[Openid-specs-mobile-profile] Fwd: [User Questioning (a.k.a Transaction Authorization)] First draft

nicolas.aillery at orange.com nicolas.aillery at orange.com
Mon Sep 12 07:20:18 UTC 2016


Hello Torsten,


* About the Verification code:

  - In France, most banks use SMS OTP for 3D Secure. In brief: when I pay on a web site, I enter my credit card number, then I’m redirected to my bank website. I receive an SMS containing an OTP on my mobile, and I must enter this code on my bank website to validate the payment. It’s a split terminal use case, as the consuming device is different from the authenticating device, that works even with basic phones.

  - With the ‘user questioning’ specification, Orange would like to address this use case. The bank website would be a Client.

  - We agree that the “Terminated-By-Client flow” adds complexity, so we are interested in your ideas to enable the use case without the specific “Terminated-By-Client flow”.


* About the User Questioning Object:

  - We designed a RESTful API, but we agree that this approach is not the most efficient (large object, redundancy of information, …).

  - We agree to work on a simplified API.


Regards,

Nicolas


From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On behalf of Torsten.Lodderstedt at telekom.de
Sent: Wednesday, 7 September 2016 17:51
To: openid-specs-mobile-profile at lists.openid.net
Cc: philippe.clement.ft at gmail.com
Subject: Re: [Openid-specs-mobile-profile] Fwd: [User Questioning (a.k.a Transaction Authorization)] First draft

Hi all,

thank you for producing this first draft for user questioning (formerly known as transaction authorization).

Here are some comments:

Verification code: the document defines three different flows for how a client can obtain the user’s answer. What is the use case for the “terminated by client” flow? From the discussion in our WG call I understood you want to support SMS-based OTP mechanisms for getting the user’s answer. I personally think this does not require the user to (somehow) give the code to the client, which in turn uses it as a credential to obtain the answer from the user questioning endpoint. Integration of SMS could be achieved (encapsulated within the OP) by adding a confirmation URL to the SMS pointing to a suitable (internal) endpoint at the OP. This way even SMS can be used in conjunction with the other modes.

User Questioning Object: What is the benefit of always using the same object type in all requests and responses from/to the user questioning API? I think ordinary request/response parameters would do the job. For example, why do I need to respond to the client user id and type given I sent this data to the OP in the request?

best regards,
Torsten.

From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On behalf of Philippe Clément
Sent: Thursday, 1 September 2016 14:45
To: openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] Fwd: [User Questioning (a.k.a Transaction Authorization)] First draft

Dear all,

please find below the first draft of Orange's participation in the User Questioning API (aka transaction authorization). Do not hesitate to give feedback to Nicolas or Charles on the list.

regards,
Philippe

---------- Forwarded message ----------
From: <philippe.clement at orange.com>
Date: 2016-09-01 14:40 GMT+02:00
Subject: TR: [User Questioning (a.k.a Transaction Authorization)] First draft
To: Openid-specs-mobile-profile <openid-specs-mobile-profile at lists.openid.net>
Cc: "philippe.clement.ft at gmail.com" <philippe.clement.ft at gmail.com>



From: AILLERY Nicolas IMT/OLPS
Sent: Wednesday, 31 August 2016 11:35
To: openid-specs-mobile-profile at lists.openid.net
Cc: John Bradley; Torsten.Lodderstedt at telekom.de; CLEMENT Philippe IMT TECHNO; VASSELET Mickaël IMT/OLN; MARAIS Charles IMT/OLPS
Subject: [User Questioning (a.k.a Transaction Authorization)] First draft

Hi all,

   Please find in attachment a first draft for the API enabling transaction authorization.
   We chose to name this API ‘User Questioning’ to avoid possible misunderstanding with ‘oauth authorization’.

Best regards,

Nicolas

_________________________________________________________________________________________________________________________






This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

