[aerogear-dev] Security for "Device Registration"

Bruno Oliveira bruno at abstractj.org
Tue May 21 18:01:40 EDT 2013


I'm really not sure which e-mail to reply, so just in case, I'll reply all.

Matthias Wessendorf wrote:
> Hi,
>
> once the app is installed on the phone (or launched in a browser),
> we (as discussed in the spec/mailing list) need to upload the "device
> token" (or channelID) from the actual device/channel to the Unified Push
> Server.
>
>
> My questions:
> Is it safe, if every "Mobile Variant" has a Private/Public Key ???

Mobile Variant == an application, correct? (I'm looking at 
https://gist.github.com/matzew/b918eb45d3f17de09b8f)

Why do you need a public/private key model? To encrypt data exchanged 
between client/server? At first glance, is it really a priority? Why not 
make use of WSS?

>
> The UP server keeps the private one.
> Once we register a new mobile variant (e.g. HR for Android, HR for iPad,
> HR for iPhone, ...) EACH variant has ONE Private/Public key
>
>
> The Public Key of this combo would be "coded" into the actual mobile
> application...
>
> On EVERY iOS app, it would use the PubKey from the iOS Variant, on EVERY
> JS-app, it would use the PubKey from the SimplePush Variant, etc
>
>
> So, that means EVERY installation (on the devices) would have that
> public key...

Why?
>
> Would that be (extremely) odd, if "1 Mio Russian hacker" would have that
> public key, used on the device, to perform some sort of "auth" (e.g. via
> HTTP BASIC (just saying.....)) against the server, in order to upload
> the "device token" ??

I'm really confused about what you want to achieve. I read the whole 
spec and I'm not following.

>
> Note: This Private/Public key would/should be EXCLUSIVE for "device
> registration". And really ONLY.. :-)
>
> So that this "Private/Public key" pair can NOT be used (==invalid) for
> sending messages to the installations, or creating the Push-Applications
> / Mobile Variant Constructs.
>
>
>
> Greetings,
> Matthias
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
>
