[Openid-specs-mobile-profile] Comments on draft-mobile-authentication-1
John Bradley
ve7jtb at ve7jtb.com
Sun Nov 29 18:38:17 UTC 2015
For login_hint_token, the main reason to sign it is so that RPs don't start prompting users for phone numbers and creating their own tokens.
I can’t think of any security reason.
For an example of a signed and encrypted JWT see https://tools.ietf.org/html/rfc7519#page-26, A.2.
It is more of a policy decision than a technical one to require signing.
We could require integrity protection instead.
That would let the discovery service sign and then encrypt. The IdP could use a symmetric key to encrypt, and get sender verification in one operation.
John B.
> On Nov 29, 2015, at 3:19 PM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>
> Hi Jörg,
>
> thanks for producing a new revision, which covers context and login_token_hint (@all: it's published at https://bitbucket.org/openid/mobile/raw/default/draft-mobile-authentication-01.txt).
>
> Please find attached my comments as well as proposed text for security/privacy considerations sections and other aspects.
>
> I would like to bring one question to the group's attention: Do we want to require the login_token_hint to be signed? What is the main reason? Issuer authenticity?
>
> best regards,
> Torsten.
> <draft-mobile-authentication-01_tlt.docx>
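John's point above, that the IdP could use a symmetric key to encrypt and get sender verification in the same operation, as an added Go example that is not code from this thread or from the draft: a login_hint_token carried as a compact JWE with alg "dir" and enc "A256GCM" (RFC 7516/7518), where the GCM tag over the protected header and claims proves the token came from a holder of the shared key. It assumes a 32-byte key pre-shared between the discovery service and the IdP; the claims and key values in any caller are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding
// Direct-key JWE header (RFC 7516): the secret shared by discovery service and IdP is the content key.
const jweHeader = `{"alg":"dir","enc":"A256GCM"}`

func newGCM(key []byte) (cipher.AEAD, error) { // key must be 32 bytes for A256GCM
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// EncryptLoginHintToken emits a compact JWE over the hint claims. The GCM tag covers the protected header (as
// AAD) and the claims, so the one operation that gives confidentiality also gives integrity and sender verification.
func EncryptLoginHintToken(key, claims []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil { return "", err }
	iv := make([]byte, gcm.NonceSize()) // fresh 96-bit IV per token
	if _, err := rand.Read(iv); err != nil { return "", err }
	hdr := b64.EncodeToString([]byte(jweHeader))
	sealed := gcm.Seal(nil, iv, claims, []byte(hdr)) // ciphertext || tag
	n := len(sealed) - gcm.Overhead()
	// Compact serialization: header.encryptedKey.iv.ciphertext.tag, with an empty encrypted key for "dir".
	return strings.Join([]string{hdr, "", b64.EncodeToString(iv), b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}

// DecryptLoginHintToken fails on any change to header, IV, ciphertext or tag, and on a wrong key.
func DecryptLoginHintToken(key []byte, token string) ([]byte, error) {
	p := strings.Split(token, ".")
	// The token never gets to choose its algorithm: only a 5-part token carrying the exact agreed header is accepted.
	if raw, err := b64.DecodeString(p[0]); len(p) != 5 || p[1] != "" || err != nil || string(raw) != jweHeader {
		return nil, errors.New("not the expected direct-key compact JWE")
	}
	iv, e1 := b64.DecodeString(p[2])
	ct, e2 := b64.DecodeString(p[3])
	tag, e3 := b64.DecodeString(p[4])
	gcm, e4 := newGCM(key)
	if e1 != nil || e2 != nil || e3 != nil || e4 != nil { return nil, errors.New("malformed JWE") }
	// Open verifies the tag over header and ciphertext before returning any plaintext.
	return gcm.Open(nil, iv, append(ct, tag...), []byte(p[0]))
}
```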