[Openid-specs-mobile-profile] Minutes WG Call 27.1.2016

Lodderstedt, Torsten t.lodderstedt at telekom.de
Mon Feb 8 15:49:25 UTC 2016

Hi all,

please find below the minutes of our call on January 27th 2016.

best regards,

John Bradley
Nat Sakimura
Florian Walter
Jörg Connotte
Gonzalo Fernandéz
Matthieu Verdier
Bjorn Hjelm
Torsten Lodderstedt

Authentication spec
- John guided us through the changes he made in the last revision
- The following topics were discussed:
* ACR Values: examples for security keys and difference between keys and pwd/pin shall be added
* AMR values: add example for amr values (e.g. SIM Applet+PIN is represented by "hpop" + "pin")
* short and long form of ACRs: the short shall be used by clients, long form will be used to register the ACR values in the IANA registry (by MODRNA WG)
* order of acrs gives RP a way to express its preferences regarding authentication, i.e. bring ACR values in their preferred order
* we stay with two acr values for now, we could add the third (or a fourth) value at any time based on experiences/discussions
- how to handle TBDs
- 6.1. replace by reference to respective OpenID Connect Discovery
- 7 length of the binding message - replace by better explanation: message may be truncated
- Mitigations for new security vulnerabilities
- discussed different options
* copy text from oauth spec
* reference current oauth spec
* recommend to use "code id_token" instead of "code"
* general problem: discussions within OAuth WG are ongoing and outcome cannot really be predicted.
-> Conclusion: will pass spec to GSMA as is and discuss vulnerabilities and way forward with GSMA

- John, Torsten will attend
- Nat will probably attend as well (as he will be in Paris at that time)
- Gonzalo & Matthieu would attend if we set up a meeting regarding MODRNA
- Torsten will talk to GSMA
