<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Tom,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I’m not sure I understand the reasoning behind the statement that “o</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">nly
 the telco can support CIBA”?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">BR,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Bjorn</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Openid-specs-fapi [mailto:openid-specs-fapi-bounces@lists.openid.net]
<b>On Behalf Of </b>Tom Jones via Openid-specs-fapi<br>
<b>Sent:</b> Tuesday, November 28, 2017 8:13 AM<br>
<b>To:</b> Gonzalo Fernández; Financial API Working Group List<br>
<b>Cc:</b> Tom Jones<br>
<b>Subject:</b> [E] Re: [Openid-specs-fapi] [Bitbucket] Issue #127: CIBA: security issues (openid/fapi)<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">To be really clear then. Only the telco can support CIBA, correct?<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Note that I voted against the MODRNA specs because, IMO, they do not uphold the user consent requirements in OpenID Connect. For FAPI to endorse the telco involvement in a financial transaction would exacerbate this failing.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">..tom<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Peace ..tom<o:p></o:p></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Tue, Nov 28, 2017 at 7:16 AM, Gonzalo Fernández &lt;<a href="mailto:issues-reply@bitbucket.org" target="_blank">issues-reply@bitbucket.org</a>&gt; wrote:<o:p></o:p></p>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-collapse:collapse">
<tbody>
<tr>
<td style="background:whitesmoke;padding:7.5pt 7.5pt 0in 7.5pt;border-radius:5px" id="m_-4675330633121102806main">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-collapse:collapse">
<tbody>
<tr>
<td style="background:white;padding:0in 0in 0in 0in" id="m_-4675330633121102806avatar">
<div style="border:solid #CCCCCC 1.0pt;padding:15.0pt 15.0pt 15.0pt 15.0pt;border-radius:5px">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-collapse:collapse">
<tbody>
<tr>
<td style="padding:0in 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-collapse:collapse">
<tbody>
<tr>
<td style="padding:0in 0in 0in 7.5pt" id="m_-4675330633121102806content">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-collapse:collapse">
<tbody>
<tr>
<td colspan="2" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><strong><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">Gonzalo Fernández</span></strong><span style="font-size:10.5pt;font-family:"Arial","sans-serif""> commented on issue #127:
<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:3.75pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.5pt;font-family:"Arial","sans-serif""><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_fapi_issues_127_ciba-2Dsecurity-2Dissues&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=NMZJHCV8pjvGIH2fTx9z6l7g7-V-a2xW7ISf9uHdz0A&m=WKKL3u2bCFK_S3-cdUcTpKtFv6WtIOfgf-q9kODpVaE&s=1KCgOH0C_ZjNSl2pUFYoN-ZeFnwsk7z276YIIeSRdfs&e=" target="_blank"><span style="color:#3572B0;text-decoration:none">CIBA:
 security issues</span></a> <o:p></o:p></span></b></p>
</td>
</tr>
<tr>
<td colspan="2" style="padding:7.5pt 0in 11.25pt 0in">
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:10.5pt;font-family:"Arial","sans-serif"">Hi Nat,<o:p></o:p></span></p>
<p style="mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:0in;margin-left:0in;margin-bottom:.0001pt">
<span style="font-size:10.5pt;font-family:"Arial","sans-serif"">Telco companies do know the device associated with a user; in fact, they use such information to improve customer care when he calls about something related to the device. As far as I know, when
 the terminal has been registered in the network, it sends the IMEI, and thanks to that the operator is able to know the device and associate it with the MSISDN and IMSI, because at this time it also has that information.<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td style="padding:7.5pt 0in 0in 0in"></td>
<td style="padding:7.5pt 0in 0in 0in"></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>