[Openid-specs-mobile-profile] Account porting: draft -01: New OP encrypting port_token

Manger, James James.H.Manger at team.telstra.com
Fri Sep 23 08:03:30 UTC 2016


draft-account-porting-01 is now in the MODRNA Bitbucket repo https://bitbucket.org/openid/mobile/src/.
The file name doesn't have the "-01" version suffix, as the version control system is designed to take care of that.

--
James Manger


From: Manger, James
Sent: Thursday, 22 September 2016 6:31 PM
To: openid-specs-mobile-profile at lists.openid.net
Subject: Account porting: draft -01: New OP encrypting port_token

Attached is an updated draft of OpenID Connect Account Porting: draft-account-porting-01.

Or read it at https://id.cto.telstra.com/2016/openid/draft-account-porting.html

I will put it in the Bitbucket repo <https://bitbucket.org/openid/mobile/src/>, once I have sorted out some glitches. [There are 2 "default" branches after Gonzalo's recent commits, which is hiding earlier commits by John, Joerg, and me. A merge should do it, if I can work out how.]


The main change in this draft is that the New OP collects a single token from the Old OP representing a porting event. The New OP needs to bind it to a sector_id and anonymizes it before passing it to RPs - which is done by applying symmetric authenticated encryption, keyed with H(client_secret).

This draft does NOT require RPs to authenticate to the Old OP. It assumes the encrypted port token can act as a bearer token (i.e. a capability).

There is a pretty flow diagram in appendix A. This time in SVG instead of a PNG.

Comments welcome, indeed required.

--
James Manger
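The New OP's binding step from the forwarded message, as an added example that is not code from the draft or from this mailing-list thread. It assumes SHA-256 as H, AES-GCM as the symmetric authenticated encryption, sector_id carried as associated data, a nonce-prefixed output layout, and constructed sample values; the draft itself may instantiate these differently.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// gcmFor keys an AEAD with H(client_secret); H = SHA-256 and AES-GCM are assumptions.
func gcmFor(clientSecret string) (cipher.AEAD, error) {
	key := sha256.Sum256([]byte(clientSecret))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: NewCipher cannot fail
	return cipher.NewGCM(block)
}

// SealPortToken is the New OP's step: AEAD-encrypt the Old OP's port_token for one RP with
// sector_id as associated data. Layout (assumed): nonce || ciphertext || tag; Seal appends to nonce.
func SealPortToken(clientSecret, sectorID string, portToken []byte) ([]byte, error) {
	aead, err := gcmFor(clientSecret)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, portToken, []byte(sectorID)), nil
}

// OpenPortToken: a different key, a different sector_id or any modified byte fails the tag check.
func OpenPortToken(clientSecret, sectorID string, sealed []byte) ([]byte, error) {
	aead, err := gcmFor(clientSecret)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed port_token too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(sectorID))
}

func main() {
	sealed, _ := SealPortToken("rp-secret", "https://rp.example", []byte("port-event-42"))
	_, err := OpenPortToken("rp-secret", "https://other.example", sealed) // other sector
	fmt.Println("accepted under another sector_id:", err == nil)
}
```

Because sector_id is authenticated rather than encrypted, a token minted for one sector cannot be replayed to an RP in another sector even by a party holding the same key.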
