Re: [OAUTH-WG] items for the Vancouver agenda

Tim Bray <twbray@google.com> Fri, 25 October 2013 21:08 UTC

In-Reply-To: <CA6AC362-0A04-4C9F-BFFA-A0190858D73F@oracle.com>
References: <CA6AC362-0A04-4C9F-BFFA-A0190858D73F@oracle.com>
From: Tim Bray <twbray@google.com>
Date: Fri, 25 Oct 2013 14:07:44 -0700
Message-ID: <CA+ZpN25Ld8dqKwonC+EcFDBcTw9VB3Mvrcwkjyg1cgDQ3kR73w@mail.gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Cc: oauth list <oauth@ietf.org>

On Fri, Oct 25, 2013 at 1:41 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

> Finally, I'm not sure who might be able to lead this (Tim?), but there were
> some interesting views expressed by Google staffers at this week's IIW in
> Mountain View that seem to indicate that the need for client credentials in
> mobile apps may not need to be as strong as we thought, or needed at all.
> This has interesting implications for the registration drafts we are
> discussing.
>

We hear lots of developers saying they want to know for sure the identity
of the client, and that’s what we use the azp claim in the ID Token for,
but it’s very fragile in the face of a determined attacker, more so than
the other claims.  Not sure how much there is to talk about...




> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
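An added illustration of the point Tim makes about the azp claim (this is example code written for this page, not code from the thread, from Google, or from any OAuth implementation). The toy authorization server, its HS256 signing key, the issuer URL, the two client registrations and all claim values are constructed for the demo; real ID Tokens are normally RS256/ES256-signed and checked against the provider's published JWKS. The validator performs the relying-party checks from OpenID Connect Core section 3.1.3.7 (signature, iss, aud, azp when present, exp). The demo then goes one step beyond the message: it contrasts a public mobile client, whose client_id ships inside the app binary and can be copied by any other app, with a confidential client that must present a secret, to show that azp only names a client_id and cannot tell a genuine app from an impostor using the same id.

```python
"""Why the ID Token's azp claim identifies a client_id, not a particular app.

Everything below (issuer, key, client registrations, claim values) is
constructed for this demo and is not part of any real deployment.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://as.example"                           # constructed
AS_SIGNING_KEY = b"demo-hs256-key-not-for-production"   # constructed

# Registered clients: a public mobile app (no secret, as RFC 8252 describes
# for native apps) and a confidential server-side client that holds a secret.
CLIENTS = {
    "mobile-app-123": {"secret": None},
    "backend-456": {"secret": "s3cret"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_id_token(client_id, client_secret=None, sub="alice", now=None):
    """Token endpoint of the toy AS.  A confidential client must present its
    secret; a public client has nothing to present beyond the client_id, so
    whoever sends that id is treated as 'the client' and gets azp == id."""
    reg = CLIENTS.get(client_id)
    if reg is None:
        raise PermissionError("unknown client_id")
    if reg["secret"] is not None and not hmac.compare_digest(
        str(client_secret), reg["secret"]
    ):
        raise PermissionError("bad client secret")
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "sub": sub, "aud": client_id, "azp": client_id,
              "iat": now, "exp": now + 300}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(AS_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token, expected_client_id, now=None):
    """Relying-party checks (OpenID Connect Core 3.1.3.7): signature, iss,
    aud, azp when present, exp.  Returns the claims on success."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected_sig = hmac.new(AS_SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected_client_id not in aud:
        raise ValueError("wrong audience")
    if "azp" in claims and claims["azp"] != expected_client_id:
        raise ValueError("wrong azp")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def impersonation_demo():
    """Returns (impostor_passes_as_mobile_app, impostor_passes_as_backend)."""
    # Genuine mobile app: its client_id is baked into the shipped binary.
    genuine = issue_id_token("mobile-app-123")
    # Impostor app that copied the client_id out of that binary.  No secret
    # exists to distinguish it, so the AS mints an identical-looking token
    # and the validator accepts both with the same azp value.
    impostor = issue_id_token("mobile-app-123")
    mobile_ok = (validate_id_token(impostor, "mobile-app-123")["azp"]
                 == validate_id_token(genuine, "mobile-app-123")["azp"])
    # Confidential client: without the secret the impostor gets no token.
    try:
        issue_id_token("backend-456", client_secret="guess")
        backend_ok = True
    except PermissionError:
        backend_ok = False
    return mobile_ok, backend_ok


if __name__ == "__main__":
    print(impersonation_demo())
```

The azp check is still worth doing: it stops a token minted for one client_id from being replayed to a relying party expecting another. What it cannot do, for a public client, is bind the token to a particular piece of software, which is the fragility the message refers to.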