IETF Logo Mail Archive

Re: [OAUTH-WG] Client Instances of An Application - Was: Re: Last call review of draft-ietf-oauth-dyn-reg-10

Phil Hunt <phil.hunt@oracle.com> Tue, 04 June 2013 04:37 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CA0621E80F9 for <oauth@ietfa.amsl.com>; Mon, 3 Jun 2013 21:37:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.633
X-Spam-Level:
X-Spam-Status: No, score=-4.633 tagged_above=-999 required=5 tests=[AWL=0.570, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ssuYnn9gAk8C for <oauth@ietfa.amsl.com>; Mon, 3 Jun 2013 21:36:58 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 33FA521E8159 for <oauth@ietf.org>; Mon, 3 Jun 2013 20:39:46 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r543dcqa008062 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 4 Jun 2013 03:39:39 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r543dbnI008344 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 4 Jun 2013 03:39:38 GMT
Received: from abhmt114.oracle.com (abhmt114.oracle.com [141.146.116.66]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r543dbf9019662; Tue, 4 Jun 2013 03:39:37 GMT
Received: from [192.168.1.125] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 03 Jun 2013 20:39:37 -0700
References: <85AA2C66-108B-4276-92EE-2D7566E54990@oracle.com> <6AF52CCD-4D6B-4696-8465-3345FFFDBE9C@mitre.org> <A1F47E63-DFE6-41A2-9F91-2DB44091D94C@oracle.com> <8EFC7565-0E81-4688-9AEB-459E7503F609@mitre.org> <6D11C230-31F6-4206-8F29-B1F2BFB5C17E@oracle.com> <4E1F6AAD24975D4BA5B16804296739436773435C@TK5EX14MBXC283.redmond.corp.microsoft.com> <B0C50AAD-97F0-4E55-A30D-C011B012A3DB@oracle.com> <519A42B4.2020803@mitre.org> <2B22BE68-6903-4C5B-8B0F-A10EB5BA74FE@oracle.com> <519B7AA5.3070908@mitre.org> <D4A8CBBB-2929-4B8D-BE05-086F895F0930@oracle.com> <519B9623.8030403@mitre.org> <C7C4CA9B-1C34-452A-B3C3-0BBE9EF1ECB7@oracle.com> <sjmr4gi4o3a.fsf@mocana.ihtfp.org>
Mime-Version: 1.0 (1.0)
In-Reply-To: <sjmr4gi4o3a.fsf@mocana.ihtfp.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <13631B8F-D3FA-47E6-9176-812840BA507F@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Mon, 03 Jun 2013 20:39:34 -0700
To: Derek Atkins <derek@ihtfp.com>
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Client Instances of An Application - Was: Re: Last call review of draft-ietf-oauth-dyn-reg-10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jun 2013 04:37:14 -0000

Finally i believe the bb+ doesn't have the issue because they are solving with an initial authn credential that contains the same info. 

My feeling is that this functionality needs to be standardized one way or another. 

Phil

On 2013-06-03, at 19:16, Derek Atkins <derek@ihtfp.com> wrote:

> Phil,
> 
> Phil Hunt <phil.hunt@oracle.com> writes:
> 
>> Not quite. I will call you. 
>> 
>> I am saying we are transitioning from the old public client model. The new
>> model proposes quasi-confidential characteristics but in some respects is
>> missing key information from the public model.  Namely that a group of clients
>> are related and there have common behaviour and security characteristics. 
>> 
>> We need to add to the self-asserted model an assertion equiv to the old common
>> client_id. That is all. 
>> 
>> I am NOT looking for a proof of application identity here. That is too far.
>> But certainly what we define here can open that door. 
>> 
>> Phil
> 
> I think I understand what you're saying here.  In the "old way", a
> public client had a constant client_id amongst all instances of that
> public client, whereas in the "new way", a public client will have
> different client_ids amongst all instances of that client.  You feel
> this is a loss, whereas it seems most people seem to feel this change is
> okay.
> 
> Since you are effectively the lone dissenter on this one topic, let me
> ask you a question: What is a technical reason that you need to have a
> constant, assertion that would bind together (in a non-authenticated
> way) multiple instances of a client?
> 
> I believe that Justin has provides some attacks against this; so I'm
> trying to understand, (with my chair hat on), why you need this
> functionality?
> 
> With my security-mafia hat on, I feel like the old way was bad, and I
> much prefer the newer way where each instance of a client gets its own
> ID and a locally-stored secret.
> 
> -derek
> 
> -- 
>       Derek Atkins                 617-623-3745
>       derek@ihtfp.com             www.ihtfp.com
>       Computer and Internet Security Consultant

v2.23.0 | Report a Bug | By Email