[Openid-specs-mobile-profile] Account porting draft 05: public key encryption

Manger, James James.H.Manger at team.telstra.com
Fri Feb 24 02:48:04 UTC 2017


The next draft of Account Porting has been published.
The major change is that the port_token is encrypted with the Old OP's public key, instead of with the New OP's symmetric client_secret.
This draft also mandates that New OPs support RSA-OAEP-256 and AES256GCM.

Changes: https://bitbucket.org/openid/mobile/commits/6ac4d627924cd88edf5026b3167562f12c508470#chg-draft-account-porting.xml
(look at the .xml file, not the .html which is just derived from the .xml)

Xml: draft-account-porting.xml in https://bitbucket.org/openid/mobile/src
Web: https://id.cto.telstra.com/2016/openid/draft-account-porting.html

Changes:

*         "port_enc_algs_supported" renamed to "port_enc_values_supported" for consistency with other values in OIDC.Discovery<http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata>. We still need this field even when switching to public key encryption for the content-encryption part (despite what I implied in my recent slide deck on account porting).

*         Require "jwks_uri" with at least 1 encryption key ("use": "enc"). Include an example JWKS value.

*         Encrypt port_token with the Old OP's public key, instead of a symmetric key shared by Old & New OPs

*         Mandatory-to-implement (MTI) RSA-OAEP-256 and AES256GCM (for New OP)

Open issues:

*         Should we mandate 1 key-encryption and 1 content-encryption algorithm? Or more? Which ones? Should the requirement be on New OPs or Old OPs?

To do (any help is appreciated):

*         Full worked examples

*         A couple of (demo) implementations

*         Write privacy considerations; review security considerations


--
James Manger
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170224/2d2e6fc0/attachment-0001.html>


More information about the Openid-specs-mobile-profile mailing list