Got it. End-user authentication via USIM is indeed secure (and convenient).
regards,
Torsten.

Igor Faynberg <[email protected]> wrote:

As far as the authentication goes, what I had in mind was that the network provider could authenticate the end-user. Alternatively, an application (not necessarily the USIM) on the smart card could hold the secret and perform all cryptographic operations (what Thomas calls crypto-store). In either case, only the provider and the card would share the secret.

Igor

Torsten Lodderstedt wrote:
> in my opinion, the problem with client authentication is more the
> secure distribution of the secret than the storage. How should a USIM
> help here?
>
> regards,
> Torsten.
>
> Thomas Hardjono <[email protected]> wrote:
>
> Thanks Igor,
>
> If you bring smartcards into the picture, then it's a different
> ballgame :)
>
> If mobile phones are assumed to have smartcards (which is increasingly
> true today via USIMs), then OAUTH can assume that native apps (running
> on the phones) may have access to crypto-store. In this case the text
> in Section 9 of draft-16 would need changes/clarifications.
>
> /thomas/
>
> __________
>
> > -----Original Message-----
> > From: Igor Faynberg [mailto:[email protected]]
> > Sent: Thursday, June 02, 2011 3:31 PM
> > To: Thomas Hardjono
> > Cc: Torsten Lodderstedt; OAuth WG
> > Subject: Re: [OAUTH-WG] review of draft-ietf-oauth-v2-16
> >
> > Actually, for the devices that use smart cards (mobile devices, in
> > particular), this assumption is quite appropriate.
> >
> > Igor
> >
> > Thomas Hardjono wrote:
> > >> ....
> > > ...
> > >
> > > However, there is indeed the assumption in Kerberos/RFC4120 (and in
> > > the original Needham-Schroeder protocol) that the "client" can keep
> > > secrets.
> > >
> > > /thomas/
> > >
> > > _____________________________________________
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
