[Openid-specs-mobile-profile] Comments on draft-mobile-authentication-1

John Bradley ve7jtb at ve7jtb.com
Sun Nov 29 18:38:17 UTC 2015


For login_hint_token, the main reason to sign it is so that RPs don't start prompting users for phone numbers and creating their own tokens.
I can’t think of any security reason. 

For an example of a signed and encrypted JWT see https://tools.ietf.org/html/rfc7519#page-26, A.2.

It is more of a policy decision than a technical one to require signing. 

We could require integrity protection instead. 

That would let the discovery service sign and then encrypt. The IdP could use a symmetric key to encrypt, and get sender verification in one operation.

John B.
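As an added example (not code from the thread or from the draft), the one-operation approach mentioned above: a login_hint_token sealed as a direct-mode A256GCM JWE under a key shared by the discovery service and the IdP, so that a successful decryption also verifies the sender and any alteration of header, IV, ciphertext or tag is rejected. It uses only the Go standard library; the compact layout follows RFC 7516, while the key, the claim names and the claim values are constructed placeholders.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)
var b64 = base64.RawURLEncoding
// Protected header for direct symmetric encryption with AES-256-GCM (RFC 7516/7518).
var hdr = b64.EncodeToString([]byte(`{"alg":"dir","enc":"A256GCM","typ":"JWT"}`))
// NewGCM turns the 32-byte key shared by discovery service and IdP into an AEAD.
func NewGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// EncryptLoginHintToken seals the JSON claims as a compact JWE. With alg "dir" the shared
// key gives confidentiality and, through the GCM tag, sender verification in one step.
func EncryptLoginHintToken(gcm cipher.AEAD, claimsJSON []byte) (string, error) {
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, iv, claimsJSON, []byte(hdr)) // AAD is the encoded header
	n := len(sealed) - gcm.Overhead()                    // sealed = ciphertext || tag
	return strings.Join([]string{hdr, "", b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}
// DecryptLoginHintToken accepts only tokens sealed under the same key with exactly this header.
func DecryptLoginHintToken(gcm cipher.AEAD, token string) ([]byte, error) {
	p := strings.Split(token, ".")
	if len(p) != 5 || p[0] != hdr || p[1] != "" {
		return nil, errors.New("not a dir/A256GCM compact JWE")
	}
	iv, e1 := b64.DecodeString(p[2])
	ct, e2 := b64.DecodeString(p[3])
	tag, e3 := b64.DecodeString(p[4])
	if e1 != nil || e2 != nil || e3 != nil || len(iv) != gcm.NonceSize() {
		return nil, errors.New("malformed token")
	}
	pt, err := gcm.Open(nil, iv, append(ct, tag...), []byte(p[0])) // fails on any change
	if err != nil {
		return nil, errors.New("authentication failed: tampered or not from a key holder")
	}
	return pt, nil
}
```

Because the same key both seals and opens, this only verifies that the sender is one of the two key holders; it does not give the third-party (RP-verifiable) origin proof a signature would.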
> On Nov 29, 2015, at 3:19 PM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
> 
> Hi Jörg,
> 
> thanks for producing a new revision, which covers context and login_token_hint (@all: it's published at https://bitbucket.org/openid/mobile/raw/default/draft-mobile-authentication-01.txt).
> 
> Please find attached my comments as well as proposed text for security/privacy considerations sections and other aspects. 
> 
> I would like to bring one question to the group's attention: Do we want to require the login_token_hint to be signed? What is the main reason? Issuer authenticity?
> 
> best regards,
> Torsten.
> <draft-mobile-authentication-01_tlt.docx>
