IETF Logo Mail Archive

Re: [OAUTH-WG] Native clients & 'confidentiality'

John Kemp <john@jkemp.net> Mon, 19 December 2011 19:35 UTC

Return-Path: <john@jkemp.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C99D11E80B8 for <oauth@ietfa.amsl.com>; Mon, 19 Dec 2011 11:35:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level:
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wyiCqwQ4sY8h for <oauth@ietfa.amsl.com>; Mon, 19 Dec 2011 11:35:06 -0800 (PST)
Received: from oproxy3-pub.bluehost.com (oproxy3-pub.bluehost.com [69.89.21.8]) by ietfa.amsl.com (Postfix) with SMTP id 9A32F11E80B7 for <oauth@ietf.org>; Mon, 19 Dec 2011 11:35:06 -0800 (PST)
Received: (qmail 3603 invoked by uid 0); 19 Dec 2011 19:34:45 -0000
Received: from unknown (HELO box320.bluehost.com) (69.89.31.120) by oproxy3.bluehost.com with SMTP; 19 Dec 2011 19:34:45 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=jkemp.net; s=default; h=To:References:Message-Id:Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Content-Type:Mime-Version:Subject; bh=Nz1tMWMf5zpf/sUbNQGDGVIFowHR8hSjOt1EiA4Y4wU=; b=C9TM8/sipBRJjA3rDfDbBnQ8+fosW7qC7ULwjvfW0t0OIwHuDtnLZBASMShGhGTcghVvyIsHUdfljFCE58ZKflgs22TbuIttd8RVVjqTtlgFuBhdj+fAMtgpXNNnBaXq;
Received: from cpe-74-67-30-101.nycap.res.rr.com ([74.67.30.101] helo=[192.168.1.104]) by box320.bluehost.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from <john@jkemp.net>) id 1Rciyz-00026R-3U; Mon, 19 Dec 2011 12:34:45 -0700
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset="windows-1252"
From: John Kemp <john@jkemp.net>
In-Reply-To: <4EEF797D.4020608@gmail.com>
Date: Mon, 19 Dec 2011 13:21:20 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <941C10F0-2769-427A-8B65-7D28087E66EE@jkemp.net>
References: <4EEF2BC4.7020409@gmail.com> <4EEF71EA.3080200@mtcc.com> <4EEF797D.4020608@gmail.com>
To: Paul Madsen <paul.madsen@gmail.com>
X-Mailer: Apple Mail (2.1251.1)
X-Identified-User: {1122:box320.bluehost.com:jkempnet:jkemp.net} {sentby:smtp auth 74.67.30.101 authed with john+jkemp.net}
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Native clients & 'confidentiality'
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Dec 2011 19:35:07 -0000

Hi Paul,

On Dec 19, 2011, at 12:50 PM, Paul Madsen wrote:

> Hi Mike, to some extent I think my question is not about specific security characteristics, but rather whether its realistic for our group to mandate that both server & native clients have the *same* security characteristics - particularly the ability to 'securely' authenticate to the AS on the token endpoint.

Well… from your description of your case (e.g. "based on a user's subscriptions"), I'm not sure whether the client (software) designation makes much difference. Am I correct in thinking that the credentials which really need to be protected are those assigned to a user, rather than those assigned to a client? In which case, wouldn't it be possible for even a 'public' OAuth client to acquire them from the user dynamically (rather than storing them on the device) and pass them encrypted or hashed to the server?

Cheers,

- John

> 
> thanks
> 
> paul
> 
> On 12/19/11 12:18 PM, Michael Thomas wrote:
>> On 12/19/2011 04:19 AM, Paul Madsen wrote: 
>>> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet unreleased) profile of OAuth 2.0 for online delivery of video content based on a user's subscriptions (the TV Everywhere use case) 
>>> 
>>> We want to support both server & native mobile clients. It is for the second class of clients that I'd appreciate some clarification of 'confidentiality' as defined in OAuth 2. 
>>> 
>>> OAuth 2 distinguishes confidential & public clients based on their ability to secure the credentials they'd use to authenticate to an AS - confidential clients can protect those credentials, public clients can't. 
>>> 
>>> Notwithstanding the above definition, the spec gives a degree of discretion to the AS 
>>> 
>>>    The client type designation is based on the authorization server's 
>>>    definition of secure authentication and its acceptable exposure 
>>>    levels of client credentials. 
>>> 
>>> 
>>> Give this discretion, is it practical for the OMAP spec to stipulate that 'All Clients (both server & native mobile), MUST be confidential', ie let each individual OMAP AS specify its own requirements of clients and their ability to securely authenticate? 
>> 
>> Hi, 
>> 
>> Can you say exactly what your security requirements are before trying to determine which 
>> (if either) is the right answer? I've got some concerns in this area that I'm trying to understand 
>> and am not sure if they're related to your concern or not. Part of this is that I really don't 
>> understand what the difference is between a "public" client and a "confidential client" and 
>> rereading the draft isn't helping me. In particular, can a iPhone app with a UIWebView *ever* 
>> be a "confidential" client, and if so how? 
>> 
>> Mike 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email