[Openid-specs-mobile-profile] ACR values

Lodderstedt, Torsten t.lodderstedt at telekom.de
Tue Nov 24 13:03:50 UTC 2015


Hi Philippe,

what does it mean with respect to the topic at hand? As I said (at least I tried :-)), my focus is on getting something reasonable/suitable done.

best regards,
Torsten.

-----Original Message-----
From: philippe.clement at orange.com [mailto:philippe.clement at orange.com]
Sent: Tuesday, 24 November 2015 13:13
To: openid-specs-mobile-profile at lists.openid.net; Mike Jones; Lodderstedt, Torsten
Subject: RE: [Openid-specs-mobile-profile] ACR values

sent again due to mail failure...

-----Original Message-----
From: CLEMENT Philippe IMT TECHNO
Sent: Tuesday, 24 November 2015 10:40
To: Lodderstedt, Torsten; Mike Jones; openid-specs-mobile-profile at lists.openid.net
Subject: RE: [Openid-specs-mobile-profile] ACR values

Dear all,
I went back to the charter to check the purpose of the workgroup:
__________________

2) Purpose:
Developing a profile of OpenID Connect intended to be appropriate for use by mobile network operators (MNOs) providing identity services to RPs and for RPs in consuming those services as well as any other party wishing to be interoperable with this profile.
__________________

I think that means that we work on an OIDC profile adapted for MNOs, not exclusively for Mobile Connect, which is one of several potential services MNOs offer to partners.

Hope this helps
Philippe

-----Original Message-----
From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Lodderstedt, Torsten
Sent: Monday, 23 November 2015 18:28
To: Mike Jones; openid-specs-mobile-profile at lists.openid.net
Subject: Re: [Openid-specs-mobile-profile] ACR values

Hi Mike,

thanks for your proposal. I think we can drop the "credential" part. It makes sense if we try to use ISO levels in order to indicate we cover credential/authentication levels only, not identity validation.

I'm rather reluctant to start with generic OpenID ACR value names. I prefer to start with the definition of what is really needed for MODRNA/Mobile Connect. Reaching consensus in the group will be difficult enough.

I would rather suggest having a discussion on generic ACR values later on with HEART, iGov and the new FIDO WG.

best regards,
Torsten. 

-----Original Message-----
From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Mike Jones
Sent: Sunday, 22 November 2015 20:50
To: Torsten Lodderstedt; openid-specs-mobile-profile at lists.openid.net
Subject: Re: [Openid-specs-mobile-profile] ACR values

I'd suggest these names instead:
- urn:openid:acr:credential:password_less (meaning: possession or inherence is ok)
- urn:openid:acr:credential:2factor (any two factors, software-based solutions are ok)
- urn:openid:acr:credential:2factor_tamper_resistant (any two factors, hardware token required)

I think that the names should not be MODRNA-specific.  And URNs are normally spelled with all lowercase characters.  Like OpenID Connect claim names, when there are multiple words in a name, separate them with underscores.

Also, is there a reason to have the "credential:" part in the URNs?  I'd suggest dropping that part as well, for brevity.  The size of the ID Token still matters (especially in mobile!).

				-- Mike

-----Original Message-----
From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Torsten Lodderstedt
Sent: Sunday, November 22, 2015 11:42 AM
To: openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] ACR values

Hi all,

based on the discussions in the last WG call, I think we are running circles again when it comes to ACR values.

What I got:
- usage of LOA values from ISO 29115 seems to confuse people (because they seem to be not as specific as we thought and cover identification as well)
- new EU regulations use other terms and the number of authentication levels differs

What do you think about the following proposal:

In the end, we want to give the RP a way to request authentication levels, which are specific to Mobile Connect/MODRNA. Why don't we define ACR value names, which exactly correspond to what we intend to use? From my perspective, Mobile Connect requires the following levels:
- urn:openid:modrna:acr:credential:PasswordLess (meaning: possession or inherence is ok)
- urn:openid:modrna:acr:credential:TwoFactor (any two factors, software-based solutions are ok)
- urn:openid:modrna:acr:credential:TwoFactorTamperResistant (any two factors, hardware token required)

Those values are intentionally MODRNA specific and could be mapped (if needed) to any other model.

What do you think?

best regards,
Torsten.
_______________________________________________
Openid-specs-mobile-profile mailing list Openid-specs-mobile-profile at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
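Added example, not code from the thread or from the MODRNA WG: an RP-side check that the `acr` claim returned in an ID Token actually meets the level the RP asked for via `acr_values`. It treats Torsten's MODRNA names and Mike's shorter spellings as aliases; the ordering password_less < 2factor < 2factor_tamper_resistant is an assumption drawn from the level descriptions in the thread, not something the thread states.

```python
"""RP-side verification of the `acr` claim against a requested ACR value.

Assumptions (not from the thread): the two proposed spellings of each level
are aliases, and the levels are strictly ordered by strength.
"""
from typing import Mapping, Optional

# Ordinal strength of each proposed level, keyed by both proposed spellings.
# Mike's names are listed as he wrote them, "credential:" part included.
ACR_LEVELS: Mapping[str, int] = {
    "urn:openid:modrna:acr:credential:PasswordLess": 1,
    "urn:openid:acr:credential:password_less": 1,
    "urn:openid:modrna:acr:credential:TwoFactor": 2,
    "urn:openid:acr:credential:2factor": 2,
    "urn:openid:modrna:acr:credential:TwoFactorTamperResistant": 3,
    "urn:openid:acr:credential:2factor_tamper_resistant": 3,
}


def level_of(acr: Optional[str]) -> Optional[int]:
    """Map an ACR URN to its ordinal level; None if unknown or absent."""
    if not isinstance(acr, str):
        return None
    return ACR_LEVELS.get(acr)


def build_acr_values(*acrs: str) -> str:
    """Build the space-separated `acr_values` request parameter, strongest
    first (OpenID Connect Core says values are listed in order of preference)."""
    unknown = [a for a in acrs if level_of(a) is None]
    if unknown:
        raise ValueError(f"unknown acr value(s): {unknown}")
    return " ".join(sorted(set(acrs), key=lambda a: -ACR_LEVELS[a]))


def acr_satisfied(requested: str, id_token_claims: Mapping[str, object]) -> bool:
    """True only if the ID Token carries a known `acr` at least as strong as
    `requested`. `acr_values` is a voluntary request in OpenID Connect Core:
    the OP may return a weaker or no `acr`, so the RP must check, not assume."""
    want = level_of(requested)
    if want is None:
        raise ValueError(f"unknown requested acr: {requested}")
    have = level_of(id_token_claims.get("acr"))  # None if missing/unknown
    return have is not None and have >= want
```

An RP that only sends `acr_values` and never inspects the returned `acr` silently accepts whatever level the OP performed, which is the failure this check closes.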
