> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Torsten Lodderstedt
> Sent: Thursday, June 02, 2011 5:10 AM
> To: Brian Eaton
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] review of draft-ietf-oauth-v2-16
>
> I fully agree with Brian and would like to add some thoughts:
>
> Not authenticating the client does not directly create a security
> problem at all. If we followed this line, every e-mail client out
> there would be considered insecure because the client itself is never
> authenticated. Not even Kerberos has a concept of client
> authentication.
Well, not to belabor this point :) but in Kerberos it is the proof of possession of the client secret key which _is_ the authentication mechanism. There is also PKINIT (RFC 4556) which can be used to "pre-authenticate" the user via Diffie-Hellman (anonymous) or a full X.509 certificate. However, there is indeed the assumption in Kerberos/RFC 4120 (and in the original Needham-Schroeder protocol) that the "client" can keep secrets.

/thomas/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
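The exchange Thomas refers to, as an added example that is not part of the thread: a small Go model of the Kerberos AS exchange with PA-ENC-TIMESTAMP pre-authentication, showing that the client never sends a credential and is authenticated purely by proving possession of its long-term key (it seals a timestamp the KDC can verify, and only it can open the reply). The error names follow RFC 4120, but everything else is an assumption made for the demo: AES-256-GCM stands in for the Kerberos encryption types, `deriveKey` is a toy string-to-key (not the PBKDF2 scheme of RFC 3962), and `NewDemoKDC`, `Login`, `BuildASReq` and `HandleASReq` are names chosen here, not real library APIs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// deriveKey is a TOY string-to-key (assumption for this demo): a plain SHA-256 of
// password and principal. Real Kerberos uses salted PBKDF2 (RFC 3962).
func deriveKey(password, realm, principal string) []byte {
	sum := sha256.Sum256([]byte(password + "\x00" + principal + "@" + realm))
	return sum[:]
}

// seal / unseal: AES-256-GCM with a random nonce prepended to the ciphertext.
// They stand in for the Kerberos encryption types; the idea is the same: the
// message is only readable, and only verifiable, by a holder of the key.
func seal(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func unseal(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// ASReq models the AS-REQ carrying PA-ENC-TIMESTAMP pre-authentication.
type ASReq struct {
	Principal    string
	EncTimestamp []byte // client's clock, sealed under its long-term key
}

// ASRep models the AS-REP: a ticket the client cannot read plus a part it can.
type ASRep struct {
	Ticket  []byte // sealed under the TGS key, opaque to the client
	EncPart []byte // session key, sealed under the client's long-term key
}

// KDC holds one long-term key per principal; that shared key is the whole
// basis of authentication, which is why the client must be able to keep it.
type KDC struct {
	Realm  string
	Keys   map[string][]byte
	TGSKey []byte
	Skew   time.Duration
}

// NewDemoKDC builds a KDC with one constructed principal (demo data).
func NewDemoKDC() *KDC {
	k := &KDC{Realm: "EXAMPLE.ORG", Skew: 5 * time.Minute, TGSKey: make([]byte, 32)}
	if _, err := rand.Read(k.TGSKey); err != nil {
		panic(err)
	}
	k.Keys = map[string][]byte{"alice": deriveKey("correct horse", k.Realm, "alice")}
	return k
}

// HandleASReq is the KDC side. Nothing identifies the client except whether the
// timestamp opens under the key the KDC holds for it and is fresh.
func (k *KDC) HandleASReq(req ASReq, kdcNow time.Time) (ASRep, error) {
	key, ok := k.Keys[req.Principal]
	if !ok {
		return ASRep{}, errors.New("KDC_ERR_C_PRINCIPAL_UNKNOWN")
	}
	pt, err := unseal(key, req.EncTimestamp)
	if err != nil || len(pt) != 8 {
		return ASRep{}, errors.New("KDC_ERR_PREAUTH_FAILED")
	}
	ts := time.Unix(int64(binary.BigEndian.Uint64(pt)), 0)
	if d := kdcNow.Sub(ts); d > k.Skew || d < -k.Skew {
		return ASRep{}, errors.New("KRB_AP_ERR_SKEW") // bounds replay of an old AS-REQ
	}
	session := make([]byte, 32)
	if _, err := rand.Read(session); err != nil {
		return ASRep{}, err
	}
	ticket := seal(k.TGSKey, append([]byte(req.Principal+"\x00"), session...))
	return ASRep{Ticket: ticket, EncPart: seal(key, session)}, nil
}

// BuildASReq is the client side of the proof of possession: seal the current time.
func BuildASReq(principal string, key []byte, clientNow time.Time) ASReq {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, uint64(clientNow.Unix()))
	return ASReq{Principal: principal, EncTimestamp: seal(key, buf)}
}

// Login runs the exchange and returns the session key the client recovered.
func Login(kdc *KDC, principal, password string, clientNow, kdcNow time.Time) ([]byte, error) {
	key := deriveKey(password, kdc.Realm, principal)
	rep, err := kdc.HandleASReq(BuildASReq(principal, key, clientNow), kdcNow)
	if err != nil {
		return nil, err
	}
	return unseal(key, rep.EncPart) // also fails if the client never held the real key
}

func main() {
	kdc, now := NewDemoKDC(), time.Now()
	if sk, err := Login(kdc, "alice", "correct horse", now, now); err == nil {
		fmt.Printf("alice authenticated, session key %x...\n", sk[:4])
	}
	_, err := Login(kdc, "alice", "wrong password", now, now)
	fmt.Println("wrong key:", err)
	_, err = Login(kdc, "alice", "correct horse", now.Add(-time.Hour), now)
	fmt.Println("stale timestamp:", err)
}
```

The contrast with the OAuth discussion is in `KDC.Keys`: the protocol works because each principal has a key that only it and the KDC know. A public OAuth client (browser script, installed app) has no such secret to prove possession of, so "client authentication" there cannot mean what it means in Kerberos.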