[Openid-specs-mobile-profile] [E] Comments about CIBA Draft

Fri Apr 21 16:01:53 UTC 2017

Charles,
I’ll leave it to the CIBA authors to address the first question and John may be the best person to address the second item.

On the third one, we can add this to the upcoming joint CPAS-MODRNA call  this coming Monday to confirm this assumptions before taking it back to MODRNA WG for further discussion.

BR,
Bjorn

From: charles.marais at orange.com [mailto:charles.marais at orange.com]
Sent: Wednesday, April 19, 2017 1:49 AM
To: John Bradley; Connotte, Joerg; Joerg.Connotte at telekom.de; Axel.Nennker at telekom.de; GONZALO FERNANDEZ RODRIGUEZ; F.Walter at telekom.de; Hjelm, Bjorn
Cc: CLEMENT Philippe IMT TECHNO; AILLERY Nicolas IMT-OLPS; MARIOTTE Hubert IMT-OLN; openid-specs-mobile-profile at lists.openid.net
Subject: [E] Comments about CIBA Draft

Hi,

We would like to share with you some of our concerns about CIBA as it may be soon accepted at the end of the current implementer's draft period :

- The end-to-end use cases addressed by CIBA are still unclear for us. We do understand the necessity to have a specification allowing the retrieval of an OAuth 2.0 access_token in a back channel mode but we don't have in mind end-to-end use cases that require the delivery of an id_token in pure back channel mode. @John,Joerg : Did you have time to think about Use Cases for CIBA ?

- On a security point of view, we think that we missed something. With the current specification, it seems to be possible to register a bad client interested by the polling mode with a legitimate client's sector_identifier_uri and even redirect_uri. In this way, the bad client will receive a sub dedicated for the legitimate client.

- GSMA is already working on an evolution of CIBA allowing synchronous responses. In their mind (GSMA), they want to address use cases in which the OP doesn't authenticate the user. It could maybe be relevant to include this evolution in the current specification.

Thanks for your opinions on these aspects,

Br,

The Orange Team.

--
[cid:image001.gif at 01D2BA7D.E8432AC0]

MARAIS Charles
Orange Labs Lannion
Tel : +33 (0)2 96 07 24 18
charles.marais at orange.com<mailto:charles.marais at orange.com>
Orange Labs Lannion
2, avenue Pierre Marzin
22307 LANNION Cedex - France

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc

pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler

a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,

Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;

they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170421/ddbe5917/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.gif
Type: image/gif
Size: 1264 bytes
Desc: image001.gif
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170421/ddbe5917/attachment.gif>