Re: [OAUTH-WG] Native clients & 'confidentiality'

Michael Thomas <> Mon, 19 December 2011 17:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7A40D21F8A4E for <>; Mon, 19 Dec 2011 09:18:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id c3UTHc8aG1K4 for <>; Mon, 19 Dec 2011 09:18:36 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id D0AFB21F84C5 for <>; Mon, 19 Dec 2011 09:18:36 -0800 (PST)
Received: from ( []) (authenticated bits=0) by (8.14.3/8.14.3) with ESMTP id pBJHIYKF016930 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Mon, 19 Dec 2011 09:18:34 -0800
Message-ID: <>
Date: Mon, 19 Dec 2011 09:18:34 -0800
From: Michael Thomas <>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: Gecko/20090605 Thunderbird/ Mnenhy/
MIME-Version: 1.0
To: Paul Madsen <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1775; t=1324315115; x=1325179115; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;;; z=From:=20Michael=20Thomas=20<> |Subject:=20Re=3A=20[OAUTH-WG]=20Native=20clients=20&=20'co nfidentiality' |Sender:=20 |To:=20Paul=20Madsen=20<> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=zLaOYHMkDQiFwc/K99M+mKqfxAsMJOvkTwqqRq35yUs=; b=uUxy8DQcEaIBn3boYq3Ue4YLqHw7tRg+986S0OFiemIMU0pTLI0eN83QXT S1OYhLHHK6ZX/GCoAWeTnfcBps0LthwwHVfrZ3sHPCFktWvnLkm/xrymFHGQ 55/ldGQx0Z8UDQKHk2u0o7JRJwESnzeuODB3V94y+ECOB1IuMMsyU=;
Authentication-Results: ; v=0.1; dkim=pass ( sig from verified; ); dkim-asp=pass
Subject: Re: [OAUTH-WG] Native clients & 'confidentiality'
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 19 Dec 2011 17:18:37 -0000

On 12/19/2011 04:19 AM, Paul Madsen wrote:
> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet 
> unreleased) profile of OAuth 2.0 for online delivery of video content 
> based on a user's subscriptions (the TV Everywhere use case)
> We want to support both server & native mobile clients. It is for the 
> second class of clients that I'd appreciate some clarification of 
> 'confidentiality' as defined in OAuth 2.
> OAuth 2 distinguishes confidential & public clients based on their 
> ability to secure the credentials they'd use to authenticate to an AS 
> - confidential clients can protect those credentials, public clients 
> can't.
> Notwithstanding the above definition, the spec gives a degree of 
> discretion to the AS
>     The client type designation is based on the authorization server's
>     definition of secure authentication and its acceptable exposure
>     levels of client credentials.
> Give this discretion, is it practical for the OMAP spec to stipulate 
> that 'All Clients (both server & native mobile), MUST be 
> confidential', ie let each individual OMAP AS specify its own 
> requirements of clients and their ability to securely authenticate?


Can you say exactly what your security requirements are before trying to 
determine which
(if either) is the right answer? I've got some concerns in this area 
that I'm trying to understand
and am not sure if they're related to your concern or not. Part of this 
is that I really don't
understand what the difference is between a "public" client and a 
"confidential client" and
rereading the draft isn't helping me. In particular, can a iPhone app 
with a UIWebView *ever*
be a "confidential" client, and if so how?