[Openid-specs-mobile-profile] Account porting: draft -01: New OP encrypting port_token

Manger, James James.H.Manger at team.telstra.com
Thu Sep 22 08:30:51 UTC 2016


Attached is an updated draft of OpenID Connect Account Porting: draft-account-porting-01.

Or read it at https://id.cto.telstra.com/2016/openid/draft-account-porting.html

I will put it in the Bitbucket repo <https://bitbucket.org/openid/mobile/src/>, once I have sorted out some glitches. [There are 2 "default" branches after Gonzalo's recent commits, which is hiding earlier commits by John, Joerg, and me. A merge should do it, if I can work out how.]


The main change in this draft is that the New OP collects a single token from the Old OP representing a porting event. The New OP needs to bind it to a sector_id and anonymize it before passing it to RPs - which is done by applying symmetric authenticated encryption, keyed with H(client_secret).

This draft does NOT require RPs to authenticate to the Old OP. It assumes the encrypted port token can act as a bearer token (i.e. a capability).

There is a pretty flow diagram in appendix A. This time in SVG instead of a PNG.

Comments welcome, indeed required.

--
James Manger

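An added example of the New OP's encryption step described in the post, written for this page rather than taken from the draft or from James's code. It assumes SHA-256 as H, AES-GCM as the symmetric authenticated encryption, and that the sector_id is bound by passing it as associated data (so it authenticates the ciphertext without being part of it); the post does not specify these choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// newAEAD builds AES-GCM keyed with H(client_secret); SHA-256 is assumed as H.
func newAEAD(clientSecret string) (cipher.AEAD, error) {
	key := sha256.Sum256([]byte(clientSecret))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPortToken seals port_token with sector_id as associated data (assumed
// binding method), returning nonce || ciphertext || tag for the RP to carry.
func EncryptPortToken(clientSecret, sectorID, portToken string) ([]byte, error) {
	aead, err := newAEAD(clientSecret)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(portToken), []byte(sectorID)), nil
}

// DecryptPortToken fails if the key, the sector_id or the blob does not match.
func DecryptPortToken(clientSecret, sectorID string, sealed []byte) (string, error) {
	aead, err := newAEAD(clientSecret)
	if err != nil {
		return "", err
	}
	if len(sealed) < aead.NonceSize() {
		return "", errors.New("encrypted port_token too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(sectorID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

Because the sector_id is authenticated rather than encrypted, a blob issued for one sector cannot be opened under another sector_id even with the right key, which is the binding property the post asks for; the blob would be base64url-encoded before being placed in a token.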