[OAUTH-WG] client secret used in Native App profile

Brian Dunnington <briandunnington@gmail.com> Fri, 25 June 2010 01:50 UTC

Date: Thu, 24 Jun 2010 18:50:44 -0700
Message-ID: <AANLkTikbz5zmILsegGXoj6YjdC8h4TPfscqDMqFCB7l-@mail.gmail.com>
From: Brian Dunnington <briandunnington@gmail.com>
To: oauth@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Subject: [OAUTH-WG] client secret used in Native App profile

In the 'User-Agent' profile, it says:

"This user-agent profile does not utilize the client secret since the
   client executables reside on the end-user's computer or device which
   makes the client secret accessible and exploitable"

However, the 'Native Apps' profile does not include such verbiage and
in fact specifically requires the use of the client secret. Native
apps' executables also reside on the end-user's computer or device,
making the client secret just as accessible and exploitable, so why
the difference?

Specifically, as a native app developer, there is no good (secure) way
to distribute the client secret without it being compromised. Any
open-source application would have even more problems keeping its
secret secure, but even compiled apps are easily exploitable. In this
scenario, there is no single, secure repository to keep the client
secret safe, so I would expect that the requirement of the client
secret for native apps be removed and made conformant with the
user-agent profile.
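The following is an added example, not part of the original message or of any OAuth specification, illustrating the point made above: a client secret compiled into a native app is just another string constant in the shipped artifact. It builds a constructed stand-in for a compiled binary (opaque bytes with NUL-terminated string literals, the way a compiler lays them out), recovers the printable runs the way the Unix `strings` tool does, and reports whether a known secret, raw or base64-encoded, is present. The client id, the secret value, and the token URL are all constructed placeholders; the intended use is as a release-pipeline check that tells a developer "this secret ships with the app" before the point the message is making becomes a problem.

```python
import base64
import re

# Constructed values for this example: not real credentials, not a real binary.
CLIENT_ID = "example-native-app"
CLIENT_SECRET = "hypothetical-client-secret-4f9c2a"


def build_fake_binary(secret: str) -> bytes:
    """Stand-in for a compiled native app: opaque bytes surrounding
    NUL-terminated string constants, which is how a compiler lays out
    string literals such as a hard-coded client secret."""
    return (
        b"\x7fELF\x02\x01\x01\x00" + bytes(range(256)) * 2
        + b"client_id=" + CLIENT_ID.encode() + b"\x00"
        + b"client_secret=" + secret.encode() + b"\x00"
        + b"https://auth.example.test/token\x00"   # constructed endpoint
        + bytes(range(255, -1, -1))
    )


def extract_strings(blob: bytes, min_len: int = 8) -> list[str]:
    """Same idea as the Unix `strings` tool: every run of at least
    min_len printable ASCII bytes, regardless of what surrounds it."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def find_leaked_secrets(blob: bytes, secrets: list[str]) -> list[tuple[str, str]]:
    """Report which known secrets appear in the artifact, either verbatim
    or base64-encoded (a common but ineffective way of 'hiding' them).
    Intended as a pre-release check on the build output: any hit means
    the secret is distributed with the app and cannot be considered secret."""
    found = []
    text = "\n".join(extract_strings(blob))
    for s in secrets:
        if s in text:
            found.append((s, "raw"))
        if base64.b64encode(s.encode()).decode() in text:
            found.append((s, "base64"))
    return found


if __name__ == "__main__":
    artifact = build_fake_binary(CLIENT_SECRET)
    for secret, encoding in find_leaked_secrets(artifact, [CLIENT_SECRET]):
        print(f"client secret shipped in artifact ({encoding}): {secret}")
```

The check is deliberately a lower bound: a secret that is assembled at runtime or lightly obfuscated will not show up in a string scan, but it is still present on the end-user's device and recoverable from the running process, which is exactly why the message argues the secret cannot be kept confidential in this deployment model.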