[OAUTH-WG] Native clients & 'confidentiality'

Paul Madsen <paul.madsen@gmail.com> Mon, 19 December 2011 12:19 UTC


Hi, the Online Media Authorization Protocol (OMAP) is a (as yet 
unreleased) profile of OAuth 2.0 for online delivery of video content 
based on a user's subscriptions (the TV Everywhere use case).

We want to support both server & native mobile clients. It is for the 
second class of clients that I'd appreciate some clarification of 
'confidentiality' as defined in OAuth 2.

OAuth 2 distinguishes confidential & public clients based on their 
ability to secure the credentials they'd use to authenticate to an AS - 
confidential clients can protect those credentials, public clients can't.

Notwithstanding the above definition, the spec gives a degree of 
discretion to the AS

    The client type designation is based on the authorization server's
    definition of secure authentication and its acceptable exposure
    levels of client credentials.

Given this discretion, is it practical for the OMAP spec to stipulate that 
'All Clients (both server & native mobile), MUST be confidential', i.e. 
let each individual OMAP AS specify its own requirements of clients and 
their ability to securely authenticate?

Is this consistent with the OAuth definition of confidentiality?
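An added illustration of the question raised above, not code from the OAuth WG, the OMAP profile or the poster: a small model of an AS applying its own "definition of secure authentication and acceptable exposure levels" to decide whether a registered client counts as confidential. The exposure levels, policy names and sample client registrations are assumptions made for this example; the point is that the same native client is confidential under one AS's policy and public under another's, which is exactly what a blanket "all clients MUST be confidential" rule would delegate to each AS.

```python
"""Model of an AS-side client-type designation policy (added example).
OAuth 2 leaves the confidential/public designation to the AS's own
definition of secure authentication and acceptable credential exposure.
The exposure levels, policies and client records below are assumptions."""
from dataclasses import dataclass

# Assumed ordering of how exposed a client credential is, least to most.
EXPOSURE_RANK = {
    "hsm_or_server_vault": 0,   # secret held server-side, never shipped
    "per_install_keystore": 1,  # credential issued per installation, OS keystore
    "embedded_in_binary": 2,    # one shared secret compiled into every copy
}

@dataclass(frozen=True)
class ClientRegistration:
    client_id: str
    kind: str                  # "server" or "native_mobile"
    credential_exposure: str   # one of the EXPOSURE_RANK keys

@dataclass(frozen=True)
class AsPolicy:
    """Each AS states the worst exposure level it still treats as 'secure'."""
    name: str
    max_acceptable_exposure: str

def designate_client_type(reg: ClientRegistration, policy: AsPolicy) -> str:
    """Return 'confidential' or 'public' for this client under this AS's policy."""
    if reg.credential_exposure not in EXPOSURE_RANK:
        raise ValueError(f"unknown exposure level {reg.credential_exposure!r}")
    limit = EXPOSURE_RANK[policy.max_acceptable_exposure]
    return "confidential" if EXPOSURE_RANK[reg.credential_exposure] <= limit else "public"

def token_endpoint_relies_on_client_auth(reg: ClientRegistration, policy: AsPolicy) -> bool:
    """An AS should only treat client authentication as meaningful for
    clients it has designated confidential; for public clients the
    presented credential proves nothing about who is calling."""
    return designate_client_type(reg, policy) == "confidential"

def check_profile_rule(regs, policy: AsPolicy):
    """Apply the proposed profile rule 'all clients MUST be confidential' and
    return the client_ids this AS would have to reject under its own policy."""
    return [r.client_id for r in regs if designate_client_type(r, policy) == "public"]

# Constructed sample registrations and two differently strict AS policies.
SERVER = ClientRegistration("tv-portal", "server", "hsm_or_server_vault")
NATIVE_KEYSTORE = ClientRegistration("mobile-app-v2", "native_mobile", "per_install_keystore")
NATIVE_EMBEDDED = ClientRegistration("mobile-app-v1", "native_mobile", "embedded_in_binary")
STRICT_AS = AsPolicy("strict", "hsm_or_server_vault")
LENIENT_AS = AsPolicy("lenient", "per_install_keystore")
```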