<div dir="ltr">+1 That's much better. </div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/11/7 Anthony Nadalin <span dir="ltr"><<a href="mailto:tonynad@microsoft.com" target="_blank">tonynad@microsoft.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm OK with your suggested text<br>
<div class="HOEnZb"><div class="h5"><br>
-----Original Message-----<br>
From: John Bradley [mailto:<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>]<br>
Sent: Thursday, November 7, 2013 11:32 AM<br>
To: Anthony Nadalin<br>
Cc: Justin P. Richer; Torsten Lodderstedt; Openid-specs Ab<br>
Subject: Re: [Openid-specs-ab] Review Comments on Dyn Reg<br>
<br>
The high level goal is that an attacker who knows some number of client_id and client secret pairs cannot guess what the client secret for other clieent_id are.<br>
<br>
Someone could do something like have randomly generated client_id and use the same random value as the secret. That would be unique and random but not secure.<br>
Another could XOR the client_id with some static value to produce the secret. That works until and attacker can get two client_id and there secrets and reverse out the key.<br>
<br>
The simple wording is don't do stupid things to create the client secret.<br>
<br>
Perhaps something like client_secrets need to be generated in a manner to have them be unguessable by an attacker who has access to other client_id and secrets generated by the AS.<br>
<br>
John B.<br>
<br>
On Nov 7, 2013, at 9:17 AM, Anthony Nadalin <<a href="mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>> wrote:<br>
<br>
> There should be no requirement that the secret be tied to the client_id, this is an implementation choice on how authentication is done<br>
><br>
> -----Original Message-----<br>
> From: <a href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a>] On Behalf Of Richer, Justin P.<br>
> Sent: Thursday, November 7, 2013 9:01 AM<br>
> To: Torsten Lodderstedt<br>
> Cc: Openid-specs Ab<br>
> Subject: Re: [Openid-specs-ab] Review Comments on Dyn Reg<br>
><br>
><br>
> On Nov 7, 2013, at 8:03 AM, Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a>><br>
> wrote:<br>
><br>
>> Hi,<br>
>><br>
>>>>> client_secret - "This MUST be unique for each client_id." - why<br>
>>>>> must the client secret be _unique_? This seems to be a rather hard requirement.<br>
>>>> +1 on that<br>
>>> If you're handing out client secrets that aren't uniquely tied to<br>
>>> client_ids, then you're going to end up with problems as some of your<br>
>>> dynamically registered clients are going to be able to more easily<br>
>>> impersonate each other. Normally this is a sufficiently random blob,<br>
>>> but it can be a signed blob or something else of that nature, too.<br>
>>> You can of course use credentials other than a client secret.<br>
>><br>
>> Client secrets must indeed be tight to client_ids. But as I read the text it requires the OP to issue secrets, which are unique over _all_ client secrets. This is more challenging than "sufficiently random" as it prohibits any duplicates/collisions.<br>
><br>
> OK, I can buy that, though I think it's a bit of an arbitrary distinction. So if you've got a suggestion for more exact specification of this principle, please provide better text. (I'll make sure to copy it to the OAuth draft too.)<br>
><br>
> -- Justin<br>
> _______________________________________________<br>
> Openid-specs-ab mailing list<br>
> <a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
> _______________________________________________<br>
> Openid-specs-ab mailing list<br>
> <a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div>