
[jsr360-experts] Re: Updated JSR 360 Draft Specification - OAuth

  • From: roger riggs < >
  • To:
  • Subject: [jsr360-experts] Re: Updated JSR 360 Draft Specification - OAuth
  • Date: Tue, 02 Jul 2013 10:24:32 -0400
  • Organization: Oracle Corporation

<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hi Werner,<br>
    <br>
    OAuth is at a different level, it is used for authentication at the
    application layer.<br>
    <br>
    HTTP/HTTPS supports basic authentication at the application
    level. <br>
    <br>
    SSL and TLS cover confidentiality and data integrity at the
    transport level. (sockets and datagrams)<br>
    <br>
    Java SE supports only SSL/TLS.  Java EE can support OAuth.<br>
    <br>
    Roger<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 7/2/2013 10:07 AM, Werner Keil
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAAGawe1oPEqXxeuW1a0d0Dn_+MbbVi5Fe+A9=
      "
      type="cite">At least on the SE side (I know we heard especially in
      Eclipse M2M IWG there are other lower footprint protocols for
      security or sometimes sorry to say even NO security yet) isn't OAuth
      normally the de facto standard these days?
      <div>
        <br>
      </div>
      <div>Werner</div>
      <div><br>
        <div class="gmail_quote">On Tue, Jul 2, 2013 at 3:51 PM, roger
          riggs <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:
      " target="_blank">
      </a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> Hi Thomas,<br>
              <br>
              Sorry for the delay.
              <div class="im"><br>
                <br>
                <div>On 6/27/2013 11:56 AM, Lampart Thomas wrote:<br>
                </div>
                <blockquote type="cite">
                  <div>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">Hi

                        Roger, Michael, experts,</span></p>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"> </span></p>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">Thanks

                        for giving us this update with a bunch of new
                        features.</span></p>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"> </span></p>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">I
                        do have some comments:</span></p>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">-I

                        do like the extended TLS support</span></p>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">-SecureServerConnection,

                        what is the ClientAuth “want” parameter good for?
                        In my understanding a server either does
                        client authentication or not.</span></p>
                  </div>
                </blockquote>
              </div>
              There is a provision in the Java SE API for the client to
              request client authentication.<br>
              The SSL/TLS protocol does leave it to the server to
              require client authentication <br>
              and that may be sufficient.  <br>
              <br>
              Is there any use case where the client would refuse to<br>
              talk to a server that did not authenticate the client?
              <div class="im"><br>
                <blockquote type="cite">
                  <div>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"></span></p>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">-Why

                        squeeze the TLS into the DatagramConnection
                        and not have a SecureDatagramConnection?</span></p>
                  </div>
                </blockquote>
              </div>
              Good point, it seemed initially like an easy extension but
              several questions have been raised about it and we'll
              reexamine creating a separate interface.
              <div class="im"><br>
                <blockquote type="cite">
                  <div>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"></span></p>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">-AccessPoint:

                        as far as I know in CDMA there is only a Mobile
                        IP (or Simply IP) configuration profile id to
                        select, when opening a packet service. No other
                        parameters.</span></p>
                  </div>
                </blockquote>
              </div>
              ok, can you refer me to a CDMA spec on that? <br>
              <div class="im">
                <blockquote type="cite">
                  <div>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"></span></p>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">-AccessPoint:

                        I think for WLAN there is only a password, no
                        DNS. </span></p>
                  </div>
                </blockquote>
              </div>
              Any TCP/IP stack needs a DNS server; where does it come
              from for a WAN?<br>
              <br>
              We have had questions about why an explicit DNS server is
              required in any of the AccessPoints?<br>
              For CSD it was a carry over from IMP-NG.  <br>
              What is the use case for needing application control over
              the DNS server?  <br>
              Can we simplify and leave it to the platform in all cases
              (DHCP or host specific)?<br>
              <br>
              Thanks, Roger
              <div class="im"><br>
                <br>
                <blockquote type="cite">
                  <div>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"></span></p>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"> </span></p>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">Kind

                        regards</span></p>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">  

                        Thomas</span></p>
                    <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"> </span></p>
                    <div>
                      <div style="border:none;border-top:solid #b5c4df
                        1.0pt;padding:3.0pt 0cm 0cm 0cm">
                        <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;;color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;;color:windowtext">
                            roger riggs [<a moz-do-not-send="true"
                              href="mailto:
      "
                              target="_blank">mailto:
      </a>]
                            <br>
                            <b>Sent:</b> Tuesday, 25 June 2013 15:45<br>
                            <b>To:</b> <a moz-do-not-send="true"
                              href="mailto:
      "
                              target="_blank">
      </a><br>
                            <b>Subject:</b> [jsr360-observers]
                            [jsr360-experts] Updated JSR 360 Draft
                            Specification</span></p>
                      </div>
                    </div>
                    <p class="MsoNormal"> </p>
                    <p class="MsoNormal">Hi,<br>
                      <br>
                      The updated<a moz-do-not-send="true"
href="https://java.net/projects/jsr360/downloads/download/jsr360-sldr.zip"
                        target="_blank"> SpecLead Draft of JSR 360 (zip)</a>
                      is available from the <br>
                      <a moz-do-not-send="true"
                        href="https://java.net/projects/jsr360/downloads"
                        target="_blank">JSR 360 downloads</a> on <a
                        moz-do-not-send="true" href="http://java.net"
                        target="_blank">java.net</a>. <br>
                      <br>
                      The update is based on the EDR draft, Expert Group
                      comments and input from<br>
                      the RI developers.<br>
                      <br>
                      This draft includes extensions and resolutions for
                      the following:</p>
                    <ul type="disc">
                      <li class="MsoNormal">CLDC Full vs Compact APIs to
                        support smaller devices with fewer new APIs</li>
                      <li class="MsoNormal">SecureServerConnection (new)</li>
                      <li class="MsoNormal">ModemConnection (new)</li>
                      <li class="MsoNormal">NetworkUtilities (new)</li>
                      <li class="MsoNormal">Access Point improvements</li>
                      <li class="MsoNormal">Support for TLS1.2 / DTLS
                        (revised)</li>
                    </ul>
                    <p>Please review and comment, Roger and Michael</p>
                    <p style="margin-bottom:12.0pt">Roger</p>
                    <p class="MsoNormal"> </p>
                  </div>
                </blockquote>
                <br>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </body>
</html>
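
The "want" versus "need" client-authentication setting raised in the thread, shown with the Java SE `SSLServerSocket` API as an added example (not code from the thread or from the JSR 360 draft). The class and method names, the `Mode` enum, port 8443, and a default `SSLContext` configured through the `javax.net.ssl.keyStore` and `javax.net.ssl.trustStore` system properties are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

public class ClientAuthModes {
    enum Mode { NONE, WANT, NEED }   // hypothetical names for this example

    // Assumption: the default SSLContext has a server key and trust store
    // configured (javax.net.ssl.keyStore / javax.net.ssl.trustStore).
    static SSLServerSocket listen(int port, Mode mode) throws Exception {
        SSLServerSocket server = (SSLServerSocket) SSLContext.getDefault()
                .getServerSocketFactory().createServerSocket(port);
        // The two setters override each other; only the last call applies.
        if (mode == Mode.NEED) {
            server.setNeedClientAuth(true);  // handshake fails without a client cert
        } else if (mode == Mode.WANT) {
            server.setWantClientAuth(true);  // cert is requested, but optional
        }
        return server;
    }

    // Returns the authenticated subject name, or null for an anonymous peer.
    static String peerIdentity(SSLSocket socket) throws IOException {
        socket.startHandshake();
        try {
            Certificate[] chain = socket.getSession().getPeerCertificates();
            return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
        } catch (SSLPeerUnverifiedException e) {
            return null;  // only reachable in NONE or WANT mode
        }
    }

    public static void main(String[] args) throws Exception {
        try (SSLServerSocket server = listen(8443, Mode.WANT)) {
            while (true) {
                try (SSLSocket socket = (SSLSocket) server.accept()) {
                    String who = peerIdentity(socket);
                    // With WANT, the application makes the authorization decision.
                    String reply = (who == null) ? "anonymous: read-only\n"
                                                 : "authenticated as " + who + "\n";
                    socket.getOutputStream().write(reply.getBytes(StandardCharsets.UTF_8));
                } catch (IOException e) {
                    System.err.println("handshake or I/O failed: " + e.getMessage());
                }
            }
        }
    }
}
```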
