The problem with using a client secret for trusted devices is that these secrets usually get extracted over time. For obvious reasons, I'd rather not get into the details, but there are many examples of devices whose secrets are not secret.
The motivation for deliberately excluding the client secret from the username/password profile was to prevent having the illusion that clients can be authenticated. I personally have no objection to adding a client secret to the username/password profile, however, as we've seen with OAuth, doing so will give the illusion that downloadable apps can be authenticated.

Allen

On 3/9/10 9:46 AM, "David Recordon" <record...@gmail.com> wrote:

> @Justin, there's a separate client key and secret profile for making
> requests not within the context of a given user.
>
> @Brian, I'm not focused on using this profile for DRM. Rather for
> trusted devices (ideally with TPM) which do not open web browsers
> (such as the XBox).
>
> --David
>
> On Tue, Mar 9, 2010 at 9:24 AM, Brian Eaton <bea...@google.com> wrote:
>> On Mon, Mar 8, 2010 at 10:33 PM, David Recordon <record...@gmail.com> wrote:
>>> Yes. I was agreeing with your point and suggesting that the profile
>>> have the client secret added to the request. :)
>>
>> Just so we're clear on use cases... is the primary use case here DRM,
>> verifying software on client machines?
>>
>> Or do folks want to use this for server-to-server calls?
>>
>> I am not an expert on DRM, but if we're going to try to do DRM in WRAP
>> I think we should
>> a) learn from prior experience
>> and
>> b) get experts involved to write that section of the spec
>> and
>> c) call it out as a separate use case and profile, so that people
>> don't get confused and misuse the spec in dangerous ways.
>>
>> Cheers,
>> Brian
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "OAuth WRAP WG" group.
>> To post to this group, send email to oauth-wrap...@googlegroups.com.
>> To unsubscribe from this group, send email to
>> oauth-wrap-wg+unsubscr...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/oauth-wrap-wg?hl=en.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
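The thread's core point is that a client secret baked into every copy of a downloadable app or device firmware is a shared value: once one copy's secret is extracted, the server cannot distinguish a genuine install from anyone else presenting the same secret, and the only remedy (rotating the secret) breaks every legitimate install at once. The following is an added illustration written for this page, not code from the WRAP specification or from any participant in the thread. It contrasts a token endpoint in the shared-secret style with one where each trusted device is provisioned its own key, so that a single device can be revoked. All users, client ids, device ids and secrets are constructed sample values; a per-device HMAC key stands in for the TPM-held signing key the thread alludes to, so that the example runs with the standard library alone.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: one resource owner and one "downloadable app" client id
# whose single secret is baked into every install.
USERS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}
CLIENTS = {"console-app": "shared-secret-baked-into-every-install"}


def _user_ok(username, password):
    """Verify the resource owner's password with a constant-time comparison."""
    stored = USERS.get(username, "")
    presented = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, presented)


# --- Model 1: username/password profile plus a shared client secret ------------

def shared_secret_token(username, password, client_id, client_secret):
    """Token endpoint that checks the user and the app-wide client secret.

    Returns an access token string, or None on failure. Every install presents
    the same client_secret, so the server learns nothing about which copy is
    calling: a genuine install and a copy of the extracted secret are identical.
    """
    if not _user_ok(username, password):
        return None
    expected = CLIENTS.get(client_id, "")
    if not hmac.compare_digest(expected, client_secret):
        return None
    return f"token:{username}@{client_id}"


def rotate_client_secret(client_id):
    """The only server-side remedy once a shared secret leaks: rotate it.

    This also locks out every legitimate install still carrying the old value,
    which is why a leaked shared secret cannot be revoked selectively.
    """
    CLIENTS[client_id] = secrets.token_urlsafe(24)
    return CLIENTS[client_id]


# --- Model 2: one key per trusted device (stand-in for a TPM-held key) --------
# Assumption for this example: each device receives its own key at provisioning
# and the server keeps a registry of those keys. A real TPM would hold an
# asymmetric private key and sign; an HMAC key per device is used here so the
# example runs offline with the standard library only.
DEVICE_KEYS = {}      # device_id -> key bytes (server-side registry)
REVOKED = set()       # device ids whose key has been revoked


def provision_device(device_id):
    """Generate and register a fresh key for one device; return it to the device."""
    key = secrets.token_bytes(32)
    DEVICE_KEYS[device_id] = key
    return key


def sign_request(device_key, device_id, username, ts):
    """Device side: bind the token request to this device and a timestamp."""
    msg = f"{device_id}|{username}|{ts}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def per_device_token(device_id, username, password, ts, signature,
                     now=None, max_skew=300):
    """Token endpoint that checks the user and a per-device signature.

    Because each device has its own key, a single compromised device can be
    revoked without touching any other device.
    """
    now = time.time() if now is None else now
    if device_id in REVOKED or device_id not in DEVICE_KEYS:
        return None
    if abs(now - ts) > max_skew:        # reject stale or replayed signatures
        return None
    if not _user_ok(username, password):
        return None
    expected = sign_request(DEVICE_KEYS[device_id], device_id, username, ts)
    if not hmac.compare_digest(expected, signature):
        return None
    return f"token:{username}@{device_id}"


def revoke_device(device_id):
    """Revoke exactly one device; all other devices keep working."""
    REVOKED.add(device_id)


if __name__ == "__main__":
    key = provision_device("console-0001")
    ts = int(time.time())
    sig = sign_request(key, "console-0001", "alice", ts)
    print(per_device_token("console-0001", "alice", "correct horse battery", ts, sig))
    revoke_device("console-0001")
    print(per_device_token("console-0001", "alice", "correct horse battery", ts, sig))
```

In the first model the server's only evidence about the client is the shared string, which is exactly the "illusion" the thread describes; in the second, the registry plus per-device revocation is what a TPM-backed device profile would buy, and the timestamp check is a minimal guard against replaying a captured signature.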