Re: [OAUTH-WG] Native clients & 'confidentiality'
Michael Thomas <mike@mtcc.com> Mon, 19 December 2011 18:00 UTC
Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3839A21F8BAE for <oauth@ietfa.amsl.com>; Mon, 19 Dec 2011 10:00:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0mKCCbWK9deE for <oauth@ietfa.amsl.com>; Mon, 19 Dec 2011 10:00:07 -0800 (PST)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 7A8CD21F8BAA for <oauth@ietf.org>; Mon, 19 Dec 2011 10:00:07 -0800 (PST)
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id pBJI05Ou018620 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Mon, 19 Dec 2011 10:00:05 -0800
Message-ID: <4EEF7BA4.80907@mtcc.com>
Date: Mon, 19 Dec 2011 10:00:04 -0800
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0
MIME-Version: 1.0
To: Paul Madsen <paul.madsen@gmail.com>
References: <4EEF2BC4.7020409@gmail.com> <4EEF71EA.3080200@mtcc.com> <4EEF797D.4020608@gmail.com>
In-Reply-To: <4EEF797D.4020608@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2699; t=1324317606; x=1325181606; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20Native=20clients=20&=20'co nfidentiality' |Sender:=20 |To:=20Paul=20Madsen=20<paul.madsen@gmail.com> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=Prv82I7B1KHpu5KBOH71CCm3WhjFXT7PbZAdXZfjfb8=; b=EDLW9WcGo7wW21tm8Tllm+36JS2/D17Mj/QkRrMB2TETH0b52sRs3mNhMw y6NLp6ENRkRC7mpGtDqNjJtM+q6ceHRdtGvdffu9UxrMuUrXXmeuYHlA+P19 gutX42VwNf4Ew/OE8sMNjjvkoy/i/KyR4qRsd86Up93O2lsS63hhs=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Native clients & 'confidentiality'
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Dec 2011 18:00:08 -0000
On 12/19/2011 09:50 AM, Paul Madsen wrote: > Hi Mike, to some extent I think my question is not about specific > security characteristics, but rather whether its realistic for our > group to mandate that both server & native clients have the *same* > security characteristics - particularly the ability to 'securely' > authenticate to the AS on the token endpoint. Well given the explanation Justin just gave, they do not. As I understand your initial query, redefining a native/embedded app as "confidential" doesn't alter that reality. But my first question about requirements still is relevant: what are you trying to protect from whom, and what is the level of risk that your profile of oauth is willing to tolerate? Mike > > thanks > > paul > > On 12/19/11 12:18 PM, Michael Thomas wrote: >> On 12/19/2011 04:19 AM, Paul Madsen wrote: >>> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet >>> unreleased) profile of OAuth 2.0 for online delivery of video >>> content based on a user's subscriptions (the TV Everywhere use case) >>> >>> We want to support both server & native mobile clients. It is for >>> the second class of clients that I'd appreciate some clarification >>> of 'confidentiality' as defined in OAuth 2. >>> >>> OAuth 2 distinguishes confidential & public clients based on their >>> ability to secure the credentials they'd use to authenticate to an >>> AS - confidential clients can protect those credentials, public >>> clients can't. >>> >>> Notwithstanding the above definition, the spec gives a degree of >>> discretion to the AS >>> >>> The client type designation is based on the authorization server's >>> definition of secure authentication and its acceptable exposure >>> levels of client credentials. >>> >>> >>> Give this discretion, is it practical for the OMAP spec to stipulate >>> that 'All Clients (both server & native mobile), MUST be >>> confidential', ie let each individual OMAP AS specify its own >>> requirements of clients and their ability to securely authenticate? >> >> Hi, >> >> Can you say exactly what your security requirements are before trying >> to determine which >> (if either) is the right answer? I've got some concerns in this area >> that I'm trying to understand >> and am not sure if they're related to your concern or not. Part of >> this is that I really don't >> understand what the difference is between a "public" client and a >> "confidential client" and >> rereading the draft isn't helping me. In particular, can a iPhone app >> with a UIWebView *ever* >> be a "confidential" client, and if so how? >> >> Mike
- [OAUTH-WG] Native clients & 'confidentiality' Paul Madsen
- Re: [OAUTH-WG] Native clients & 'confidentiality' Michael Thomas
- Re: [OAUTH-WG] Native clients & 'confidentiality' Justin Richer
- Re: [OAUTH-WG] Native clients & 'confidentiality' Paul Madsen
- Re: [OAUTH-WG] Native clients & 'confidentiality' Michael Thomas
- Re: [OAUTH-WG] Native clients & 'confidentiality' Michael Thomas
- Re: [OAUTH-WG] Native clients & 'confidentiality' Paul Madsen
- Re: [OAUTH-WG] Native clients & 'confidentiality' Paul Madsen
- Re: [OAUTH-WG] Native clients & 'confidentiality' Michael Thomas
- Re: [OAUTH-WG] Native clients & 'confidentiality' Anthony Nadalin
- Re: [OAUTH-WG] Native clients & 'confidentiality' George Fletcher
- Re: [OAUTH-WG] Native clients & 'confidentiality' Justin Richer
- Re: [OAUTH-WG] Native clients & 'confidentiality' John Kemp
- Re: [OAUTH-WG] Native clients & 'confidentiality' John Kemp
- Re: [OAUTH-WG] Native clients & 'confidentiality' Paul Madsen
- Re: [OAUTH-WG] Native clients & 'confidentiality' Paul Madsen
- Re: [OAUTH-WG] Native clients & 'confidentiality' John Kemp
- Re: [OAUTH-WG] Native clients & 'confidentiality' Paul Madsen
- Re: [OAUTH-WG] Native clients & 'confidentiality' George Fletcher
- Re: [OAUTH-WG] Native clients & 'confidentiality' zhang.ruishan
- Re: [OAUTH-WG] Native clients & 'confidentiality' Eran Hammer
- Re: [OAUTH-WG] Native clients & 'confidentiality' Paul Madsen