[WG-UMA] Draft minutes of UMA telecon 2010-07-22

Christian Scholz cs at comlounge.net
Fri Jul 23 16:47:19 EDT 2010


On 23.07.10 20:44, Bill Smith wrote:
> I suspect there are scenarios where it will be desirable to disable
> access from certain devices:
> 
>     * a lost/stolen phone/computer, etc,
>     * any device outside a physical LAN (at times of elevated risk), and
>     * add your favorites here.

Well, you can for case 1 by revoking your access token and creating a new
one for your other/new devices. As for the other cases, I think we shouldn't
try to solve more than OAuth tries to solve, esp. given the fact that
this registration I-D is only supposed to be a small part of our work ;-)

-- Christian

> 
> On Jul 23, 2010, at 11:40 AM, Christian Scholz wrote:
> 
>> Hi!
>>
>> On 23.07.10 18:51, Holodnik, Tom wrote:
>>>
>>> I had a minor note about the minutes that Eve prepared (to clarify a
>>> question I raised).
>>>
>>> Tom asks whether a native app on, say, a phone, representing a unique
>>> instance of an application should get different credentials from the
>>> same kind of native app running on a different phone. George suspects
>>> that the best way to go is to give each instance different
>>> credentials.
>>
>> So why is that necessary? It is in fact the same app but different
>> instances, and it's just the first step before authorizing the user, in
>> which case the individual app instance is then authorized.
>>
>> And as in OAuth today there is also no requirement (and it's not
>> possible anyway) to register each device.
>>
>> my .02€
>>
>> -- Christian
>>
>>
>>> What I was after was whether the same software running on different
>>> machines, running on behalf of the same user (or the same group of
>>> people, like a business) should get the same client ID and secret or
>>> whether it needed to be unique. George (rightly, in my opinion) said
>>> that it must be unique.
>>>
>>> The impact of this is that if Alice grants permissions to Bob to
>>> access her resources using Application A, that access is extended to
>>> Bob, running an instance of Application A on one of his machines (any
>>> or all of which is running Application A). This seems like something
>>> that would have some usability or operational impact that we might
>>> want to be explicit about.
>>>
>>> Lacking this, it seems there would be significant risks from brute
>>> forcing and spoofing.
>>>
>>> My intention was to expand on what we mean about uniquely identifying
>>> an application.
>>>
>>> Thanks, -tom
>>>
>>>
>>> Tom Holodnik  -  Security Architect – Intuit Inc.  -   Office:
>>> 650-944-5494  -  Mobile: 650-387-6574
>>>


-- 
Christian Scholz                          Homepage: http://comlounge.net
COM.lounge GmbH                                    http://mrtopf.de/blog
Hanbrucher Str. 33                             http://twitter.com/mrtopf
52064 Aachen                                             Skype: HerrTopf
Tel: +49 241 400 730 0                                  cs at comlounge.net
Fax: +49 241 979 00 850                                      IRC: MrTopf

Podcasts:
Der OpenWeb-Podcast (http://openwebpodcast.de)
Data Without Borders (http://datawithoutborders.net)
Political: http://politfunk.de/
Technical: http://comlounge.tv/
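The "case 1" point at the top of this reply (a lost phone is handled by revoking that device's token and issuing a new one), shown as an added example that is not part of the thread or of any UMA/OAuth implementation. It is a toy authorization-server registry in which every app instance (the same native app on two different phones) holds its own token; `instance_id` and the sample users are assumed names.

```python
# Added example, not from the WG-UMA thread: per-instance access tokens let
# one lost device be cut off while the user's other devices keep working.
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    instance_id: str   # assumed: opaque id for one installed copy of the app
    user: str
    revoked: bool = False


class TokenRegistry:
    """Authorization-server side view of issued bearer tokens."""

    def __init__(self):
        # sha256(token) -> TokenRecord; the raw token is never stored server-side
        self._by_hash = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, instance_id):
        """Mint a fresh token bound to exactly one app instance."""
        token = secrets.token_urlsafe(32)
        self._by_hash[self._key(token)] = TokenRecord(instance_id, user)
        return token

    def revoke_instance(self, user, instance_id):
        """Lost/stolen device: revoke only that instance's live tokens."""
        hit = 0
        for rec in self._by_hash.values():
            if rec.user == user and rec.instance_id == instance_id and not rec.revoked:
                rec.revoked = True
                hit += 1
        return hit   # number of tokens revoked; 0 means nothing matched

    def validate(self, token):
        """Return the record for a live token, None for unknown/revoked ones."""
        rec = self._by_hash.get(self._key(token))
        return None if rec is None or rec.revoked else rec


def demo():
    # Constructed scenario: Alice loses phone-1, keeps her laptop, buys phone-2.
    reg = TokenRegistry()
    phone, laptop = reg.issue("alice", "phone-1"), reg.issue("alice", "laptop-1")
    reg.revoke_instance("alice", "phone-1")
    new_phone = reg.issue("alice", "phone-2")
    return (reg.validate(phone) is None,          # old phone locked out
            reg.validate(laptop) is not None,     # laptop untouched
            reg.validate(new_phone) is not None)  # replacement works
```

Had all of Alice's instances shared one token, the same revocation would have logged out the laptop as well, which is the operational cost of shared credentials that Tom's note alludes to.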
