<div dir="ltr">To translate for the less technical among us...<div><br></div><div>While it was once common (and it may still be) for software app publishers to use the simple "clone" approach in giving each user their own copy of an app, technological advances have made it possible to ensure that every copy of an app can register for its own unique credentials, and our profile can and should take advantage of forcing this more secure method.</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr">
<p><b>Eve Maler<br></b>ForgeRock Office of the CTO | VP Innovation & Emerging Technology<br>Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl<br>Join our <a href="http://forgerock.org/openuma/" target="_blank">ForgeRock.org OpenUMA</a> community!</p></div></div></div></div></div>
<br><div class="gmail_quote">On Sat, Nov 28, 2015 at 6:01 PM, John Bradley <span dir="ltr"><<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Yes it probably should be separate instances of client software. I don’t know that “of a given piece” adds much to the sentence. <div><br></div><div>OAuth 2 allows for non confidential clients to use the code flow. The client credential is optional. This is not as secure as it would be with a confidential client.</div><div><br></div><div>We now have the PKCE extension for OAuth that improves the security for non confidential clients using code flow, but that has become a RFC only after this profile was created.</div><div><br></div><div>This profile is forcing every client instance to dynamically register (3) so that it has it’s own asymmetric key pair provisioned. </div><div><br></div><div>I think that is fine for this profile.</div><div><br></div><div>John B.</div><div><div class="h5"><div><br></div><div><br></div><div><br></div><div><div><div><blockquote type="cite"><div>On Nov 28, 2015, at 1:34 PM, Eve Maler <<a href="mailto:eve.maler@forgerock.com" target="_blank">eve.maler@forgerock.com</a>> wrote:</div><br><div><div dir="ltr">An example could go a long way here. The usual concern is that a mobile application has been assigned client credentials "at the factory", and every copy ("instance") downloaded at the App Store carries the exact same credentials -- that is, it's a kind of clone. 
(I'm writing this without having looked at the phrase in context, so I'm not sure if that's what was meant...)</div><div class="gmail_extra"><br clear="all"><div><div><div dir="ltr"><div><div dir="ltr"><p><b>Eve Maler<br></b>ForgeRock Office of the CTO | VP Innovation & Emerging Technology<br>Cell <a href="tel:%2B1%20425.345.6756" value="+14253456756" target="_blank">+1 425.345.6756</a> | Skype: xmlgrrl | Twitter: @xmlgrrl<br>Join our <a href="http://forgerock.org/openuma/" target="_blank">ForgeRock.org OpenUMA</a> community!</p></div></div></div></div></div>
<br><div class="gmail_quote">On Sat, Nov 28, 2015 at 12:29 AM, Danny van Leeuwen <span dir="ltr"><<a href="mailto:danny@health-hats.com" target="_blank">danny@health-hats.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="margin:0in;line-height:21pt"><a href="http://openid.bitbucket.org/HEART/openid-heart-oauth2.html#rfc.section.2.1.1" target="_blank"><span style="font-weight:bold;font-family:verdana;font-size:14pt">2.1.1.</span></a><span style="font-weight:bold;font-family:verdana;font-size:14pt"> </span><a href="http://openid.bitbucket.org/HEART/openid-heart-oauth2.html#FullClient" target="_blank"><span style="font-weight:bold;font-family:verdana;font-size:14pt">Full Client with
User Delegation</span></a></div><p style="margin:0in;font-family:Calibri;font-size:11pt"> </p><div style="margin:0in;font-family:Calibri;font-size:9pt;color:rgb(89,89,89)">From
<<a href="http://openid.bitbucket.org/HEART/openid-heart-oauth2.html" target="_blank">http://openid.bitbucket.org/HEART/openid-heart-oauth2.html</a>>
</div><div style="margin:0in;font-family:Calibri;font-size:11pt">The authorization
code flow is supported only for confidential clients. Examples of this client
type include web applications and native applications that can store
installation-instance-specific client credentials securely. Client credentials
MUST NOT be shared among <span style="background:yellow">instances</span>
[<span style="font-weight:bold">separate</span> or<span style="font-weight:bold"> discrete </span>instances?] of a given piece of client software.</div><p style="margin:0in;font-family:Calibri;font-size:11pt"> </p><div style="margin:0in;font-family:Calibri;font-size:9pt;color:rgb(89,89,89)">From
<<a href="http://openid.bitbucket.org/HEART/openid-heart-oauth2.html" target="_blank">http://openid.bitbucket.org/HEART/openid-heart-oauth2.html</a>> </div><span><font color="#888888"><div><br></div>-- <br><div><font color="#330099">Danny van Leeuwen<br><a href="tel:617-304-4681" value="+16173044681" target="_blank">617-304-4681</a><br></font><div><b><font color="#330099"><br></font></b><div><b><font color="#330099">Blog <a href="http://www.health-hats.com/" target="_blank">www.health-hats.com</a> <i><span style="font-size:8pt;font-family:'Arial Black',sans-serif">discovering the magic levers of best health</span></i></font></b></div></div><div><b><font color="#330099">Twitter </font></b><b><font color="#330099"><i><span style="font-size:8pt;font-family:'Arial Black',sans-serif">@healthhats</span></i></font></b></div></div>
</font></span></div>
<br>_______________________________________________<br>
Openid-specs-heart mailing list<br>
<a href="mailto:Openid-specs-heart@lists.openid.net" target="_blank">Openid-specs-heart@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><br>
<br></blockquote></div><br></div>
</div></blockquote></div><br></div></div></div></div></div></blockquote></div><br></div>
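<p>The mechanism John describes above (every client instance dynamically registering so that it holds its own asymmetric key pair, rather than every download carrying the same "factory" credentials), as an added, constructed Go example that is not code from this thread or from the HEART profile. It assumes Ed25519 keys carried as RFC 8037 OKP JWKs, RFC 7591 dynamic registration with <code>token_endpoint_auth_method</code> set to <code>private_key_jwt</code>, and RFC 7523 JWT client assertions; the URLs, the <code>client-N</code> id format and the helper names (<code>RegistrationBody</code>, <code>ClientAssertion</code>, <code>AuthServer</code>, <code>Demo</code>) are made up for the example. PKCE is not shown.</p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Constructed example, not code from the HEART profile or this thread: each install generates its own
// Ed25519 key pair, registers only the public half (RFC 7591) and signs an RFC 7523 private_key_jwt assertion.

var b64 = base64.RawURLEncoding // unpadded base64url, as JWS and JWK require
type jwk map[string]string      // one public key in JWK form; here always an RFC 8037 OKP/Ed25519 key

// registrationRequest is the subset of an RFC 7591 request this example needs.
type registrationRequest struct {
	TokenEndpointAuthMethod string           `json:"token_endpoint_auth_method"`
	JWKS                    map[string][]jwk `json:"jwks"`
}

// RegistrationBody builds the registration request for one install; only the public key is sent.
func RegistrationBody(priv ed25519.PrivateKey) []byte {
	pub := jwk{"kty": "OKP", "crv": "Ed25519", "x": b64.EncodeToString(priv.Public().(ed25519.PublicKey))}
	body, _ := json.Marshal(registrationRequest{TokenEndpointAuthMethod: "private_key_jwt", JWKS: map[string][]jwk{"keys": {pub}}})
	return body
}

// ClientAssertion signs a private_key_jwt assertion for clientID with priv (separate so a copy with only the id can be simulated).
func ClientAssertion(priv ed25519.PrivateKey, clientID, aud string, now time.Time) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{"iss": clientID, "sub": clientID, "aud": aud, "iat": now.Unix(), "exp": now.Add(time.Minute).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// AuthServer keeps the public key registered under each client_id.
type AuthServer struct {
	TokenEndpoint string
	clients       map[string]jwk
}

// Register enforces the profile rule: a code-flow client must bring its own key.
func (s *AuthServer) Register(body []byte) (string, error) {
	var r registrationRequest
	if json.Unmarshal(body, &r) != nil || r.TokenEndpointAuthMethod != "private_key_jwt" || len(r.JWKS["keys"]) != 1 {
		return "", fmt.Errorf("profile requires private_key_jwt with exactly one registered public key")
	}
	id := fmt.Sprintf("client-%d", len(s.clients)+1) // a fresh client_id for every instance
	s.clients[id] = r.JWKS["keys"][0]
	return id, nil
}

// VerifyAssertion accepts the JWT only if the key registered for its iss signed it.
func (s *AuthServer) VerifyAssertion(token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed assertion")
	}
	hb, e1 := b64.DecodeString(parts[0])
	cb, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg string } // encoding/json matches "alg" to Alg case-insensitively
	var claims struct{ Iss, Aud string; Exp int64 }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &claims) != nil ||
		hdr.Alg != "EdDSA" || claims.Aud != s.TokenEndpoint || claims.Exp <= now.Unix() { // alg is pinned server-side
		return "", fmt.Errorf("assertion undecodable, wrong alg, wrong audience, or expired")
	}
	k := s.clients[claims.Iss] // an unknown client_id yields a nil map, which fails the checks below
	pub, err := b64.DecodeString(k["x"])
	if k["kty"] != "OKP" || k["crv"] != "Ed25519" || err != nil || len(pub) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(pub), []byte(parts[0]+"."+parts[1]), sig) {
		return "", fmt.Errorf("no key registered for %q verifies this assertion", claims.Iss)
	}
	return claims.Iss, nil
}

// Demo registers one install and checks it can authenticate, then shows a copy holding only its client_id is rejected.
func Demo() (legitAccepted, cloneRejected bool, err error) {
	srv := &AuthServer{TokenEndpoint: "https://as.example/token", clients: map[string]jwk{}}
	now := time.Now()
	_, keyA, err := ed25519.GenerateKey(rand.Reader)      // generated on the device at first run; never leaves it
	_, keyClone, err2 := ed25519.GenerateKey(rand.Reader) // same app binary, different install, different key
	if err != nil || err2 != nil {
		return false, false, fmt.Errorf("key generation failed")
	}
	idA, err := srv.Register(RegistrationBody(keyA)) // the server issues this install its own client_id
	who, verr := srv.VerifyAssertion(ClientAssertion(keyA, idA, srv.TokenEndpoint, now), now)
	legitAccepted = err == nil && verr == nil && who == idA
	_, verr = srv.VerifyAssertion(ClientAssertion(keyClone, idA, srv.TokenEndpoint, now), now)
	return legitAccepted, verr != nil, nil
}

func main() {
	fmt.Println(Demo())
}
```

<p><code>go run</code> prints <code>true true &lt;nil&gt;</code>: the install that registered its own key authenticates, and a second copy of the same app that knows that install's <code>client_id</code> but holds a different key cannot. The point for the profile text is that "credentials MUST NOT be shared among instances" only becomes enforceable when the server ties each <code>client_id</code> to a key that was generated on, and never leaves, one device; a shared secret baked into the binary gives the server no way to tell copies apart.</p>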