[Openid-specs-mobile-profile] New Version of Account Migration Draft

Arne Georg Gleditsch argggh at telenordigital.com
Tue Aug 2 13:39:04 UTC 2016


Hi all,

Thanks for a great job on the draft, Torsten.  I have some further
suggestions:

1) The draft explicitly states that chained migration is out of scope.
However, as far as I read the current draft, if we just allow the *from*
clause of a *migration_data* claim to itself contain a nested
*migration_data* claim, we would have it for free.

2) We are inflating the size of the id_token a bit.  What if, instead of
(or as an alternative to) the *migration_data* claim, we had a
*migration_data_url* claim, indicating an endpoint that could be accessed
to obtain the actual migration data payload?  (This endpoint should be
accessed with an authorization bearer header carrying the user's access token.)

3) Regarding time-to-live of migration proofs and the required verification
key material: I think it would be wise if we gave some thought to how we
want to enable RPs to verify migration proofs even if the original OP is
unavailable/has retired the required key material.  Could we perhaps allow
*migration_data* to have the alternate form

{
  "notarized": {
    "iss": "https://ttp.com",
    "iat": 1468925762986,
    "migration_data": "ey..."
  }
}

with the semantics that the signature protecting the encapsulated
*migration_data* JWT was verified to the issuer's satisfaction at the given
time?  This presupposes a service at the TTP that could verify a JWT
signature and produce a notarized encapsulating JWT, and that the TTP
pledged to keep verification key material accessible for a significant
amount of time.  The RP could then, provided they recognize the issuer of
the notarized claim as a trusted third party, use the payload section of
the encapsulated JWT without themselves verifying the signature.  (RPs not
happy with deferring signature verification can choose to ignore the
notarized wrapper and verify the original signature themselves, accepting
the life cycle risks of OPs and JWT verification key material.)

4) On a minor note, it looks like the *migration_data* JWT in section 4
does not match the JSON shown below it, which I assume it is intended to.

Thanks,

Arne.
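
As an added illustration of proposal 3 above (example code, not part of this
thread or of the draft): a TTP-side notarize step and an RP-side check that
accepts either the original *migration_data* JWT or the notarized wrapper.
It assumes HS256 shared secrets standing in for the OP's and TTP's real keys,
that the value under "notarized" is the TTP's compact JWT whose payload carries
the iss/iat/migration_data fields shown above, and constructed issuer names
and claims.

```python
import base64, hashlib, hmac, json, time

# Constructed keys: HS256 shared secrets stand in for the OP's and TTP's real
# (asymmetric) signing keys; a real RP would fetch them from JWKS endpoints.
OP_KEYS = {"https://old-op.example": b"old-op-secret"}
TRUSTED_TTPS = {"https://ttp.com": b"ttp-secret"}

def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(payload: dict, key: bytes) -> str:
    head = _b64u(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64u(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u(sig)}"

def unverified_payload(token: str) -> dict:
    # Only for looking up the issuer, or reading a payload a notary vouched for.
    return json.loads(_unb64u(token.split(".")[1]))

def verify_jwt(token: str, key: bytes) -> dict:
    head, body, sig = token.split(".")
    expect = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, _unb64u(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64u(body))

def notarize(migration_jwt: str, ttp_iss: str) -> dict:
    """TTP side: check the OP's signature now, then vouch for it in a wrapper JWT."""
    op_iss = unverified_payload(migration_jwt)["iss"]
    verify_jwt(migration_jwt, OP_KEYS[op_iss])  # raises if the OP signature is bad
    wrapper = {"iss": ttp_iss, "iat": int(time.time()), "migration_data": migration_jwt}
    return {"notarized": sign_jwt(wrapper, TRUSTED_TTPS[ttp_iss])}

def rp_migration_payload(claim, defer_to_notary: bool = True) -> dict:
    """RP side: accept the plain JWT or the notarized form proposed above."""
    if isinstance(claim, str):  # original form: verify the OP signature ourselves
        return verify_jwt(claim, OP_KEYS[unverified_payload(claim)["iss"]])
    wrapper = claim["notarized"]
    ttp_key = TRUSTED_TTPS.get(unverified_payload(wrapper).get("iss"))
    if ttp_key is None:
        raise ValueError("notary is not a trusted third party")
    inner = verify_jwt(wrapper, ttp_key)["migration_data"]
    if defer_to_notary:  # rely on the notary's earlier verification
        return unverified_payload(inner)
    return rp_migration_payload(inner)  # ignore the wrapper, verify the OP signature
```

With defer_to_notary=False the RP needs the OP's key material itself, which is
exactly the life cycle risk the notarized form is meant to sidestep.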


On Tue, Aug 2, 2016 at 10:11 AM, <Torsten.Lodderstedt at telekom.de> wrote:

> Hi all,
>
> I just republished the draft in order to fix a problem regarding
> references (thanks to Axel!). You can find the new version at
> http://openid.net/wordpress-content/uploads/2016/08/draft-account-migration-01.html
>
> best regards,
>
> Torsten.
>
> *From:* Openid-specs-mobile-profile [mailto:
> openid-specs-mobile-profile-bounces at lists.openid.net] *On behalf of *Lodderstedt,
> Torsten
> *Sent:* Tuesday, 19 July 2016 13:30
> *To:* openid-specs-mobile-profile at lists.openid.net
> *Subject:* [Openid-specs-mobile-profile] New Version of Account Migration
> Draft
>
> Hi all,
>
> I just published -01 of the account migration draft at openid.net (
> http://openid.net/wordpress-content/uploads/2014/04/draft-account-migration-01.html).
> The source code can be found in our Bitbucket repo.
>
> This is a significant rewrite of the specification based on your valuable
> feedback. Thank you! Although I tried to incorporate all review comments,
> please bear with me if I missed a comment. Please let me know, so I can
> incorporate it in the next revision.
>
> I applied the following changes to the document:
>
> · reorganized the draft
> · extended introduction and overview
> · stated scope of the draft and what is currently out of scope
> · changed terminology from porting to migration
> · changed migration data structure to be different from an id token
> · cleaned up references
> · added initial security considerations
>
> Please post your feedback to the list.
>
> best regards,
>
> Torsten.