[aerogear-dev] Push: Security / role model

Matthias Wessendorf matzew at apache.org
Wed Apr 10 03:33:34 EDT 2013


On Wed, Apr 10, 2013 at 8:52 AM, Bruno Oliveira <bruno at abstractj.org> wrote:

> I'm still thinking about your problem (must try before). Is APP ID (+
> mobile-variant ID) really necessary?


From my original point of view: yes.
Somehow the app installation (on the device) needs to tell the
"registration server": I am an installation of your "FOO APP";

We could use something else instead of the "internal ids" (PUSH-APP ID (+
mobile-variant ID)) - on both Android and iOS there is something like an
"app id" (think packages in Java), but it's not unique.
So there is a chance that different users of the server have an app, in the
app store, that has the same ID (since it is picked by the developer).



> I'm just concerned about the non-repudiation, for what you want we
> could introduce the concept of zero-knowledge proof for devices (
> http://en.wikipedia.org/wiki/Zero-knowledge_proof).
>

Thanks for sharing!!!  It's a pretty complex paper :) Looks like at least
some sort of "interactions" are required to have the proof;
I also (for simpler understanding) read the German version of that article,
which says something like: "its practical usage is rare, since the system
requires lots of interaction, which is why (according to the article)
practical auth-protocols are based on 'digital signatures'".
Not sure if that statement is true :)


However, I guess requiring lots of interactions between device and
server for registration of the token may be a problem. Not sure how
"chatty" that would be. Perhaps I am totally wrong :)



>
> I'm not saying it's easy to achieve,


:-) yeah - sounds pretty complex



> but let me know if APP ID (+ mobile variant ID) can be replaced.



I guess it can, all we really need is the device telling the server: "Hey I
belong to your BLAH app" :)



> My suggestion is to move forward as is, until we figure out a better way
> to do it.
>


Sounds like a plan! I will continue with the IDs and we can improve this
later;


However, from reading, the "zero-knowledge proof" concept is an interesting
thing.



>
> Makes sense?
>


Absolutely!



>
>
> --
> "The measure of a man is what he does with power" - Plato
> -
> @abstractj
> -
> Volenti Nihil Difficile
>
>
>
> On Tuesday, April 9, 2013 at 1:20 PM, Matthias Wessendorf wrote:
>
> >
> > So...... the following information needs to be available.... so that the
> mobile dev. for the free iOS app can register the token with the server:
> >
> > APP ID (+ mobile-variant ID)
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
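A constructed illustration of the point made in this thread (added here; it is not AeroGear code and not from either author): a server-issued mobile-variant ID with a per-variant secret keeps two server users apart even when both ship an app with the same package id, and an installation proves it "belongs" to a variant with an HMAC over its device token instead of a multi-round protocol. The RegistrationServer class, sign_registration, and the "alice"/"bob" variants are hypothetical names.

```python
import hashlib
import hmac
import secrets
import uuid

# Client side: MAC over the device token, keyed with the secret the server issued
# for this mobile variant (hypothetical scheme, not the AeroGear API).
def sign_registration(variant_secret, device_token):
    return hmac.new(variant_secret.encode(), device_token.encode(), hashlib.sha256).hexdigest()

class RegistrationServer:
    """Constructed model of a push registration server."""
    def __init__(self):
        self.variants = {}       # variant_id -> {owner, package_id, secret}
        self.installations = {}  # variant_id -> set of device tokens

    def create_variant(self, owner, package_id):
        # Server-issued id: unique even when two customers ship apps with the
        # same package / bundle id, which each developer picks freely.
        variant_id = str(uuid.uuid4())
        secret = secrets.token_hex(16)
        self.variants[variant_id] = {"owner": owner, "package_id": package_id, "secret": secret}
        self.installations[variant_id] = set()
        return variant_id, secret

    def variants_for_package(self, package_id):
        # Keying on the platform app id alone is ambiguous across server users.
        return [v for v, info in self.variants.items() if info["package_id"] == package_id]

    def register(self, variant_id, device_token, mac):
        info = self.variants.get(variant_id)
        if info is None:
            return False  # unknown variant: no app to "belong" to
        if not hmac.compare_digest(sign_registration(info["secret"], device_token), mac):
            return False  # caller does not hold this variant's secret
        self.installations[variant_id].add(device_token)
        return True

def run_demo():
    srv = RegistrationServer()
    # Two different server users ship an app with the same (constructed) package id.
    alice_id, alice_secret = srv.create_variant("alice", "com.example.foo")
    bob_id, _ = srv.create_variant("bob", "com.example.foo")
    accepted = srv.register(alice_id, "token-1", sign_registration(alice_secret, "token-1"))
    # The same proof presented against Bob's variant is rejected: wrong secret.
    rejected = srv.register(bob_id, "token-1", sign_registration(alice_secret, "token-1"))
    return {"distinct_ids": alice_id != bob_id,
            "ambiguous": len(srv.variants_for_package("com.example.foo")),
            "accepted": accepted, "rejected": rejected,
            "alice_installs": len(srv.installations[alice_id])}
```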