[Openid-specs-mobile-profile] Account porting draft 05: public key encryption
James.H.Manger at team.telstra.com
Fri Feb 24 02:48:04 UTC 2017
The next draft of Account Porting has been published.
The major change is that the port_token is encrypted with the Old OP's public key, instead of with the New OP's symmetric client_secret.
This draft also mandates that New OPs support RSA-OAEP-256 and AES256GCM.
(look at the .xml file, not the .html, which is just derived from the .xml)
Xml: draft-account-porting.xml in https://bitbucket.org/openid/mobile/src
* "port_enc_algs_supported" renamed to "port_enc_values_supported" for consistency with other values in OIDC.Discovery<http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata>. We still need this field even when switching to public key encryption for the content-encryption part (despite what I implied in my recent slide deck on account porting).
* Require "jwks_uri" with at least 1 encryption key ("use": "enc"). Include an example JWKS value.
* Encrypt port_token with the Old OP's public key, instead of a symmetric key shared by Old & New OPs
* Mandatory-to-implement (MTI) RSA-OAEP-256 and AES256GCM (for New OP)
* Should we mandate 1 key-encryption and 1 content-encryption algorithm? Or more? Which ones? Should the requirement be on New OPs or Old OPs?
To do (any help is appreciated):
* Full worked examples
* A couple of (demo) implementations
* Write privacy considerations; review security considerations
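The following is an added illustration, not code from the draft or from the mailing-list post, of the key-handling path the message describes: the Old OP publishes an RSA key marked "use":"enc" at its jwks_uri, the New OP picks that key and encrypts the port_token as a compact JWE with the proposed mandatory-to-implement pair RSA-OAEP-256 and A256GCM, and the Old OP decrypts it while refusing any other alg/enc combination. The JWE layout follows RFC 7516 (protected header as AES-GCM additional data, five base64url segments); the kid value "old-op-enc-1" and the port_token payload are constructed sample values. Go is used because its standard library provides RSA-OAEP with SHA-256 and AES-GCM, so the example runs with no third-party dependency.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url throughout

// JWK holds the RFC 7517 fields needed for an RSA public encryption key.
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use"`
	Kid string `json:"kid"`
	Alg string `json:"alg,omitempty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the document served at the Old OP's jwks_uri.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// PublishJWKS builds what the Old OP serves: the public half of its port_token
// decryption key, marked "use":"enc" as the draft requires.
func PublishJWKS(pub *rsa.PublicKey, kid string) JWKS {
	return JWKS{Keys: []JWK{{
		Kty: "RSA", Use: "enc", Kid: kid, Alg: "RSA-OAEP-256",
		N:   b64.EncodeToString(pub.N.Bytes()),
		E:   b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
	}}}
}

// EncryptionKey is the New OP's selection step: take the first RSA key whose
// "use" is "enc"; signing keys in the same JWKS must never be used for encryption.
func EncryptionKey(set JWKS) (*rsa.PublicKey, string, error) {
	for _, k := range set.Keys {
		if k.Kty != "RSA" || k.Use != "enc" {
			continue
		}
		nb, err := b64.DecodeString(k.N)
		if err != nil {
			return nil, "", err
		}
		eb, err := b64.DecodeString(k.E)
		if err != nil {
			return nil, "", err
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}, k.Kid, nil
	}
	return nil, "", fmt.Errorf("no RSA key with use=enc in JWKS")
}

// EncryptPortToken (New OP side) produces a compact JWE with alg=RSA-OAEP-256, enc=A256GCM.
func EncryptPortToken(pub *rsa.PublicKey, kid string, portToken []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP-256", "enc": "A256GCM", "kid": kid})
	protected := b64.EncodeToString(header)
	cek := make([]byte, 32) // fresh 256-bit content-encryption key per token
	if _, err := rand.Read(cek); err != nil {
		return "", err
	}
	// RSA-OAEP-256: OAEP with SHA-256 for both the hash and MGF1 (Go uses the same hash for both).
	encCEK, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block) // 96-bit IV and 128-bit tag, matching A256GCM
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	// The protected header is the AAD, so alg/enc/kid cannot be altered without detection.
	sealed := gcm.Seal(nil, iv, portToken, []byte(protected))
	ct, tag := sealed[:len(sealed)-gcm.Overhead()], sealed[len(sealed)-gcm.Overhead():]
	return strings.Join([]string{protected, b64.EncodeToString(encCEK), b64.EncodeToString(iv),
		b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."), nil
}

// DecryptPortToken (Old OP side) accepts only the mandatory-to-implement algorithms.
func DecryptPortToken(priv *rsa.PrivateKey, jwe string) ([]byte, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 {
		return nil, fmt.Errorf("malformed compact JWE")
	}
	raw := make([][]byte, 5)
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, err
		}
	}
	var hdr map[string]string
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	if hdr["alg"] != "RSA-OAEP-256" || hdr["enc"] != "A256GCM" {
		return nil, fmt.Errorf("rejected alg/enc %q/%q", hdr["alg"], hdr["enc"])
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, raw[1], nil)
	if err != nil || len(cek) != 32 {
		return nil, fmt.Errorf("content-encryption key unwrap failed")
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0]))
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // Old OP's long-term port_token key
	set := PublishJWKS(&priv.PublicKey, "old-op-enc-1")
	pub, kid, _ := EncryptionKey(set)
	jwe, _ := EncryptPortToken(pub, kid, []byte(`{"iss":"https://new-op.example","sub":"alice"}`)) // constructed payload
	pt, err := DecryptPortToken(priv, jwe)
	fmt.Println(string(pt), err)
}
```

The decrypt side checks the header before unwrapping the key, so a token that names a weaker or unsupported algorithm is refused outright rather than negotiated down; the test also confirms that rewriting the protected header after encryption fails GCM authentication.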