Re: [OAUTH-WG] client secret used in Native App profile
Bouiaw <bouiaw@gmail.com> Fri, 25 June 2010 14:16 UTC
Date: Fri, 25 Jun 2010 16:08:24 +0200
Message-ID: <AANLkTinzJdhKYYyD77ueXrePoLtz6czFkjsyUNAi6hbC@mail.gmail.com>
From: Bouiaw <bouiaw@gmail.com>
To: Marius Scurtescu <mscurtescu@google.com>
Cc: Brian Dunnington <briandunnington@gmail.com>, oauth@ietf.org
Subject: Re: [OAUTH-WG] client secret used in Native App profile
If we consider an HTML5 browser, I am not sure there is a clear separation between native apps and user agent clients. What is the technical difference between a native app and a browser that supports HTML 5 localStorage?

On Fri, Jun 25, 2010 at 9:22 AM, Marius Scurtescu <mscurtescu@google.com> wrote:
> I think the main difference is that User-Agent clients (aka JavaScript
> clients) cannot store a secret while Native Apps can safely store a
> secret, but the secret cannot be distributed (or, even if it can be
> distributed, it may not have much value).
>
> The difference is important. Each native app instance could require a
> registration phase that would provide a unique secret and possibly Id.
> This registration phase could be completely automatic or could involve
> the end user. There have been proposals for both. How much value there
> is in such a registration is not clear to me.
>
> Marius
>
> On Thu, Jun 24, 2010 at 6:50 PM, Brian Dunnington
> <briandunnington@gmail.com> wrote:
>> In the 'User-Agent' profile, it says:
>>
>> "This user-agent profile does not utilize the client secret since the
>> client executables reside on the end-user's computer or device which
>> makes the client secret accessible and exploitable"
>>
>> However, the 'Native Apps' profile does not include such verbiage and
>> in fact specifically requires the use of the client secret. Native
>> apps' executables also reside on the end-user's computer or device,
>> making the client secret just as accessible and exploitable, so why
>> the difference?
>>
>> Specifically, as a native app developer, there is no good (secure) way
>> to distribute the client secret without it being compromised. Any
>> open-source application would have even more problems keeping their
>> secret secure, but even compiled apps are easily exploitable. In this
>> scenario, there is no single, secure repository to keep the client
>> secret safe, so I would expect that the requirement of the client
>> secret for native apps be removed and made conformant with the
>> user-agent profile.
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
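The per-instance registration phase Marius sketches above, as an added example that is not code from this thread or from any OAuth implementation: the authorization server hands every native-app install its own client_id and secret at first run, so the distributed binary carries no shared secret, and one leaked instance can be revoked without affecting the others. The InstanceRegistry class and its method names are hypothetical.

```python
import hashlib
import hmac
import os
import secrets


class InstanceRegistry:
    """Hypothetical server-side store for per-install native-app credentials."""

    def __init__(self):
        # client_id -> [salt, pbkdf2 hash of the secret, revoked flag]
        self._clients = {}

    @staticmethod
    def _hash(salt, secret):
        # Store only a slow hash; the server never keeps the plaintext secret.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

    def register_instance(self):
        """Called once per install (automatic, or after end-user consent).
        Returns a fresh client_id and secret unique to this install."""
        client_id = "inst-" + secrets.token_hex(8)
        client_secret = secrets.token_urlsafe(32)
        salt = os.urandom(16)
        self._clients[client_id] = [salt, self._hash(salt, client_secret), False]
        return client_id, client_secret  # the secret leaves the server exactly once

    def authenticate(self, client_id, client_secret):
        """Token-endpoint check of the credentials one install presents."""
        rec = self._clients.get(client_id)
        if rec is None or rec[2]:
            return False  # unknown or revoked instance
        salt, expected, _ = rec
        return hmac.compare_digest(expected, self._hash(salt, client_secret))

    def revoke_instance(self, client_id):
        """Cut off a single compromised install; other installs keep working."""
        if client_id in self._clients:
            self._clients[client_id][2] = True
```

Contrast this with a single secret baked into every copy of the app: there, revoking the leaked secret would break every install at once.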