> If you aren't willing to accept the risk of native apps that can't keep > secrets, don't support such apps.
We continue to say "can't keep secrets". I think what we mean is "can't keep secrets that are embedded in the code". One could imagine an install-time, leap-of-faith binding to a remotely received secret, via some on-line registration process, that the native app asks the operating system to store for it securely. The user can make an assertion of trust in the validity of the app that he/she has downloaded and is subsequently installing. Of course, that initial faith might be misplaced, but that's true of almost all user-installable software, even that received on physical media. If browsers are trusted to store secrets securely, then that same capability is available to native apps.

Regards,
Dave

David B. Nelson
Sr. Software Architect
Elbrys Networks, Inc.
www.elbrys.com
+1.603.570.2636

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
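As an added illustration of the install-time binding the post describes (this is not part of the original message, and the class and parameter names are invented for the example), the following Python sketch simulates a per-install registration step: the binary ships only a non-secret software identifier, each install obtains its own client_id/client_secret from a registration endpoint, and the secret is kept in a stand-in for the operating system's secret store rather than in code. The store and the authorization server are in-memory stand-ins constructed here; a real app would call the platform keychain API and a real registration endpoint.

```python
import secrets
import hmac


class OsSecretStore:
    """Stand-in for an OS-provided secret store (Keychain, Credential Manager).
    Constructed for this example only; a real app would use the platform API."""

    def __init__(self):
        self._items = {}

    def put(self, name, value):
        self._items[name] = value

    def get(self, name):
        return self._items.get(name)


class AuthorizationServer:
    """Minimal registration endpoint: every install gets its own client_id and
    client_secret, held only on the server and in that install's secret store."""

    def __init__(self):
        self._clients = {}  # client_id -> client_secret

    def register(self, software_id):
        client_id = f"{software_id}-{secrets.token_hex(8)}"
        client_secret = secrets.token_urlsafe(32)
        self._clients[client_id] = client_secret
        return client_id, client_secret

    def revoke(self, client_id):
        # Revoking one install's credentials leaves every other install untouched.
        self._clients.pop(client_id, None)

    def authenticate(self, client_id, client_secret):
        expected = self._clients.get(client_id)
        if expected is None or client_secret is None:
            return False
        return hmac.compare_digest(expected, client_secret)


class NativeApp:
    # Shipped inside the binary; an identifier, not a secret. (Hypothetical value.)
    SOFTWARE_ID = "example-native-app"

    def __init__(self, server, store):
        self.server = server
        self.store = store

    def install(self):
        # Leap-of-faith binding at install time: register once and hand the
        # result to the OS secret store. Nothing secret is embedded in the code.
        client_id, client_secret = self.server.register(self.SOFTWARE_ID)
        self.store.put("oauth_client_id", client_id)
        self.store.put("oauth_client_secret", client_secret)

    def client_id(self):
        return self.store.get("oauth_client_id")

    def prove_identity(self):
        # At token-request time the secret is read back from the store.
        return self.server.authenticate(
            self.store.get("oauth_client_id"),
            self.store.get("oauth_client_secret"),
        )


def demo():
    """Two installs of the same binary, each with its own secret store."""
    server = AuthorizationServer()
    install_a = NativeApp(server, OsSecretStore())
    install_a.install()
    install_b = NativeApp(server, OsSecretStore())
    install_b.install()
    return server, install_a, install_b


if __name__ == "__main__":
    server, a, b = demo()
    print("A authenticates:", a.prove_identity())
    print("B authenticates:", b.prove_identity())
    print("distinct client ids:", a.client_id() != b.client_id())
```

The point the simulation makes is that a secret recovered from one install's store is only that install's secret: it does not authenticate as any other install, and revoking it does not disturb the others, which is the property an embedded, shared secret cannot offer.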