Re: [OAUTH-WG] Native clients & 'confidentiality'
Michael Thomas <mike@mtcc.com> Mon, 19 December 2011 17:55 UTC
Return-Path: <mike@mtcc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C8A221F8BA6 for <oauth@ietfa.amsl.com>; Mon, 19 Dec 2011 09:55:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mTqTfvyjMyhu for <oauth@ietfa.amsl.com>; Mon, 19 Dec 2011 09:55:22 -0800 (PST)
Received: from mtcc.com (mtcc.com [50.0.18.224]) by ietfa.amsl.com (Postfix) with ESMTP id 3971D21F8BA8 for <oauth@ietf.org>; Mon, 19 Dec 2011 09:55:22 -0800 (PST)
Received: from takifugu.mtcc.com (takifugu.mtcc.com [50.0.18.224]) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id pBJHtJTA018423 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Mon, 19 Dec 2011 09:55:20 -0800
Message-ID: <4EEF7A87.5090100@mtcc.com>
Date: Mon, 19 Dec 2011 09:55:19 -0800
From: Michael Thomas <mike@mtcc.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.22) Gecko/20090605 Thunderbird/2.0.0.22 Mnenhy/0.7.5.0
MIME-Version: 1.0
To: Justin Richer <jricher@mitre.org>
References: <4EEF2BC4.7020409@gmail.com> <4EEF77E7.6030808@mitre.org>
In-Reply-To: <4EEF77E7.6030808@mitre.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1379; t=1324317320; x=1325181320; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[OAUTH-WG]=20Native=20clients=20&=20'co nfidentiality' |Sender:=20 |To:=20Justin=20Richer=20<jricher@mitre.org> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=U1FTfLCZZ1z/Om2JPul9SNvU9bgK/ZRzefFVnwvy/xM=; b=myp9UdQuYJv3VfLhPJb7fooEJBGE+g6rkMMCFAfXiad+I/arQVPlsWAMOO SZPFcdRse/NwEKRcSs3RahWLyl0lL8ToqMQwNOt30upqN/friiMKDAw2VYLe 3tww1Ln7yUpB6DnB4dCfdoU7tTOsIxgKrCyqpmEbYbRG140SwPLjI=;
Authentication-Results: ; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Native clients & 'confidentiality'
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Dec 2011 17:55:23 -0000
On 12/19/2011 09:44 AM, Justin Richer wrote: > Native mobile clients can't really be confidential clients. > > The distinction between "public" and "confidential" clients is whether > or not they can keep deployment-time secrets; which is to say, a > client_secret. This is not to say that they can't keep *any* secrets. > In particular those generated at runtime, like an access token or > refresh token, could be held perfectly safe. But at the time the app > is deployed to its running environment, you have to ask "who has > access to its code and configuration?" Ah, thank you. The draft could be a *lot* more explicit about that in its definitions. After reading it several times, I couldn't figure out who "public" was to whom. > Native apps also have the concern of embedded browsers vs. external > native browsers, and what trust the user puts into them. For all OAuth > flows, you have to trust the browser provider on the platform of > choice, since the user's going to be logging in directly through that > browser. It's very much outside the scope of OAuth to make that world > any better though, and there have been long and detailed discussions > on this list about that very topic, leading to some concrete > recommendations in the draft as it stands today. As far as I can tell, the recommendations don't work. Mike
- Re: [OAUTH-WG] Native clients & 'confidentiality' Michael Thomas
- Re: [OAUTH-WG] Native clients & 'confidentiality' Justin Richer
- Re: [OAUTH-WG] Native clients & 'confidentiality' Paul Madsen
- Re: [OAUTH-WG] Native clients & 'confidentiality' Michael Thomas
- Re: [OAUTH-WG] Native clients & 'confidentiality' Michael Thomas
- Re: [OAUTH-WG] Native clients & 'confidentiality' Michael Thomas
- Re: [OAUTH-WG] Native clients & 'confidentiality' Paul Madsen
- Re: [OAUTH-WG] Native clients & 'confidentiality' Paul Madsen
- [OAUTH-WG] Native clients & 'confidentiality' Paul Madsen
- Re: [OAUTH-WG] Native clients & 'confidentiality' Anthony Nadalin
- Re: [OAUTH-WG] Native clients & 'confidentiality' George Fletcher
- Re: [OAUTH-WG] Native clients & 'confidentiality' Justin Richer
- Re: [OAUTH-WG] Native clients & 'confidentiality' John Kemp
- Re: [OAUTH-WG] Native clients & 'confidentiality' John Kemp
- Re: [OAUTH-WG] Native clients & 'confidentiality' Paul Madsen
- Re: [OAUTH-WG] Native clients & 'confidentiality' Paul Madsen
- Re: [OAUTH-WG] Native clients & 'confidentiality' John Kemp
- Re: [OAUTH-WG] Native clients & 'confidentiality' Paul Madsen
- Re: [OAUTH-WG] Native clients & 'confidentiality' George Fletcher
- Re: [OAUTH-WG] Native clients & 'confidentiality' zhang.ruishan
- Re: [OAUTH-WG] Native clients & 'confidentiality' Eran Hammer
- Re: [OAUTH-WG] Native clients & 'confidentiality' Paul Madsen