[Openid-specs-mobile-profile] ACR values

John Bradley ve7jtb at ve7jtb.com
Sun Nov 22 20:13:34 UTC 2015


We don’t have the ability to register those URNs, so we probably should go with URIs that point to explanatory documents.
http://schemas.openid.net/acr/password_less

To get a shorter name, it would be registered via https://tools.ietf.org/html/rfc6711

The reason for putting credential in as I understand it was to differentiate between a LoA that only requires the credential part of 29115 vs one that includes all the other business process requirements for account management and identity proofing.

John B.

> On Nov 22, 2015, at 4:50 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> 
> I'd suggest these names instead:
> - urn:openid:acr:credential:password_less (meaning: possession or inherence is ok)
> - urn:openid:acr:credential:2factor (any two factors, software-based solutions are ok)
> - urn:openid:acr:credential:2factor_tamper_resistant (any two factors, hardware token required)
> 
> I think that the names should not be MODRNA-specific.  And URNs are normally spelled with all lowercase characters.  Like OpenID Connect claim names, when there are multiple words in a name, separate them with underscores.
> 
> Also, is there a reason to have the "credential:" part in the URNs?  I'd suggest dropping that part as well, for brevity.  The size of the ID Token still matters (especially in mobile!).
> 
> 				-- Mike
> 
> -----Original Message-----
> From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Torsten Lodderstedt
> Sent: Sunday, November 22, 2015 11:42 AM
> To: openid-specs-mobile-profile at lists.openid.net
> Subject: [Openid-specs-mobile-profile] ACR values
> 
> Hi all,
> 
> based on the discussions in the last WG call, I think we are running circles again when it comes to ACR values.
> 
> What I got:
> - usage of LOA values from ISO 29115 seems to confuse people (because they seem to be not as specific as we thought and cover identification as well)
> - new EU regulations use other terms and the number of authentication levels differ
> 
> What do you think about the following proposal:
> 
> In the end, we want to give the RP a way to request authentication levels, which are specific to Mobile Connect/MODRNA. Why don't we define ACR value names, which exactly correspond to what we intend to use? From my perspective, Mobile Connect requires the following levels:
> - urn:openid:modrna:acr:credential:PasswordLess (meaning: possession or inherence is ok)
> - urn:openid:modrna:acr:credential:TwoFactor (any two factors, software-based solutions are ok)
> - urn:openid:modrna:acr:credential:TwoFactorTamperResistant (any two factors, hardware token required)
> 
> Those values are intentionally MODRNA specific and could be mapped (if needed) to any other model.
> 
> What do you think?
> 
> best regards,
> Torsten.
> _______________________________________________
> Openid-specs-mobile-profile mailing list
> Openid-specs-mobile-profile at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
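As an added relying-party example (not code from this thread, from MODRNA or from any OpenID specification), the following shows what the naming discussion above ends up in practice: the RP lists the acceptable levels in the `acr_values` request parameter and, because `acr_values` is a voluntary request the OP may ignore, checks the `acr` claim that comes back in the ID Token before trusting the login. It assumes Mike Jones' URN spellings and an ordering of the three levels inferred from their descriptions; the ordering itself is an assumption, not something the thread states.

```python
"""RP-side handling of the ACR values proposed in the thread (added example)."""
from typing import Dict, Tuple

# Names as proposed by Mike Jones in the thread. The rank (weakest to strongest)
# is an ASSUMPTION drawn from the descriptions next to each value, not a
# registered ordering.
ACR_RANK: Dict[str, int] = {
    "urn:openid:acr:password_less": 1,             # possession or inherence is ok
    "urn:openid:acr:2factor": 2,                   # any two factors, software ok
    "urn:openid:acr:2factor_tamper_resistant": 3,  # two factors, hardware token
}


def acr_values_for(minimum: str) -> str:
    """Build the `acr_values` request parameter for a required minimum level.

    OIDC Core 3.1.2.1 defines `acr_values` as a space-separated list in order of
    preference, so every level at least as strong as `minimum` is listed,
    strongest first. The OP is free to ignore this, which is why check_acr()
    exists.
    """
    if minimum not in ACR_RANK:
        raise ValueError(f"unknown ACR level {minimum!r}")
    eligible = [v for v, rank in ACR_RANK.items() if rank >= ACR_RANK[minimum]]
    return " ".join(sorted(eligible, key=ACR_RANK.get, reverse=True))


def check_acr(id_token_claims: Dict[str, str], minimum: str) -> Tuple[bool, str]:
    """Decide whether the `acr` asserted by the OP meets the RP's requirement.

    Call this only after the ID Token signature, iss, aud, exp and nonce have
    been validated; this function deliberately does none of that. Returns
    (accepted, reason).
    """
    if minimum not in ACR_RANK:
        raise ValueError(f"unknown ACR level {minimum!r}")
    acr = id_token_claims.get("acr")
    if acr is None:
        # The OP honoured none of the requested levels and asserted nothing.
        return False, "no acr claim in ID Token"
    if acr not in ACR_RANK:
        # An unrecognised value (e.g. "0" or an OP-specific URI) must not be
        # silently treated as strong enough.
        return False, f"unrecognised acr value {acr!r}"
    if ACR_RANK[acr] < ACR_RANK[minimum]:
        return False, f"{acr} is weaker than required {minimum}"
    return True, acr


# Constructed sample ID Token claim sets (not real tokens): only the `acr`
# claim matters for this example.
SAMPLE_HARDWARE = {"sub": "248289761001", "acr": "urn:openid:acr:2factor_tamper_resistant"}
SAMPLE_PASSWORD_LESS = {"sub": "248289761001", "acr": "urn:openid:acr:password_less"}
SAMPLE_NO_ACR = {"sub": "248289761001"}

if __name__ == "__main__":
    required = "urn:openid:acr:2factor"
    print("acr_values=" + acr_values_for(required))
    for claims in (SAMPLE_HARDWARE, SAMPLE_PASSWORD_LESS, SAMPLE_NO_ACR):
        print(check_acr(claims, required))
```

The rejection of an unrecognised value is the part worth keeping whatever the final names become: if the mapping Torsten mentions to "any other model" is ever added, it belongs inside `ACR_RANK`, so that anything the RP has not explicitly ranked is still refused.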
