In my opinion, the problem with client authentication is more the secure distribution of the secret than the storage. How should a USIM help here?
regards,
Torsten.

Thomas Hardjono <[email protected]> wrote:

Thanks Igor,

If you bring smartcards into the picture, then it's a different ballgame :)

If mobile phones are assumed to have smartcards (which is increasingly true today via USIMs), then OAUTH can assume that native apps (running on the phones) may have access to crypto-store. In this case the text in Section 9 of draft-16 would need changes/clarifications.

/thomas/

__________

> -----Original Message-----
> From: Igor Faynberg [mailto:[email protected]]
> Sent: Thursday, June 02, 2011 3:31 PM
> To: Thomas Hardjono
> Cc: Torsten Lodderstedt; OAuth WG
> Subject: Re: [OAUTH-WG] review of draft-ietf-oauth-v2-16
>
> Actually, for the devices that use smart cards (mobile devices, in
> particular), this assumption is quite appropriate.
>
> Igor
>
> Thomas Hardjono wrote:
> >> ....
> > ...
> >
> > However, there is indeed the assumption in Kerberos/RFC4120 (and in
> > the original Needham-Schroeder protocol) that the "client" can keep
> > secrets.
> >
> > /thomas/
> >
> >
> > _____________________________________________
> >
> >
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
