[aerogear-dev] Security for "Device Registration"

Matthias Wessendorf matzew at apache.org
Tue May 21 12:27:32 EDT 2013


On Tue, May 21, 2013 at 6:19 PM, Douglas Campos <qmx at qmx.me> wrote:

> On Tue, May 21, 2013 at 06:05:00PM +0200, Matthias Wessendorf wrote:
> > I think I mean more the Unified Push server has the "private key", while
> > the device uses the public key,
> > to perform the "auth" against the server-side variant (e.g. PhoneABC
> > registers itself with the Android variant)
> Unless you have two key pairs, this adds zero security to the mix.
>

Not sure I follow, but if _every_ mobile application
(MobileVariantInstance) needs to perform auth against the server to
register itself with the MobileVariant (e.g. the logical construct of an
Android variant), how or why are two key pairs needed?


The public/private key I had in mind is just for the MobileVariant, so that
_every_ device that knows the public key can perform auth against it.

As said before, this key pair is ONLY for working on the data of the
MobileVariantInstance(s). Not more (no sending, no PushApp/MobileVariant
registration; as said before).

Not sure I understand the two key pairs here (e.g. why two).




>
> amirite, abstractj?
>
> --
> qmx



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf