I'd rather support the client secret and document the hell out of the
security considerations for the profile.

On Tue, Mar 9, 2010 at 10:57 AM, Allen Tom <a...@yahoo-inc.com> wrote:
> The problem with using a client secret for trusted devices is that these
> secrets usually get extracted over time. For obvious reasons, I'd rather not
> get into the details, but there are many examples of devices whose secrets
> are not secret.
>
> The motivation for deliberately excluding the client secret from the
> username/password profile was to prevent having the illusion that clients
> can be authenticated.
>
> I personally have no objection to adding a client secret to the
> username/password profile, however, as we've seen with OAuth, doing so will
> give the illusion that downloadable apps can be authenticated.
>
> Allen
>
>
> On 3/9/10 9:46 AM, "David Recordon" <record...@gmail.com> wrote:
>
>> @Justin, there's a separate client key and secret profile for making
>> requests not within the context of a given user.
>>
>> @Brian, I'm not focused on using this profile for DRM.  Rather for
>> trusted devices (ideally with TPM) which do not open web browsers
>> (such as the XBox).
>>
>> --David
>>
>> On Tue, Mar 9, 2010 at 9:24 AM, Brian Eaton <bea...@google.com> wrote:
>>> On Mon, Mar 8, 2010 at 10:33 PM, David Recordon <record...@gmail.com> wrote:
>>>> Yes.  I was agreeing with your point and suggesting that the profile
>>>> have the client secret added to the request. :)
>>>
>>> Just so we're clear on use cases...  is the primary use case here DRM,
>>> verifying software on client machines?
>>>
>>> Or do folks want to use this for server-to-server calls?
>>>
>>> I am not an expert on DRM, but if we're going to try to do DRM in WRAP
>>> I think we should
>>> a) learn from prior experience
>>>   and
>>> b) get experts involved to write that section of the spec
>>>   and
>>> c) call it out as a separate use case and profile, so that people
>>> don't get confused and misuse the spec in dangerous ways.
>>>
>>> Cheers,
>>> Brian
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "OAuth WRAP WG" group.
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
