[WG-UMA] Draft minutes of UMA telecon 2010-07-22

George Fletcher george.fletcher at teamaol.com
Fri Jul 23 14:26:47 EDT 2010

Great clarifications! There are really two issues at stake (I think).

1. What is used to secure transactions from the client to the AS, and 
how is that unique instance identified.

2. What is used to identify the application (not the instance) as that 
is more likely what the persons in the flow expect. Of course, there is 
then the security issues with identifying the class vs the instance.

I was really only focusing on #1 with my suggesting that the client 
credentials should be unique per instance.


On 7/23/10 12:51 PM, Holodnik, Tom wrote:
> I had a minor note about the minutes that Eve prepared (to clarify a question I raised).
> Tom asks whether a native app on, say, a phone, representing a unique instance of an application should get different credentials from the same kind of native app running on a different phone. George suspects that the best way to go is to give each instance different credentials.
> What I was after was whether the same software running on different machines, running on behalf of the same user (or the same group of people, like a business) should get the same client ID and secret or whether it needed to be unique.  George (rightly, in my opinion) said that it must be unique.
> The impact of this is that if Alice grants permissions to Bob to access her resources using Application A, that access is extended to Bob, running an instance of Application A on one of his machines (any or all of which is running Application A). This seems like something that would have some usability or operational impact that we might want to be explicit about.
> Lacking this, it seems there would be significant risks from brute forcing and spoofing.
> My intention was to expand on what we mean about uniquely identifying an application.
> Thanks,
> -tom
> Tom Holodnik  -  Security Architect – Intuit Inc.  -   Office: 650-944-5494  -  Mobile: 650-387-6574
> _______________________________________________
> WG-UMA mailing list
> WG-UMA at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-uma
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://kantarainitiative.org/pipermail/wg-uma/attachments/20100723/cfb5e8c6/attachment.html 

More information about the WG-UMA mailing list