I'd rather support the client secret and document the hell out of the security considerations for the profile.
On Tue, Mar 9, 2010 at 10:57 AM, Allen Tom <a...@yahoo-inc.com> wrote:
> The problem with using a client secret for trusted devices is that these
> secrets usually get extracted over time. For obvious reasons, I'd rather not
> get into the details, but there are many examples of devices whose secrets
> are not secret.
>
> The motivation for deliberately excluding the client secret from the
> username/password profile was to prevent having the illusion that clients
> can be authenticated.
>
> I personally have no objection to adding a client secret to the
> username/password profile, however, as we've seen with OAuth, doing so will
> give the illusion that downloadable apps can be authenticated.
>
> Allen
>
>
> On 3/9/10 9:46 AM, "David Recordon" <record...@gmail.com> wrote:
>
>> @Justin, there's a separate client key and secret profile for making
>> requests not within the context of a given user.
>>
>> @Brian, I'm not focused on using this profile for DRM. Rather for
>> trusted devices (ideally with TPM) which do not open web browsers
>> (such as the XBox).
>>
>> --David
>>
>> On Tue, Mar 9, 2010 at 9:24 AM, Brian Eaton <bea...@google.com> wrote:
>>> On Mon, Mar 8, 2010 at 10:33 PM, David Recordon <record...@gmail.com> wrote:
>>>> Yes. I was agreeing with your point and suggesting that the profile
>>>> have the client secret added to the request. :)
>>>
>>> Just so we're clear on use cases... is the primary use case here DRM,
>>> verifying software on client machines?
>>>
>>> Or do folks want to use this for server-to-server calls?
>>>
>>> I am not an expert on DRM, but if we're going to try to do DRM in WRAP
>>> I think we should
>>> a) learn from prior experience
>>> and
>>> b) get experts involved to write that section of the spec
>>> and
>>> c) call it out as a separate use case and profile, so that people
>>> don't get confused and misuse the spec in dangerous ways.
>>>
>>> Cheers,
>>> Brian
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "OAuth WRAP WG" group.
>>> To post to this group, send email to oauth-wrap...@googlegroups.com.
>>> To unsubscribe from this group, send email to
>>> oauth-wrap-wg+unsubscr...@googlegroups.com.
>>> For more options, visit this group at
>>> http://groups.google.com/group/oauth-wrap-wg?hl=en.
>>>
>>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
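The point Allen and David go back and forth on above, that a client secret shipped inside a downloadable app or device can be extracted and therefore identifies the client without authenticating it, is easy to get wrong on the server side. The token endpoint sketch below is an added example, not code from the thread, the WRAP drafts or any of the participants. It assumes a registry that records how each client holds its secret (a "server" deployment keeps it on a host the provider trusts, a "device" deployment ships it in an app), treats a matching secret from a "device" client as identification only, and withholds scopes that should require a genuinely authenticated client. The wrap_* parameter names, the registry layout, the sample clients, users and secrets are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed client registry. "deployment" records whether the provider can
# rely on the secret ("server": kept on a host the provider trusts) or must
# assume it has leaked ("device": shipped inside a downloadable/embedded app),
# which is the concern raised in the thread.
CLIENT_REGISTRY = {
    "xbox-media-app": {"secret": "device-secret-EXAMPLE", "deployment": "device"},
    "partner-backend": {"secret": "server-secret-EXAMPLE", "deployment": "server"},
}

# Constructed user store: salted PBKDF2 hashes rather than plaintext passwords.
_SALT = b"example-salt"
_ROUNDS = 100_000
USER_STORE = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ROUNDS),
}

# Scopes that only a client whose secret is actually a credential may receive.
CONFIDENTIAL_ONLY_SCOPES = {"admin"}


def _password_ok(username, password):
    """Constant-time check of the user password; hashes even for unknown users
    so response timing does not reveal which usernames exist."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ROUNDS)
    stored = USER_STORE.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, candidate)


def classify_client(client_id, client_secret):
    """Return (identified, authenticated).

    identified:    the presented secret matches the registration, so the
                   request can be attributed to this client id for logging
                   and per-client rate limiting.
    authenticated: identified AND the deployment class means the secret can
                   be relied on as proof of the client's identity.
    """
    reg = CLIENT_REGISTRY.get(client_id)
    if reg is None:
        return False, False
    if not hmac.compare_digest(reg["secret"].encode(), client_secret.encode()):
        return False, False
    return True, reg["deployment"] == "server"


def issue_token(params):
    """Token endpoint for a username/password profile that also carries a
    client secret. params is the dict of form fields; returns either an
    error dict or the issued tokens plus the client classification."""
    client_id = params.get("wrap_client_id", "")
    identified, authenticated = classify_client(
        client_id, params.get("wrap_client_secret", ""))
    if not identified:
        return {"error": "invalid_client"}
    if not _password_ok(params.get("wrap_username", ""),
                        params.get("wrap_password", "")):
        return {"error": "invalid_user_credentials"}

    requested = set(params.get("wrap_scope", "").split())
    # A matching but possibly extracted secret never unlocks scopes reserved
    # for authenticated clients; the user's credentials decide the rest.
    granted = requested if authenticated else requested - CONFIDENTIAL_ONLY_SCOPES
    return {
        "wrap_access_token": secrets.token_urlsafe(32),
        "wrap_refresh_token": secrets.token_urlsafe(32),
        "wrap_scope": " ".join(sorted(granted)),
        "client_id": client_id,
        "client_authenticated": authenticated,
    }


if __name__ == "__main__":
    req = {"wrap_client_id": "xbox-media-app",
           "wrap_client_secret": "device-secret-EXAMPLE",
           "wrap_username": "alice", "wrap_password": "correct horse",
           "wrap_scope": "read admin"}
    print(issue_token(req))
```

The `client_authenticated` flag is what the rest of the server should key on when deciding whether a request "came from" a given client; for a "device" registration the secret buys attribution and rate limiting, nothing more, which is the distinction the thread says the profile should not blur.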