Re: [OAUTH-WG] Client Instances of An Application - Was: Re: Last call review of draft-ietf-oauth-dyn-reg-10

Phil Hunt <> Tue, 04 June 2013 04:33 UTC

From: Phil Hunt <>
Date: Mon, 03 Jun 2013 20:34:44 -0700
To: Derek Atkins <>
Cc: " WG" <>
Subject: Re: [OAUTH-WG] Client Instances of An Application - Was: Re: Last call review of draft-ietf-oauth-dyn-reg-10

From an operational security and change management perspective it is absolutely critical to know what clients should be of the same software type and version. 

We have customers that will want to be able to approve what 3rd party software is used on their service. 

If the spec doesn't support it, I *will* force another standard. It seems trivial to maintain the notion of software id rather than another draft for two attributes. 

I have agreed to make this optional. 

Those that are arguing for are OIDC and only Google has production deployment. 

Finally, when we did 6819 we were hammered by the IESG on the notion of authenticating legit software. I believe they will send the draft back if it leaves that issue entirely out of scope. 


On 2013-06-03, at 19:16, Derek Atkins <> wrote:

> Phil,
> Phil Hunt <> writes:
>> Not quite. I will call you. 
>> I am saying we are transitioning from the old public client model. The new
>> model proposes quasi-confidential characteristics but in some respects is
>> missing key information from the public model.  Namely that a group of clients
>> are related and they have common behaviour and security characteristics. 
>> We need to add to the self-asserted model an assertion equiv to the old common
>> client_id. That is all. 
>> I am NOT looking for a proof of application identity here. That is too far.
>> But certainly what we define here can open that door. 
>> Phil
> I think I understand what you're saying here.  In the "old way", a
> public client had a constant client_id amongst all instances of that
> public client, whereas in the "new way", a public client will have
> different client_ids amongst all instances of that client.  You feel
> this is a loss, whereas it seems most people feel this change is
> okay.
> Since you are effectively the lone dissenter on this one topic, let me
> ask you a question: What is a technical reason that you need to have a
> constant assertion that would bind together (in a non-authenticated
> way) multiple instances of a client?
> I believe that Justin has provided some attacks against this; so I'm
> trying to understand, (with my chair hat on), why you need this
> functionality?
> With my security-mafia hat on, I feel like the old way was bad, and I
> much prefer the newer way where each instance of a client gets its own
> ID and a locally-stored secret.
> -derek
> -- 
>       Derek Atkins                 617-623-3745
>       Computer and Internet Security Consultant