Hey James,

You are right. In real cases, we should rely on HTTPS to transmit certificates. Since it's just a sample app, I omitted the HTTPS setup for simplicity. I will add this to the document. Thanks.
Jian

On Thu, Apr 14, 2011 at 11:03 PM, Manger, James H <[email protected]> wrote:
> Eric,
>
> This feels a bit like WebID <http://www.w3.org/2005/Incubator/webid/spec/>, except the client’s public key is used to verify a message they signed, rather than a TLS tunnel they established. Both identify the client by a URI that delivers a certificate.
>
> Your Cloud-to-On-Premise flow, WebID, and OpenID really need to use HTTPS URIs as identities to be secure. However, your sample app <https://sites.google.com/site/oauthgoog/authenticate-google-app-engine-app> has an HTTP id http://app-identity-java.appspot.com/certs. Was this an oversight, or isn’t security of this system supposed to depend on how the app’s self-signed short-lived (daily) certificate is obtained?
>
> --
> James Manger
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Eric Sachs
> Sent: Thursday, 7 April 2011 5:43 AM
> To: [email protected]
> Subject: [woes] Native JWT support in Google App Engine
>
> Google has just added native support for JWT to Google App Engine. Here is the documentation:
> https://sites.google.com/site/oauthgoog/authenticate-google-app-engine-app
>
> Our hope is to work with other players in the cloud computing space to improve some elements of cloud security by using PKI, JWT & OAuth2 for interop between our systems.
>
> Based on past industry discussion, we wrote up a description of some of the general interop use-cases:
> https://sites.google.com/site/oauthgoog/robotaccounts/cloudtoonpremise
> https://sites.google.com/site/oauthgoog/robotaccounts/onpremisetocloud
>
> While this new feature in Google App Engine is a significant step for Google, we realize there is more to do on our side such as adding support for JWT assertions in our recently announced OAuth2 support for Google APIs <http://googlecode.blogspot.com/2011/03/making-auth-easier-oauth-20-for-google.html>. However we would prefer to get feedback from this group on a standard approach, including around key rotation/management.
>
> Eric Sachs
> Senior Product Manager, Internet Identity
> Google
>
> _______________________________________________
> woes mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/woes

--
Jian
_______________________________________________
woes mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/woes
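The point James raises, as an added example in Go that is not code from the thread, from Google App Engine's JWT feature or from Jian's sample app: a relying party that verifies an app's JWT against the self-signed, short-lived certificate published at the app's identity URI, and refuses the token outright when that identity is a plain-HTTP URI, since whoever sits on the network path could then hand it a substitute certificate. The certificate store (a map standing in for the network fetch), the identity URIs, the RSA key and the 24-hour certificate lifetime are all constructed assumptions for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// certSource stands in for the network (identity URI -> DER certificate); constructed for this example.
type certSource map[string][]byte

var (
	enc = base64.RawURLEncoding
	// appKey stands in for the app's current signing key (rotated daily in the thread's design).
	appKey, _ = rsa.GenerateKey(rand.Reader, 2048)
)

// fetchCert returns the certificate published at an identity URI, refusing any URI that is not
// https: over plaintext, whoever controls the path can substitute their own certificate and key.
func fetchCert(src certSource, id string) (*x509.Certificate, error) {
	if u, err := url.Parse(id); err != nil || u.Scheme != "https" {
		return nil, fmt.Errorf("identity %q is not an https URI", id)
	}
	return x509.ParseCertificate(src[id]) // a missing entry fails to parse
}

// selfSignedDaily is the short-lived (24h) self-signed certificate the thread
// describes, carrying the app's current public key.
func selfSignedDaily(key *rsa.PrivateKey, now time.Time) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// signJWT produces a compact RS256 JWT whose "iss" is the app's identity URI.
func signJWT(key *rsa.PrivateKey, iss string) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]string{"iss": iss})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(claims)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// verifyJWT checks a token against the certificate published at its "iss": https identity,
// certificate inside its validity window, RS256 signature (algorithm fixed, not read from the header).
func verifyJWT(src certSource, token string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	var claims struct{ Iss string `json:"iss"` }
	raw, err := enc.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &claims)
	}
	if err != nil {
		return err
	}
	cert, err := fetchCert(src, claims.Iss)
	if err != nil {
		return err
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate outside its validity window")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return err
	}
	// SHA256WithRSA is PKCS#1 v1.5 over SHA-256, i.e. JWT's RS256; the cert's key type is checked too.
	return cert.CheckSignature(x509.SHA256WithRSA, []byte(parts[0]+"."+parts[1]), sig)
}

// scenario publishes a fresh daily certificate at id, signs a JWT as that identity and verifies it.
func scenario(id string) error {
	now := time.Now()
	der, err1 := selfSignedDaily(appKey, now)
	token, err2 := signJWT(appKey, id)
	if err1 != nil || err2 != nil {
		return fmt.Errorf("setup failed: %v %v", err1, err2)
	}
	return verifyJWT(certSource{id: der}, token, now)
}

func main() {
	fmt.Println(scenario("https://example.invalid/certs"), scenario("http://example.invalid/certs"))
}
```

Run as-is, the https identity verifies and the http identity is rejected before any signature is even looked at; the same verifier also rejects the token once the daily certificate's validity window has passed, which is what makes the short lifetime do its job. A production verifier would fetch the certificate over TLS with normal server-certificate validation and would additionally check the token's expiry and audience claims; those parts are out of scope here.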
