[Openid-specs-fapi] [Openid-specs-mobile-profile] Backchannel sign result object

Dave Tonge dave.tonge at momentumft.co.uk
Fri Jun 16 10:57:55 UTC 2017


Hi Axel,

I don't think the authentication result object needs to be signed as it is
the response to a request by the RP that will be authenticated.
The closest we have to this in the FAPI spec is the success response when
registering a request object:
https://bitbucket.org/openid/fapi/src/53d8de443d6727ea547fef173ee532858c183e14/Financial_API_WD_002.md?at=master&fileviewer=file-view-default#markdown-header-73-successful-response
This response is not signed.

I do think the token notification object needs to be signed as this request
is made by the OP to the RP and the endpoint is currently only protected by
a bearer token. In response to your other email, the signed token
notification object could be the recommended authentication method.

Also, we discussed on the last FAPI call starting a FAPI profile of the
CIBA spec. I've started work on this and hope to share it shortly.

Thanks

Dave
On 14 June 2017 at 17:42, <Axel.Nennker at telekom.de> wrote:

> Hi,
>
> some of you looked at the MODRNA Backchannel specification and I would
> like to get your opinion on whether the backchannel result object should be
> signed by the OP?
>
> The issue in the MODRNA repository is: https://bitbucket.org/openid/mobile/issues/55/ciba-signed-result-objects
>
> Kind regards
>
> Axel
>
> Should we - at least - recommend that the OP signs the authentication
> result object? Here: https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#successful_authentication_request_acknowdlegment
>
> and here: https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#issuing_successful_token
>
> *DEUTSCHE TELEKOM AG*
> T-Labs (Research & Innovation)
> Axel Nennker
> Winterfeldtstr. 21, 10781 Berlin
> +491702275312 (Tel.)
>
> E-Mail: axel.nennker at telekom.de
>
> _______________________________________________
> Openid-specs-mobile-profile mailing list
> Openid-specs-mobile-profile at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
>
>


-- 
Dave Tonge
CTO
10 Temple Back, Bristol, BS1 6FL
t: +44 (0)117 280 5120

Moneyhub Enterprise is a trading style of Momentum Financial Technology
Limited which is authorised and regulated by the Financial Conduct
Authority ("FCA"). Momentum Financial Technology is entered on the
Financial Services Register (FRN 561538) at fca.org.uk/register. Momentum
Financial Technology is registered in England & Wales, company registration
number 06909772 © . Momentum Financial Technology Limited 2016. DISCLAIMER:
This email (including any attachments) is subject to copyright, and the
information in it is confidential. Use of this email or of any information
in it other than by the addressee is unauthorised and unlawful. Whilst
reasonable efforts are made to ensure that any attachments are virus-free,
it is the recipient's sole responsibility to scan all attachments for
viruses. All calls and emails to and from this company may be monitored and
recorded for legitimate purposes relating to this company's business. Any
opinions expressed in this email (or in any attachments) are those of the
author and do not necessarily represent the opinions of Momentum Financial
Technology Limited or of any other group company.
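The distinction Dave draws in his reply, as an added example that is not part of this thread or of either specification: an RP-side handler for the notification endpoint that first checks the bearer token and then verifies the pushed token notification object as a compact JWS before trusting any of its claims, so that a caller who merely knows the bearer token cannot substitute a different body. The function names, claim layout and the HS256 shared secret are assumptions chosen so the snippet runs offline; an OP would normally sign with its own private key (e.g. RS256 or ES256) and the RP would verify against the OP's published JWK set.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example: the OP/RP shared signing key and the
# client_notification_token the RP handed out when it started the request.
OP_KEY = b"op-signing-key-for-example-only"
CLIENT_NOTIFICATION_TOKEN = "rp-notification-token-for-example-only"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_notification(claims: dict, key: bytes = OP_KEY) -> str:
    """OP side: wrap the token notification object in a compact JWS (HS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_notification(authorization, jws, issuer, client_id, key=OP_KEY, now=None):
    """RP side: accept the pushed object only if BOTH the bearer token and the signature check out."""
    # 1. The bearer token shows the caller knows the value the RP issued; it does
    #    not protect the integrity or origin of the body.
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(token, CLIENT_NOTIFICATION_TOKEN):
        raise ValueError("bad bearer token")
    # 2. The signature binds the object to the OP's key.
    parts = jws.split(".")
    if len(parts) != 3 or json.loads(b64url_decode(parts[0])).get("alg") != "HS256":
        raise ValueError("malformed JWS or unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    # 3. iss/aud pin the object to this OP and this RP; exp bounds replay.
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("wrong iss/aud")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims
```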