[Openid-specs-mobile-profile] openid-connect-modrna-authentication: comments

Manger, James James.H.Manger at team.telstra.com
Mon Apr 17 23:28:24 UTC 2017

Comments on openid-connect-modrna-authentication-1_0.html [2017-03-06]:

* [§7] Talking about "application/x-www-form-urlencoded" for binding_message makes little sense. That encoding is used for all the parameters in a request, not just binding_message. That encoding can encode any Unicode char so it doesn't help at all with ensuring a binding_message works on devices with "limited abilities".
* [§7] Can we be a bit more helpful about the length and chars that a binding_message SHOULD use?
* [§9] "authorization code" is already a term-of-art in OIDC so don't suggest the binding_message include this.
* [§5.1] “hpop” → “hwk” (twice); “pop” → “swk”
* [§6.1] Other formats for login_hint_token are explicitly allowed, but how does an OP know which format it has received?
* Use “OP” or “IdP”, instead of a mix. I suggest replacing “IdP” (and “Identity Provider”) with “OP” throughout the doc.
* “may” → “MAY” and “must” → “MUST” in a few places
* [§6.1] “Appendix 2 of JWT” → “Appendix A.2 of JWT”
* [§6] discovery-provider.com & babytel.com → discovery.example.net & op.example.net (to avoid potentially-real domains)
* [Abstract] Using the future tense (“will specify”) is a bit unusual
* [§9] A signature doesn't "prevent collecting of phone numbers by rogue clients", only encryption does that
* [§3] "a MODRNA conform authentication request" → "a MODRNA-conforming authentication request". Correcting the grammar is ok, but it would be better to drop the requirement (e.g. allow an OP to have a default ACR).
* [§4] "[IdPs] may recognize and process long forms for custom authentication contexts". Seems little point in providing the URIs without making OP recognition a MUST.
* [§4] "users device" → "user's device"
* Pasting the whole spec into Word to find typos would help: “messge” → “message”; “consumpution” → “consumption”; “termn” → “term”; “preformed” → “performed”; “formated” → “formatted”; “paramater” → “parameter”; “authenicate” → “authenticate”

James Manger
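An added illustration of the §7 point above (example code, not part of the original message or the MODRNA draft): form-urlencoding round-trips any Unicode binding_message unchanged, so it constrains nothing; a device-oriented limit has to be a separate, explicit rule. The request parameters and the printable-ASCII/length rule in `binding_message_acceptable` are assumptions constructed for this example, not requirements taken from the spec.

```python
from urllib.parse import urlencode, parse_qs

# Assumed limit for a binding_message that must render on a device with
# "limited abilities". The draft under review does not define one; this value
# is a placeholder chosen for the example.
MAX_BINDING_MESSAGE_LEN = 20


def form_encode_request(params: dict) -> str:
    """Encode a whole authentication request body as
    application/x-www-form-urlencoded (the encoding applies to every
    parameter, not to binding_message specifically)."""
    return urlencode(params)


def form_decode_request(body: str) -> dict:
    """Decode a form-urlencoded body back into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def binding_message_acceptable(msg: str) -> bool:
    """Hypothetical OP-side check, independent of the transport encoding:
    non-empty, bounded length, printable ASCII only."""
    if not 0 < len(msg) <= MAX_BINDING_MESSAGE_LEN:
        return False
    return all(0x20 <= ord(ch) <= 0x7E for ch in msg)


if __name__ == "__main__":
    # Constructed sample request with a binding_message containing non-ASCII.
    request = {
        "response_type": "code",
        "client_id": "client-example",
        "binding_message": "Zahlung 12\u20ac \u2713",
    }
    body = form_encode_request(request)
    print(body)
    # The encoding carries the Unicode message through intact...
    print(form_decode_request(body) == request)
    # ...so only an explicit rule can reject it for a limited device.
    print(binding_message_acceptable(request["binding_message"]))
    print(binding_message_acceptable("Code: 4711"))
```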
