[WG-UMA] Notes from 28 July 2010 focus meeting
eve at xmlgrrl.com
Wed Jul 28 13:38:46 EDT 2010
Here's my understanding; others please jump in.
On 28 Jul 2010, at 10:17 AM, George Fletcher wrote:
> Just to make sure I understand, here are some key decisions... are these correct?
> 1. The connection between the invoking client and the url they provide is being left out-of-scope.
For the web-server client case, it's not out of scope; the two URLs need to be compared to validate the provided URL.
> 2. "Pull" is preferred over "push" (due to the issues with securing the data in the "push" model)
It's preferred but we couldn't leave out "push" entirely because of the web-server client behind the firewall.
> 3. The key to verify signed pushed metadata SHOULD be present in the XRD "pulled" via the supplied URL (otherwise sig verification will fail)
Funny, I was just getting to that point in the dyn reg draft that I'm editing right now... I went into this morning's meeting with the assumption that we could specify precisely this method, but left the meeting with the understanding that we should hand-wave and not even say this. However, I'd rather document as much of the "distance" to signature verification as possible, and since the OpenID Artifact Binding (for one) already goes here, I think we could too. Thoughts?
> 1. Do we need to draw a distinction between app instance registration and app "class" registration? Or another way to think about it is, should the AS give out the same client_id and client_secret to any app that registers with a given app "class". For example, any app providing a URL for the iphone photo app will get that app's client id and secret?
There seemed like general agreement that even though the unitary server-side ("cloud") portion of a class of native apps would have to get involved in the client registration process, unique credentials should still be issued for every instance of a deployed native app. Thus, every instance would have to register separately.
We left the meeting thinking that both Maciej's "client-initiated" and Domenico's "cloud-initiated" flows (for lack of better terms...) for dynamic registration of a native app were viable. I figured I could present them both in the doc and we could ask for input, or we might learn more and thereafter pick one option before submitting the I-D.
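The "pull to verify push" rule from point 3, as an added Go example that is not from the thread or any UMA draft: the AS fetches the XRD at the client-supplied URL, checks that the XRD's Subject is that same URL (the comparison from point 1), and verifies the pushed signature with the key the XRD publishes, refusing when no key is there. The `<Key>` element, the `fetch` callback standing in for the HTTP GET, and the sample metadata are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
)

// Subset of the XRD read here. Publishing the key in a <Key> element is an
// assumption for this example; the thread only says it SHOULD be in the XRD.
type xrd struct {
	Subject string `xml:"Subject"`
	Key     string `xml:"Key"` // base64 Ed25519 public key (assumed element)
}

// VerifyPushed: the client pushed its URL, metadata and a signature. The AS
// pulls the XRD at that URL, checks the Subject matches, and verifies the
// signature with the published key. fetch stands in for the HTTP GET.
func VerifyPushed(clientURL string, metadata, sig []byte, fetch func(string) ([]byte, error)) error {
	doc, err := fetch(clientURL)
	if err != nil {
		return err
	}
	var d xrd
	if err := xml.Unmarshal(doc, &d); err != nil {
		return err
	}
	if d.Subject != clientURL {
		return errors.New("XRD Subject does not match the URL the client supplied")
	}
	// An absent or malformed key means the pushed signature cannot be checked.
	key, err := base64.StdEncoding.DecodeString(d.Key)
	if err != nil || len(key) != ed25519.PublicKeySize {
		return errors.New("pulled XRD carries no usable verification key")
	}
	if !ed25519.Verify(ed25519.PublicKey(key), metadata, sig) {
		return errors.New("pushed signature does not verify against the pulled key")
	}
	return nil
}

// MakeXRD builds a constructed XRD that names subject and publishes pub.
func MakeXRD(subject string, pub ed25519.PublicKey) []byte {
	return []byte(`<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Subject>` + subject + `</Subject><Key>` + base64.StdEncoding.EncodeToString(pub) + `</Key></XRD>`)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed client key pair
	meta := []byte(`{"client_name":"photo app"}`)
	fetch := func(u string) ([]byte, error) { return MakeXRD(u, pub), nil }
	fmt.Println(VerifyPushed("https://client.example/xrd", meta, ed25519.Sign(priv, meta), fetch))
}
```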