[WG-UMA] Draft minutes of UMA telecon 2010-07-22

Holodnik, Tom Tom_Holodnik at intuit.com
Fri Jul 23 12:51:26 EDT 2010

I had a minor note about the minutes that Eve prepared (to clarify a question I raised).

Tom asks whether a native app on, say, a phone, representing a unique instance of an application should get different credentials from the same kind of native app running on a different phone. George suspects that the best way to go is to give each instance different credentials.

What I was after was whether the same software running on different machines, running on behalf of the same user (or the same group of people, like a business) should get the same client ID and secret or whether it needed to be unique.  George (rightly, in my opinion) said that it must be unique.

The impact of this is that if Alice grants permissions to Bob to access her resources using Application A, that access is extended to Bob, running an instance of Application A on one of his machines (any or all of which is running Application A). This seems like something that would have some usability or operational impact that we might want to be explicit about.

Lacking this, it seems there would be significant risks from brute forcing and spoofing.

My intention was to expand on what we mean about uniquely identifying an application.


Tom Holodnik  -  Security Architect – Intuit Inc.  -   Office: 650-944-5494  -  Mobile: 650-387-6574

More information about the WG-UMA mailing list