Re: [aerogear-dev] Push: Security / role model

On Wed, Apr 10, 2013 at 8:52 AM, Bruno Oliveira <bruno(a)abstractj.org&gt; wrote: from my original point of view: yes Somehow the app installation (on the device) needs to tell the "registration server" I am an installation of your "FOO APP"; We could use something else instead of the "internal ids" ( PUSH-APP ID (+ mobile-variant ID)) - on both, android and iOS, there is something like an "app id" (think packages in java), but it's not unique. So there is a chance that different users of the server have an app, in the app store, that have the same ID (since picked by the developer). Thanks for sharing!!! It's a pretty complex paper :) Looks like at least some sort of "interactions" are required to have the proof; I also (for simpler understanding) read the German version of that article, which says something like: "its practical usage is rare, since the system requires lot's of interaction, which is why (according to the article) practical auth-protocols are based on "digital signatures"" Not sure if that statement is true :) However, I guess, requiring lot's of interactions between device and server, for registration of the token may be a problem. not sure how "chatty" that would be. Perhaps I am totally wrong :) :-) yeah - sounds pretty complex I guess it can, all we really need is the device telling the server: "Hey I belong to your BLAH app" :) sounds like a plan! I will continue with the IDs and we can improve this later; However, from reading, the "zero-knowledge proof" concept is an interesting thing Absolutely ! -- Matthias Wessendorf blog: http://matthiaswessendorf.wordpress.com/ sessions: http://www.slideshare.net/mwessendorf twitter: http://twitter.com/mwessendorf