[Openid-specs-mobile-profile] OP generated binding_message
GONZALO FERNANDEZ RODRIGUEZ
gonzalo.fernandezrodriguez at telefonica.com
Wed Nov 30 19:09:39 UTC 2016
The objective of the binding_message is to interlock both devices in other scenarios different from a simple authentication. In fact, as far as I know the original request came from the banks that wanted to show information related to transactions, etc…
From: "Torsten.Lodderstedt at telekom.de<mailto:Torsten.Lodderstedt at telekom.de>"
Date: Wednesday 30 November 2016 at 17:43
To: Gonzalo Fernández, "Axel.Nennker at telekom.de<mailto:Axel.Nennker at telekom.de>", "openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net>"
Subject: Re: [Openid-specs-mobile-profile] OP generated binding_message
In the context of an authentication process, the OP definitely knows what to display on the authentication device, e.g. information about the service the user is supposed to login to.
From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On behalf of GONZALO FERNANDEZ RODRIGUEZ
Sent: Wednesday, 30 November 2016 15:27
To: Nennker, Axel; openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net>
Subject: Re: [Openid-specs-mobile-profile] OP generated binding_message
I don’t agree with this approach. The OP knows better “HOW” to show the information on the Authentication Device because it knows the limits of the authenticator; however, I reckon that it is the RP who knows better “WHAT” should be displayed. What I mean is that if the OP takes a decision to optimise what should be displayed, it can truncate it and exclude what is important.
From: Openid-specs-mobile-profile on behalf of "Axel.Nennker at telekom.de<mailto:Axel.Nennker at telekom.de>"
Date: Wednesday 30 November 2016 at 14:53
To: "openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net>"
Subject: [Openid-specs-mobile-profile] OP generated binding_message
In an email to GSMA I suggested to discuss whether it is worthwhile reversing the direction of binding_message.
The reasoning is:
I think that the OP knows better what the AD can display.
After receiving the CIBA request the OP determines the channel and AD capabilities (like USSD and SIM Toolkit) and sends the binding_message to the AD and the RP in the CIBA Authentication Request Response.
The same suggestion was raised by Arne during a GSMA CPAS call this morning.
Here is a use case describing this:
- Polish policeman (PP) wants to check a driver’s license which the driver does not have present
- PP logs into government website (RP) and enters the driver’s mobile number
- RP sends CIBA to OP which sends request to AD with binding_message=”PP Szydło wants to check your driver’s license”
- OP sends binding_message to RP which is shown to PP too.
- User sees message “PP Szydło wants to check your driver’s license”, checks the name on PP’s device and consents
- OP notifies RP of consent
- RP retrieves driver’s picture and validity data of license from its DB
- RP sends data to PP who compares the picture and now knows the validity of the driver’s license without giving away too much data
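The two directions debated in this thread, modelled as an added example (this is illustrative code, not anything from the OpenID or GSMA drafts): in the first flow the RP supplies binding_message and the OP adapts it to the Authentication Device (AD); in the second the OP composes it from what it knows about the registered client and the AD channel, and returns the same string to the RP in the Authentication Request Response. The 40-character USSD-style display limit, the hard-truncation policy, the client name, the bank transfer text and the "Login to ..." template are all assumptions; no real CIBA wire format is modelled. The user-side check at the end is the interlock the thread refers to: the user consents only if both devices show the same message.

```python
# Added example, not part of the mailing-list thread or any CIBA draft.
# Models who generates binding_message and what the user can verify.
from dataclasses import dataclass


@dataclass
class AuthenticationDevice:
    """The user's AD. max_chars is an assumed, illustrative display limit
    (e.g. a USSD-like channel); it is not a value from any specification."""
    channel: str
    max_chars: int
    shown: str = ""

    def display(self, text: str) -> None:
        self.shown = text


def fit_to_device(text: str, ad: AuthenticationDevice) -> tuple[str, str]:
    """What an OP that 'optimises' a message for the AD might do: hard truncation.
    Returns (text actually shown, text that was dropped)."""
    if len(text) <= ad.max_chars:
        return text, ""
    keep = ad.max_chars - 3            # room for the "..." marker
    return text[:keep] + "...", text[keep:]


def user_consents(ad_shown: str, rp_shown: str) -> bool:
    """The interlock: the user compares the AD screen with the RP's screen
    and consents only if the two messages are identical."""
    return ad_shown == rp_shown


def rp_generated_flow(ad: AuthenticationDevice, rp_message: str) -> dict:
    """Direction 1: the RP puts binding_message in the CIBA request.
    The OP adapts it to the AD; the RP shows its own full copy on the
    consumption device, since it never learns what the OP actually displayed."""
    ad_msg, dropped = fit_to_device(rp_message, ad)
    ad.display(ad_msg)
    rp_screen = rp_message
    return {
        "ad_shown": ad.shown,
        "rp_shown": rp_screen,
        "lost": dropped,                          # content the user never saw
        "match": user_consents(ad.shown, rp_screen),
    }


def op_generated_flow(ad: AuthenticationDevice, client_name: str) -> dict:
    """Direction 2: the OP composes binding_message from the registered client
    name (information it holds anyway) and the AD it has selected, sends it to
    the AD, and returns the identical string to the RP in the
    Authentication Request Response."""
    composed = f"Login to {client_name}"        # assumed OP template
    ad_msg, dropped = fit_to_device(composed, ad)
    ad.display(ad_msg)
    response = {"binding_message": ad_msg}       # what the RP receives
    rp_screen = response["binding_message"]
    return {
        "ad_shown": ad.shown,
        "rp_shown": rp_screen,
        "lost": dropped,
        "match": user_consents(ad.shown, rp_screen),
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    ussd_ad = AuthenticationDevice(channel="ussd", max_chars=40)
    bank_text = "Transfer 1,500 EUR to ES12 3456 7890 1234 5678 9012"
    print(rp_generated_flow(ussd_ad, bank_text))
    print(op_generated_flow(AuthenticationDevice("ussd", 40), "gov.pl Police Portal"))
```

Running it shows the trade-off both sides of the thread describe: in the RP-generated flow the OP's truncation drops the tail of the account number, so the AD and the RP screen no longer match and the user cannot confirm the transaction details; in the OP-generated flow both devices show exactly the same string, but it only carries what the OP knows (the service name), not the transaction data the RP wanted displayed.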