[Openid-specs-heart] Pulling out Native Apps

[Justin Richer]

From a conversation in our sister iGov working group, we think there might be a gap in the current client descriptions in HEART. Namely, native applications aren’t called out as being separate from web-based clients. Newer techniques like PKCE can allow native apps to connect more securely without per-instance registration, and software statements are going to be particularly important for these clients as well. There’s some question as to how we’ll manage key registration here, since we don’t want to encourage packing the same private key in a million copies of a piece of software. 

What we’re proposing is that we separate out recommendations and requirements for native apps (and desktop apps) as a fourth category alongside the current “full app”, “in-browser app”, and “batch-process app” categories.

Note that we’re not proposing, at this time, relaxing the requirement that the AS make dynamic registration available.

 — Justin