics but >>>> in some respects is missing key information from the >>>> public m! odel. Namely that a group of clients are >>>> related and there have common behaviour and security >>>> characteristics. We need to add to the self-asserted >>>> model an assertion equiv to the old common client_id. >>>> That is all. I am NOT looking for a proof of >>>> application identity here. That is too far. But >>>> certainly what we define here can open that door. Phil >>>> >>>> I think I understand what you're saying here. In the "old >>>> way", a public client had a constant client_id amongst all >>>> instances of that public client, whereas in the "new way", >>>> a public client will have different client_ids amongst all >>>> instances of that client. You feel this is a loss, whereas >>>> it seems most people seem to feel this change is okay. >>>> Since you are effectively the lone dissenter on this one >>>> topic, let me ask you a question: What is a technical >>>> reason that you need to have a constant, assertion that >>>> would bind to! gether (in a non-authenticated way) multiple >>>> instances of a client? I believe that Justin has provides >>>> some attacks against this; so I'm trying to understand, >>>> (with my chair hat on), why you need this functionality? >>>> With my security-mafia hat on, I feel like the old way was >>>> bad, and I much prefer the newer way where each instance of >>>> a client gets its own ID and a locally-stored secret. >>>> -derek -- Derek Atkins 617-623-3745 derek@ihtfp.com >>>> <mailto:derek@ihtfp.com> www.ihtfp.com >>>> <http://www.ihtfp.com> Computer and Internet Security >>>> Consultant >>>> >>>> ------------------------------------------------------------------------ >>>> >>>> OAuth mailing list >>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] Last call review of draft-ietf-oauth-d… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Richer, Justin P.
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Richer, Justin P.
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Richer, Justin P.
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Justin Richer
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Mike Jones
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Phil Hunt
- [OAUTH-WG] Client Instances of An Application - W… Phil Hunt
- Re: [OAUTH-WG] Client Instances of An Application… Mike Jones
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Mike Jones
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… Justin Richer
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… John Bradley
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Client Instances of An Application… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- [OAUTH-WG] Charter- was Re: Client Instances of A… Phil Hunt
- Re: [OAUTH-WG] Charter- was Re: Client Instances … Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Charter- was Re: Client Instances … Mike Jones
- Re: [OAUTH-WG] Charter- was Re: Client Instances … Phil Hunt
- Re: [OAUTH-WG] Charter- was Re: Client Instances … Mike Jones
- Re: [OAUTH-WG] Charter- was Re: Client Instances … John Bradley
- Re: [OAUTH-WG] Charter- was Re: Client Instances … Eve Maler
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Derek Atkins
- Re: [OAUTH-WG] Client Instances of An Application… Derek Atkins
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Client Instances of An Application… Torsten Lodderstedt
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… George Fletcher
- Re: [OAUTH-WG] Client Instances of An Application… George Fletcher
- Re: [OAUTH-WG] Client Instances of An Application… Anganes, Amanda L
- Re: [OAUTH-WG] Client Instances of An Application… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… John Bradley