Re: [OAUTH-WG] Client Instances of An Application - Was: Re: Last call review of draft-ietf-oauth-dyn-reg-10
Phil Hunt <phil.hunt@oracle.com> Tue, 04 June 2013 07:27 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA3F421E810B for <oauth@ietfa.amsl.com>; Tue, 4 Jun 2013 00:27:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.69
X-Spam-Level:
X-Spam-Status: No, score=-4.69 tagged_above=-999 required=5 tests=[AWL=0.512, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kzgkNvdisEhl for <oauth@ietfa.amsl.com>; Tue, 4 Jun 2013 00:27:42 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id D59AE21F9B7D for <oauth@ietf.org>; Mon, 3 Jun 2013 23:28:57 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r546SrLS015945 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 4 Jun 2013 06:28:54 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r546SrD2013967 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 4 Jun 2013 06:28:54 GMT
Received: from abhmt105.oracle.com (abhmt105.oracle.com [141.146.116.57]) by userz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r546Srvf023555; Tue, 4 Jun 2013 06:28:53 GMT
Received: from [192.168.1.125] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 03 Jun 2013 23:28:53 -0700
References: <85AA2C66-108B-4276-92EE-2D7566E54990@oracle.com> <6AF52CCD-4D6B-4696-8465-3345FFFDBE9C@mitre.org> <A1F47E63-DFE6-41A2-9F91-2DB44091D94C@oracle.com> <8EFC7565-0E81-4688-9AEB-459E7503F609@mitre.org> <6D11C230-31F6-4206-8F29-B1F2BFB5C17E@oracle.com> <4E1F6AAD24975D4BA5B16804296739436773435C@TK5EX14MBXC283.redmond.corp.microsoft.com> <B0C50AAD-97F0-4E55-A30D-C011B012A3DB@oracle.com> <519A42B4.2020803@mitre.org> <2B22BE68-6903-4C5B-8B0F-A10EB5BA74FE@oracle.com> <519B7AA5.3070908@mitre.org> <D4A8CBBB-2929-4B8D-BE05-086F895F0930@oracle.com> <519B9623.8030403@mitre.org> <C7C4CA9B-1C34-452A-B3C3-0BBE9EF1ECB7@oracle.com> <sjmr4gi4o3a.fsf@mocana.ihtfp.org> <13631B8F-D3FA-47E6-9176-812840BA507F@oracle.com> <c842d056-82f1-4d23-b130-4bd7f6ea0057@email.android.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <c842d056-82f1-4d23-b130-4bd7f6ea0057@email.android.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-6E69AAC9-6BAF-466F-B80A-48D96F025037"
Content-Transfer-Encoding: 7bit
Message-Id: <1AB6F2B5-BBDE-476C-B30E-33510EAA024C@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Mon, 03 Jun 2013 23:28:49 -0700
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: Derek Atkins <derek@ihtfp.com>, "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Client Instances of An Application - Was: Re: Last call review of draft-ietf-oauth-dyn-reg-10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jun 2013 07:27:57 -0000
Yes. However the contents and format are out of scope. Phil On 2013-06-03, at 22:32, Torsten Lodderstedt <torsten@lodderstedt.net> wrote: > Hi Phil, > > isn't the initial registration token such a credential, which allows to co-relate different instances of the same software? > > regards, > Torsten. > > > > Phil Hunt <phil.hunt@oracle.com> schrieb: >> >> Finally i believe the bb+ doesn't have the issue because they are solving with an initial authn credential that contains the same info. >> >> My feeling is that this functionality needs to be standardized one way or another. >> >> Phil >> >> On 2013-06-03, at 19:16, Derek Atkins <derek@ihtfp.com> wrote: >> >>> Phil, >>> >>> Phil Hunt <phil.hunt@oracle.com> writes: >>> >>>> Not quite. I will call you. >>>> >>>> I am saying we are transitioning from the old public client model. The new >>>> model proposes quasi-confidential characteristics but in some respects is >>>> missing key information from the public m! >>>> odel. >>>> Namely that a group of clients >>>> are related and there have common behaviour and security characteristics. >>>> >>>> We need to add to the self-asserted model an assertion equiv to the old common >>>> client_id. That is all. >>>> >>>> I am NOT looking for a proof of application identity here. That is too far. >>>> But certainly what we define here can open that door. >>>> >>>> Phil >>> >>> I think I understand what you're saying here. In the "old way", a >>> public client had a constant client_id amongst all instances of that >>> public client, whereas in the "new way", a public client will have >>> different client_ids amongst all instances of that client. You feel >>> this is a loss, whereas it seems most people seem to feel this change is >>> okay. >>> >>> Since you are effectively the lone dissenter on this one topic, let me >>> ask you a question: What is a technical reason that you need to have a >>> constant, assertion that would bind to! >>> gether >>> (in a non-authenticated >>> way) multiple instances of a client? >>> >>> I believe that Justin has provides some attacks against this; so I'm >>> trying to understand, (with my chair hat on), why you need this >>> functionality? >>> >>> With my security-mafia hat on, I feel like the old way was bad, and I >>> much prefer the newer way where each instance of a client gets its own >>> ID and a locally-stored secret. >>> >>> -derek >>> >>> -- >>> Derek Atkins 617-623-3745 >>> derek@ihtfp.com www.ihtfp.com >>> Computer and Internet Security Consultant >> >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Last call review of draft-ietf-oauth-d… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Richer, Justin P.
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Richer, Justin P.
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Richer, Justin P.
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Justin Richer
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Mike Jones
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Phil Hunt
- [OAUTH-WG] Client Instances of An Application - W… Phil Hunt
- Re: [OAUTH-WG] Client Instances of An Application… Mike Jones
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Mike Jones
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… Justin Richer
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… John Bradley
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Client Instances of An Application… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- [OAUTH-WG] Charter- was Re: Client Instances of A… Phil Hunt
- Re: [OAUTH-WG] Charter- was Re: Client Instances … Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Charter- was Re: Client Instances … Mike Jones
- Re: [OAUTH-WG] Charter- was Re: Client Instances … Phil Hunt
- Re: [OAUTH-WG] Charter- was Re: Client Instances … Mike Jones
- Re: [OAUTH-WG] Charter- was Re: Client Instances … John Bradley
- Re: [OAUTH-WG] Charter- was Re: Client Instances … Eve Maler
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Derek Atkins
- Re: [OAUTH-WG] Client Instances of An Application… Derek Atkins
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Client Instances of An Application… Torsten Lodderstedt
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… George Fletcher
- Re: [OAUTH-WG] Client Instances of An Application… George Fletcher
- Re: [OAUTH-WG] Client Instances of An Application… Anganes, Amanda L
- Re: [OAUTH-WG] Client Instances of An Application… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… John Bradley