<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, May 22, 2013 at 12:01 AM, Bruno Oliveira <span dir="ltr">&lt;<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">I'm really not sure which e-mail to reply to, so just in case, I'll reply all.<br>
</blockquote><div><br></div><div style>that's OK :) Thanks for looking at them</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class="im"><br>
Matthias Wessendorf wrote:<br>
> Hi,<br>
><br>
> once the app is installed on the phone (or launched in a browser),<br>
> we (as discussed in the spec/mailing list) need to upload the "device<br>
> token" (or channelID) from the actual device/channel to the Unified Push<br>
> Server.<br>
><br>
><br>
> My questions:<br>
> Is it safe, if every "Mobile Variant" has a Private/Public Key ???<br>
<br>
</div>Mobile Variant == An application correct? (I'm looking at<br>
<a href="https://gist.github.com/matzew/b918eb45d3f17de09b8f" target="_blank">https://gist.github.com/matzew/b918eb45d3f17de09b8f</a>)<br>
<br></blockquote><div><br></div><div style>An application (installed on a phone) is a "Mobile Variant Instance". The MobileVariant itself is just the abstraction, saying there is one iOS application (HR for iOS). The actual installations on the devices are called "Mobile Variant Instance".</div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Why do you need a public/private key model? Encrypt data exchanged<br>
between client/server? At first glance is it really a priority? </blockquote><div><br></div><div style>I don't know - that's why I am asking here :)</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Why not make use of WSS?<br></blockquote><div><br></div><div style>WebSocketSecure ? </div><div style><br></div><div style> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class="im"><br>
><br>
> The UP server keeps the private one.<br>
> Once we register a new mobile variant (e.g. HR for Android, HR for iPad,<br>
> HR for iPhone, ...) EACH variant has ONE Private/Public key<br>
><br>
><br>
> The Public Key of this combo would be "coded" into the actual mobile<br>
> application...<br>
><br>
> On EVERY iOS app, it would use the PubKey from the iOS Variant, on EVERY<br>
> JS-app, it would use the PubKey from the SimplePush Variant, etc<br>
><br>
><br>
> So, that means EVERY installation (on the devices) would have that<br>
> public key...<br>
<br>
</div>Why?<br></blockquote><div><br></div><div style>I am not sure, I just had that idea. I am not a security expert; I ask here to validate my ideas. That's all.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class="im">><br>
> Would that be (extremely) odd, if "1 Mio Russian hacker" would have that<br>
> public key, used on the device, to perform some sort of "auth" (e.g. via<br>
> HTTP BASIC (just saying.....)) against the server, in order to upload<br>
> the "device token" ??<br>
<br>
</div>I'm really confused about what you want to achieve. I read the whole<br>
spec and I'm not following.<br></blockquote><div><br></div><div style>hrm, perhaps a hangout to "validate" these things?</div><div style>I will, afterwards, summarize that and will send out the notes.</div>
<div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class="im"><br>
><br>
> Note: This Private/Public key would/should be EXCLUSIVE for "device<br>
> registration". And really ONLY.. :-)<br>
><br>
> So that this "Private/Public key" pair can NOT be used (==invalid) for<br>
> sending messages to the installations, or creating the Push-Applications<br>
> / Mobile Variant Constructs.<br>
><br>
><br>
><br>
> Greetings,<br>
> Matthias<br>
><br>
> --<br>
> Matthias Wessendorf<br>
><br>
> blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
> sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>
> twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a><br>
><br>
</div><div class=""><div class="h5">> _______________________________________________<br>
> aerogear-dev mailing list<br>
> <a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div></div>