[Openid-specs-mobile-profile] Issue #52: CIBA Pairwise Identifiers Structuring Text (openid/mobile)

Axel.Nennker at telekom.de Axel.Nennker at telekom.de
Wed May 24 08:06:10 UTC 2017


Hi all,



I created https://bitbucket.org/openid/mobile/issues/52/ciba-pairwise-identifiers-structuring-text to keep track of this.



In pseudo code the calculation of sub could look like this:

import hashlib
import logging

def calculate_sub(client, local_account_id, salt, request_object=None):
    # Client is authenticated at this point
    if client.sector_identifier:
        # if we have a registered sector identifier then use it
        sector_identifier = client.sector_identifier
    elif request_object and client.jwks_uri:
        # need to determine the sector_identifier to use, as none is registered for this Client;
        # request object signature is valid and a key from client.jwks_uri was used to sign it
        sector_identifier = client.jwks_uri
    elif client.notification_uri:
        # no registered sector_identifier, no request_object: notification mode, not polling
        sector_identifier = client.notification_uri
    else:
        # polling mode but no sector_identifier registered: reject with invalid_request
        logging.error("invalid_request: no sector identifier for %s", client.id)
        raise ValueError("invalid_request")
    # have sub that is a pairwise identifier here
    return hashlib.sha256((sector_identifier + local_account_id + salt).encode("utf-8")).hexdigest()



Having said all that I currently tend to change the spec to say:

"In CIBA the Client MUST specify the sector_identifier_uri at registration time if the OP uses Pairwise Identifiers which is strongly recommended".



Should we make sector_identifier_uri mandatory for CIBA and cull all other Pairwise Identifier text?



Cheers

Axel


Pairwise Identifier Algorithm

https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg



"sector_identifier_uri" Validation

https://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation



-----Original Message-----
From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Axel Nennker
Sent: Dienstag, 23. Mai 2017 15:33
To: openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] Issue #52: CIBA Pairwise Identifiers Structuring Text (openid/mobile)



New issue 52: CIBA Pairwise Identifiers Structuring Text https://bitbucket.org/openid/mobile/issues/52/ciba-pairwise-identifiers-structuring-text



Axel Nennker:



Should the text regarding Pairwise Identifiers be in its own section or should it stay in the sections on polling and notification?



Polling: https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.1.1

Notification: https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.3.3



References to other specs:

Core: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg

Validation of sector_identifier: https://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation





Axel



Responsible: ignisvulpis

_______________________________________________

Openid-specs-mobile-profile mailing list
Openid-specs-mobile-profile at lists.openid.net

http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170524/6abb465c/attachment.html>
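The sub derivation and sector identifier handling discussed in the thread above, as an added, runnable example (not code from the thread, the CIBA draft or any OpenID implementation). It applies the OpenID Connect Core 1.0 section 8.1 example algorithm, sub = SHA-256(sector_identifier || local_account_id || salt), with the host component of the chosen URI as the Sector Identifier; validates a sector_identifier_uri document against the client's redirect_uris the way OpenID Connect Registration 1.0 section 5 requires; and walks the CIBA fallback order from the thread (registered sector_identifier_uri, then jwks_uri when a request object was verified with one of its keys, then the notification endpoint, otherwise invalid_request). The Client class, the constructed sector document, the fixed salt, and the assumption that the host-component rule is also applied to jwks_uri and the notification endpoint are this example's own, not the specification's; the HTTPS fetch of the sector document is left out, its body is passed in.

```python
import hashlib
import json
import logging
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

log = logging.getLogger("pairwise")


@dataclass
class Client:
    """Registered client metadata (constructed for this example, not a real registration)."""
    client_id: str
    redirect_uris: List[str] = field(default_factory=list)
    sector_identifier_uri: Optional[str] = None
    jwks_uri: Optional[str] = None
    client_notification_endpoint: Optional[str] = None


def validate_sector_identifier_uri(client: Client, sector_document: str) -> None:
    """Registration 1.0 section 5: sector_identifier_uri MUST use https and reference a
    JSON array of redirect URIs; every registered redirect_uri MUST appear in that array.
    `sector_document` is the body the OP would have fetched over TLS (fetch not shown)."""
    if urlparse(client.sector_identifier_uri or "").scheme != "https":
        raise ValueError("sector_identifier_uri must use the https scheme")
    allowed = json.loads(sector_document)
    if not isinstance(allowed, list):
        raise ValueError("sector_identifier_uri document must be a JSON array")
    missing = [u for u in client.redirect_uris if u not in allowed]
    if missing:
        raise ValueError("redirect_uris not listed in sector document: %s" % missing)


def choose_sector_identifier(client: Client, request_object_verified_with_jwks_uri: bool) -> str:
    """The CIBA fallback order from the thread. The caller has already authenticated the
    client and, if a request object was sent, verified its signature with a key from
    client.jwks_uri (that verification result is the boolean argument)."""
    if client.sector_identifier_uri:
        uri = client.sector_identifier_uri
    elif request_object_verified_with_jwks_uri and client.jwks_uri:
        uri = client.jwks_uri
    elif client.client_notification_endpoint:
        uri = client.client_notification_endpoint
    else:
        # polling mode with nothing to derive a sector from: reject the request
        log.error("invalid_request: no sector identifier for %s", client.client_id)
        raise ValueError("invalid_request")
    # Core 1.0 section 8.1 uses the host component as the Sector Identifier; applying the same
    # rule to jwks_uri and the notification endpoint is this example's assumption.
    host = urlparse(uri).hostname
    if not host:
        raise ValueError("sector URI has no host component: %s" % uri)
    return host.lower()


def pairwise_sub(sector_identifier: str, local_account_id: str, salt: str) -> str:
    """Core 1.0 section 8.1 example algorithm. The salt is an OP-held secret, so a
    third party that knows the sector and the account id still cannot recompute sub."""
    data = (sector_identifier + local_account_id + salt).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def derive_sub(client: Client, local_account_id: str, salt: str,
               request_object_verified_with_jwks_uri: bool = False) -> str:
    sector = choose_sector_identifier(client, request_object_verified_with_jwks_uri)
    return pairwise_sub(sector, local_account_id, salt)


if __name__ == "__main__":
    # Constructed sector document: what https://sector.example.com/sectors.json would serve.
    sector_doc = '["https://app1.example.net/cb", "https://app2.example.net/cb"]'
    c1 = Client("c1", ["https://app1.example.net/cb"],
                sector_identifier_uri="https://sector.example.com/sectors.json")
    c2 = Client("c2", ["https://app2.example.net/cb"],
                sector_identifier_uri="https://sector.example.com/sectors.json")
    validate_sector_identifier_uri(c1, sector_doc)
    validate_sector_identifier_uri(c2, sector_doc)
    salt = "example-op-secret-salt"  # constructed; a real OP keeps this secret
    print("c1 sub:", derive_sub(c1, "alice", salt))
    print("c2 sub (same sector, same value):", derive_sub(c2, "alice", salt))
    c3 = Client("c3", client_notification_endpoint="https://notify.example.org/ciba")
    print("c3 sub (notification mode):", derive_sub(c3, "alice", salt))
    try:
        derive_sub(Client("c4"), "alice", salt)
    except ValueError as err:
        print("c4 (polling, no sector):", err)
```

Two clients that register the same sector_identifier_uri receive the same sub for the same local account, which is the point of the sector mechanism; a client with only a notification endpoint gets a sub bound to that endpoint's host, and a polling client with no registered sector is rejected rather than silently given a public identifier.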


More information about the Openid-specs-mobile-profile mailing list