On Thu, Jun 2, 2011 at 12:17 PM, Thomas Hardjono <[email protected]> wrote:
> (a) OAuth 2.0 today is designed for low-assurance environments. So I think
> the WG is wasting a lot of time in trying to address whether the Client can
> keep secrets. The WG should just assume that the problem of keeping secrets
> is out of scope for OAuth. Unless we are trying to address high-assurance
> environments (and start talking about smartcards, HSMs, TPMs, trusted
> execution, trusted boot, etc.), I think the WG should just move on.
>

In terms of support for things like HSMs, check out this web site:
https://sites.google.com/site/oauthgoog/authenticate-google-app-engine-app

I agree with you that the working group should probably move on from the topic of keeping secrets in native apps, because what we say on this topic is not going to change industry practice at all. But it is important that the protocol support higher-security environments where secrets really are secrets. That's an area where protocol changes do have an impact on industry practice, and we should be careful not to screw it up.
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
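The distinction drawn in the reply above, between a client that cannot keep a secret and a deployment where the secret really is a secret, comes down to what the authorization server has to store. The following Go program is an added illustration, not code from the thread, the OAuth working group, or the linked Google page. It contrasts a shared client_secret check (both sides hold the same bytes, so a secret shipped inside a native-app binary is effectively public) with a signed client assertion, where the client's private key can live in an HSM or TPM and the server enrols only the public key. The claim names, the client_id, the token endpoint URL and the fixed clock value are all made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// CheckClientSecret is the shared-secret (client_secret) model: the client and
// the authorization server both hold the same bytes. Anyone who extracts the
// secret from a shipped native-app binary can authenticate as that client, and
// the server's stored copy is a second target.
func CheckClientSecret(stored, presented []byte) bool {
	return subtle.ConstantTimeCompare(stored, presented) == 1
}

// Assertion is the statement a client signs instead of presenting a shared
// secret. The field names are chosen for this example; they are not a
// standard claim set.
type Assertion struct {
	Issuer   string `json:"iss"` // the client_id
	Audience string `json:"aud"` // the token endpoint this assertion is for
	Expiry   int64  `json:"exp"` // unix seconds after which it is invalid
	JTI      string `json:"jti"` // unique id so the server can refuse replays
}

// NewClientKey generates the client's signing key. In a high-assurance
// deployment this key would be created inside an HSM or TPM and only the
// public half would ever leave it; the server enrols the public key only.
func NewClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// assertionDigest hashes the canonical encoding of the assertion. encoding/json
// emits struct fields in declaration order, so client and server hash the
// same bytes.
func assertionDigest(a Assertion) ([]byte, error) {
	b, err := json.Marshal(a)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(b)
	return sum[:], nil
}

// SignAssertion is the client side. Only the holder of the private key can
// produce the signature; the server never needs that key.
func SignAssertion(priv *ecdsa.PrivateKey, a Assertion) ([]byte, error) {
	digest, err := assertionDigest(a)
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest)
}

// VerifyAssertion is the server side. It holds only the client's public key,
// checks that the assertion was meant for it and is still fresh, and records
// the jti so the same signed assertion cannot be presented twice.
func VerifyAssertion(pub *ecdsa.PublicKey, a Assertion, sig []byte, now int64, expectedAud string, seen map[string]bool) bool {
	if a.Audience != expectedAud || a.Expiry <= now || a.JTI == "" {
		return false
	}
	digest, err := assertionDigest(a)
	if err != nil || !ecdsa.VerifyASN1(pub, digest, sig) {
		return false
	}
	if seen[a.JTI] {
		return false // replay of an otherwise valid assertion
	}
	seen[a.JTI] = true
	return true
}

func main() {
	priv, err := NewClientKey()
	if err != nil {
		panic(err)
	}
	const tokenEndpoint = "https://as.example/token" // illustrative URL
	now := int64(1700000000)                          // fixed clock for the demo
	a := Assertion{Issuer: "example-client", Audience: tokenEndpoint, Expiry: now + 60, JTI: "req-0001"}
	sig, err := SignAssertion(priv, a)
	if err != nil {
		panic(err)
	}
	seen := map[string]bool{}
	fmt.Println("first presentation accepted:", VerifyAssertion(&priv.PublicKey, a, sig, now, tokenEndpoint, seen))
	fmt.Println("replay accepted:", VerifyAssertion(&priv.PublicKey, a, sig, now, tokenEndpoint, seen))
	fmt.Println("shared secret matches:", CheckClientSecret([]byte("s3cret"), []byte("s3cret")))
}
```

The point of the split is that a protocol which only offers the first path forces every confidential client to have an extractable secret somewhere, while the second path lets the signing operation happen inside whatever hardware the deployment trusts without the server ever holding anything that needs protecting beyond integrity.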
