Asking Client Secret's Public Key


Prabhakaran Murugadoss

Nov 17, 2015, 2:33:43 AM11/17/15
to OADA Developers Group
Hi,

 I wish to have your advice on whether it is advisable to ask for the public key in client registration. I have gone through the Internet-Draft on OAuth's Client Registration at "https://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-30#page-15".

 I have a scenario: "If my client is not confident about sharing the private key but asks me to build a software statement, shall I ask for the public key of the client secret's key pair on the registration page?"
 Is this the correct approach?

Aaron Ault

Nov 17, 2015, 7:11:55 AM11/17/15
to Prabhakaran Murugadoss, OADA Developers Group
A client should never, ever share their private key with anybody, not even the registrar that gives them their certificate. That's why it's called the "private" key.

With OADA's security model, you must ask for the client's public key at the time of registration and it must go into the client registration document. The client is then the only one who can properly sign things with their private key that can be verified later by others using their public key from the registration document. Therefore, when a client connects to an API, it is possible to know that this client has the private key which was present when the certificate was issued by the trusted registrar.

Aaron


Prabhakaran Murugadoss

Nov 17, 2015, 8:41:01 AM11/17/15
to OADA Developers Group, m.prabh...@gmail.com
Thanks, Aaron, for your valuable explanation; that helps me a lot.