Thanks Igor. If you bring smartcards into the picture, then it's a different ballgame :)

If mobile phones are assumed to have smartcards (which is increasingly true today via USIMs), then OAuth can assume that native apps (running on the phones) may have access to a crypto-store. In this case the text in Section 9 of draft-16 would need changes/clarifications.

/thomas/

__________

> -----Original Message-----
> From: Igor Faynberg [mailto:igor.faynb...@alcatel-lucent.com]
> Sent: Thursday, June 02, 2011 3:31 PM
> To: Thomas Hardjono
> Cc: Torsten Lodderstedt; OAuth WG
> Subject: Re: [OAUTH-WG] review of draft-ietf-oauth-v2-16
>
> Actually, for the devices that use smart cards (mobile devices, in
> particular), this assumption is quite appropriate.
>
> Igor
>
> Thomas Hardjono wrote:
> > ....
> > ...
> >
> > However, there is indeed the assumption in Kerberos/RFC4120 (and in
> > the original Needham-Schroeder protocol) that the "client" can keep
> > secrets.
> >
> > /thomas/
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
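The exchange above turns on whether a native-app client can keep a secret, which is what the OAuth 2.0 confidential/public client distinction encodes. The following is an added example, not code from the thread, from the OAuth drafts, or from any of the participants: a token-endpoint client-authentication check that refuses to rely on credentials for public clients, and shows what a native app gains when it does have a crypto-store such as a USIM, namely that the key never leaves the store and only a MAC over a server challenge is sent. The HMAC challenge-response scheme, the `CryptoStore` stand-in, the client names and all sample data are constructed for illustration; draft-16 specifies no such mechanism.

```python
"""Added example: confidential vs. public client authentication at a token
endpoint, with a smartcard-style key store for the confidential case.
Names, the challenge-response scheme and all data are constructed."""
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Client:
    client_id: str
    client_type: str          # "confidential" or "public" (OAuth 2.0 client types)
    key: Optional[bytes]      # registered symmetric key; None for public clients


class CryptoStore:
    """Stand-in for a smartcard/USIM key store (hypothetical): the key is
    write-only from the application's point of view; only MAC computation
    over a challenge is exposed, so the app never holds the raw key."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def mac(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


def register_client(client_id: str, client_type: str,
                    key: Optional[bytes] = None) -> Client:
    if client_type == "public":
        if key is not None:
            # A key shipped inside a public client is recoverable by anyone who
            # unpacks the app, so the server must not rely on it: do not issue one.
            raise ValueError("public clients are not issued credentials")
        return Client(client_id, "public", None)
    if client_type != "confidential" or not key:
        raise ValueError("confidential clients require a registered key")
    return Client(client_id, "confidential", key)


def issue_challenge() -> bytes:
    """Fresh per-request challenge so a captured response cannot be replayed."""
    return secrets.token_bytes(32)


def authenticate_client(registry: Dict[str, Client], client_id: str,
                        challenge: bytes, response: Optional[bytes]) -> str:
    """Return "confidential" when the client proved possession of its key,
    "public" when it is a known public client (identified, not authenticated).
    Raise PermissionError("invalid_client") otherwise."""
    client = registry.get(client_id)
    if client is None:
        raise PermissionError("invalid_client")
    if client.client_type == "public":
        # Nothing a public client presents proves its identity; the server
        # identifies it by client_id only and grants no secret-based trust.
        return "public"
    if response is None:
        raise PermissionError("invalid_client")
    expected = hmac.new(client.key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):   # constant-time comparison
        raise PermissionError("invalid_client")
    return "confidential"


def demo() -> Dict[str, str]:
    """Constructed scenario: one native app with a USIM-backed key, one without."""
    usim_key = secrets.token_bytes(32)   # in reality provisioned into the USIM
    registry = {
        c.client_id: c for c in (
            register_client("native-app-with-usim", "confidential", usim_key),
            register_client("native-app-plain", "public"),
        )
    }
    store = CryptoStore(usim_key)        # the app only ever calls store.mac()
    challenge = issue_challenge()
    return {
        "with_usim": authenticate_client(registry, "native-app-with-usim",
                                         challenge, store.mac(challenge)),
        "plain": authenticate_client(registry, "native-app-plain", challenge, None),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the `CryptoStore` split is that the authorization server's trust in the confidential client rests on the key staying inside the store; without such a store, the same native app has to be treated as `public`, which is exactly the case the draft's Section 9 describes.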