Re: [OAUTH-WG] Motivation for OAuth 2.0 Dynamic Client Registration Protocol
Justin Richer <jricher@mit.edu> Wed, 11 March 2015 14:18 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 261661ACDCC for <oauth@ietfa.amsl.com>; Wed, 11 Mar 2015 07:18:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2eh2VvWawrqG for <oauth@ietfa.amsl.com>; Wed, 11 Mar 2015 07:18:40 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6869F1ACDCB for <oauth@ietf.org>; Wed, 11 Mar 2015 07:18:40 -0700 (PDT)
X-AuditID: 1209190d-f792d6d000001fc7-44-55004ebe98e1
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id F0.F8.08135.EBE40055; Wed, 11 Mar 2015 10:18:38 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id t2BEIbf7002407; Wed, 11 Mar 2015 10:18:38 -0400
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t2BEHgEv001753 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 11 Mar 2015 10:18:36 -0400
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_D777F494-D79A-41A5-BFA9-ED8B50C279FE"; protocol="application/pgp-signature"; micalg="pgp-sha1"
X-Pgp-Agent: GPGMail 2.5b5
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <F4D7BA5F-346B-4875-9ADD-D1989BFFA879@ve7jtb.com>
Date: Wed, 11 Mar 2015 10:18:35 -0400
Message-Id: <75F490CD-2770-4E98-A198-32329ABC5339@mit.edu>
References: <CAOahYUx8zGRy7f7ZisRh8=tco1LYFKHxcy1iwKX8hfqt+3EfzQ@mail.gmail.com> <7CDF2772-18FA-46EE-9E65-8D2740460FD1@mit.edu> <F4D7BA5F-346B-4875-9ADD-D1989BFFA879@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.2070.6)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrPKsWRmVeSWpSXmKPExsUixCmqrbvPjyHUoH2FicXObT9ZLU6+fcVm sfruXzYHZo8lS34yeUyY+IPF4/btjSwBzFFcNimpOZllqUX6dglcGR+3TGUqmB5cManpHXsD Y7tHFyMnh4SAicSjd+eYIGwxiQv31rN1MXJxCAksZpLoa5vPDpIQEtjIKLHxayhE4iGTxPJp BxlBEsICoRIrTpwHs3kFDCTmnvrCBFLELDCJUeL35J2MEGOlJB7cXgNmswmoSkxf0wK2jlPA TuJw81FmEJsFKD6naQFYDbNAmsSztlvMEEOtJFovbGaGu6KzjQ/EFhFQkdi37xFQPQfQfHmJ nk3pExgFZyE5YxayM2aBjU2S+DvlKguErS2xbOFrZghbU2J/93Is4hoSnd8mskLY8hLb386B iltKLJ55A6reVuJW3wImCNtO4tG0RawLGLlXMcqm5Fbp5iZm5hSnJusWJyfm5aUW6Rrp5WaW 6KWmlG5iBMelJO8OxncHlQ4xCnAwKvHwOsz4HyLEmlhWXJl7iFGSg0lJlJfZlSFUiC8pP6Uy I7E4I76oNCe1+BCjCtCuRxtWX2CUYsnLz0tVEuEV9wGq401JrKxKLcqHKZPmYFES5930gy9E SCA9sSQ1OzW1ILUIJivDwaEkwbscpFGwKDU9tSItM6cEIc3EwXmIUYKDB2j4TbDhxQWJucWZ 6RD5U4yKUuK870ASAiCJjNI8uF5YOn3FKA70ljCvuy9QFQ8wFcN1vwIazAQ0mMUa6GHe4pJE hJRUA6P0e50MRffM2GCNSa4VbMdVTuQcSgretFOxyLfgrVfoviqlY8o7lxg77pomyHCqs10v YeEtxflbaiuaPjY/2VJz5uWx5El33TcVPt9kk/9TLEeYRXptdWrQ1WhLn9w1N8/+Z8vddlB7 79u6wzULfpc+Mv7Rc7rNa5uGGtshm+M3Vuv9LRD+ck2JpTgj0VCLuag4EQCBukjJggMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/AuC9uSwAsjewRaSWD3oQl6XZqEg>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Motivation for OAuth 2.0 Dynamic Client Registration Protocol
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2015 14:18:43 -0000
Right, everything from a client needs to be taken with a grain of salt, it’s the nature of the protocol. — Justin > On Mar 11, 2015, at 9:59 AM, John Bradley <ve7jtb@ve7jtb.com> wrote: > > The other thing to consider is that software statements in native apps are only a hint from "good" clients. > > To know for sure that it is a instance of some software you need a agent on the device to check the signature and bundle_id, otherwise anyone could extract the software statement and put it in some other client. > > The NAAPS work in the OIDF is looking at how some of that can work. > > John B. > >> On Mar 11, 2015, at 9:04 AM, Justin Richer <jricher@MIT.EDU <mailto:jricher@MIT.EDU>> wrote: >> >> Hi Adam, >> >> Yes, in fact that use case is the motivation behind allowing the initial access token mechanism, where the developer goes and gets a pre-registration token and passes that in through the application itself: >> >> https://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-24#appendix-A.1.2 <https://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-24#appendix-A.1.2> >> >> What we don’t specify is *how* the deployment organization finds out about the client developer, since that’s so far been something that’s pretty tightly tied in to deployments. In BlueButton+ we used a combination of a structured initial access tokens and a registry service (think of it like a trust root with discovery components) to get this kind of information across the wire. Within your deployment umbrella you could do something similar, or use the software statement mechanism to carry similar information. Nobody’s sought to have that specific part standardized yet, but you can absolutely deploy it within the Dynamic Client Registration spec. >> >> — Justin >> >>> On Mar 11, 2015, at 1:26 AM, Adam Lewis <Adam.Lewis@motorolasolutions.com <mailto:Adam.Lewis@motorolasolutions.com>> wrote: >>> >>> Hi, >>> >>> I am curious about the use cases that inspired this draft, as the terminology that is defined within fits like a glove a use case that I have, though the draft doesn't solve it it completely. >>> >>> Namely the use case as I have is for the "client developer" to be able to create a developer account with the "software API publisher" via developer portal, and to then make their client available for download on an app store (e.g. Google Play), where it would be downloaded by a "deployment organization" and finally run the client registration protocol. This fits our use case 90%, but we have a further use case that the "software API deployment" is able to identify the "client developer" of the application when executing in a "deployment organization." >>> >>> I'm curious if that last part was ever identified as a use case for the draft? >>> >>> >>> >>> tx >>> adam >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Motivation for OAuth 2.0 Dynamic Clien… Adam Lewis
- Re: [OAUTH-WG] Motivation for OAuth 2.0 Dynamic C… Justin Richer
- Re: [OAUTH-WG] Motivation for OAuth 2.0 Dynamic C… John Bradley
- Re: [OAUTH-WG] Motivation for OAuth 2.0 Dynamic C… Justin Richer