As far as the authentication goes, what I had in mind was that the network
provider could authenticate the end-user. Alternatively, an application
(not necessarily the USIM) on the smart card could hold the secret and
perform all cryptographic operations (what Thomas calls crypto-store).
In either case, only the provider and the card would share the secret.
Igor
Torsten Lodderstedt wrote:
In my opinion, the problem with client authentication is more the
secure distribution of the secret than the storage. How should a USIM
help here?
regards,
Torsten.
Thomas Hardjono <hardj...@mit.edu> wrote:
Thanks Igor,
If you bring smartcards into the picture, then it's a different
ballgame :)
If mobile phones are assumed to have smartcards (which is increasingly
true today via USIMs), then OAUTH can assume that native apps (running
on the phones) may have access to crypto-store. In this case the text
in Section 9 of draft-16 would need changes/clarifications.
/thomas/
__________
> -----Original Message-----
> From: Igor Faynberg [mailto:igor.faynb...@alcatel-lucent.com]
> Sent: Thursday, June 02, 2011 3:31 PM
> To: Thomas Hardjono
> Cc: Torsten Lodderstedt; OAuth WG
> Subject: Re: [OAUTH-WG] review of draft-ietf-oauth-v2-16
>
> Actually, for the devices that use smart cards (mobile devices, in
> particular), this assumption is quite appropriate.
> Igor
>
> Thomas Hardjono wrote:
> >> ....
> > ...
> >
> > However, there is indeed the assumption in Kerberos/RFC4120 (and in
> > the original Needham-Schroeder protocol) that the "client" can keep
> > secrets.
> >
> > /thomas/
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth