[Openid-specs-mobile-profile] New Revision of Discovery Draft

Torsten Lodderstedt torsten at lodderstedt.net
Sat Jul 25 17:17:32 UTC 2015

Hi Philippe.

Am 23.07.2015 um 14:50 schrieb philippe.clement at orange.com:
> Hi torsten,
> Thanks a lot for this document, here are my comments
> 2. Overview:
> - "•a RP may not process the MSISDN in the course of the discovery 
> process"
> I think that in some cases, the RP will have this MSISDN, and that 
> this one will be secured at the RP by a real secured process 
> (challenge with a phone call, confirmation by OTP...). Case of banks 
> for example, but they are not alone.
> As this MSISDN at RP exist, we should use it to simplify the user 
> journey at the discovery stage and not risk to re-ask to the user some 
> information regarding his MNO. Indeed, in some cases, the discovery 
> service will have, in absence of user/MNO data, to ask to the user 
> pieces of information (MSISDN, MCC/MNC...).
> This could be added in § 2.1 C : "Moreover, the client may pass MCC, 
> MNC or IMSI as part of the discovery request."

make sense. I just created a new issue and added your and Sebastian's 
comments to it (and added placeholders for a msisdn parameter to both 
requests). I'm open to this enhancements as it would improve UX in the 
same way as the encrypted login hint.

> - "OpenID Connect Clients using this specification are encouraged to 
> use the OpenID Account chooser service [Account.Chooser]. This allows 
> them to bypass discovery for users that already have account 
> information cached."
> Are we confident that Account Chooser can endorse the discovery 
> mechanism of an MNO for a specific user ? In other words, do we know 
> exactly what should be the changes at Account Chooser level and at MNO 
> level to bypass the discovery process ?

As far as I understand, there are two extensions required:
- a represention of the user id, which can only be interpreted by the OP
- a description of the user id for display in the account chooser UI 
(e.g. MSISDN with some digests replaced by stars)
@John: is that correct? Do you know the current status of those extensions?

best regards,

> Hope this helps,
> Philippe
> -----Message d'origine-----
> De : Openid-specs-mobile-profile 
> [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] De la 
> part de Torsten Lodderstedt
> Envoyé : samedi 18 juillet 2015 19:41
> À : openid-specs-mobile-profile at lists.openid.net
> Objet : [Openid-specs-mobile-profile] New Revision of Discovery Draft
> Hi all,
> I just posted a new revision of the discovery draft to the repository.
> The HTML version can also be found here:
> http://openid.net/wordpress-content/uploads/2014/04/draft-mobile-discovery-01.html
> I revision reflects the current discovery design for both web and 
> native apps as described in the web sequence diagrams. I also added an 
> overview and restructured the document.
> Please review it and give feedback to the list.
> kind regards,
> Torsten.
> _______________________________________________
> Openid-specs-mobile-profile mailing list 
> Openid-specs-mobile-profile at lists.openid.net 
> <mailto:Openid-specs-mobile-profile at lists.openid.net>
> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
> _________________________________________________________________________________________________________________________
> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
> This message and its attachments may contain confidential or privileged information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20150725/d330783d/attachment.html>

More information about the Openid-specs-mobile-profile mailing list