[Openid-specs-mobile-profile] Issue 52 CIBA Pairwise Identifiers Structuring Text

John Bradley ve7jtb at ve7jtb.com
Thu Jun 8 16:55:54 UTC 2017

Validation of the sector identifier is part of registration.

The client registers its client_notification_endpoint as a new element. (Shouldn't that be an array vs a single URI if the request allows notification_uri to be specified? Otherwise why send it in the request?)

The registration process needs to check those URIs against the URIs in the JSON file returned from the sector_identifier_uri.

I don't think registration is going to get updated anytime soon so it probably needs to be explained in this spec for those IDPs that allow notification_uri to be specified.

All AS should always use the sector_identifier_uri as the key for generating ppid. Nothing in that changes.

I think for the polling we need to specify the client JWKS endpoint in the sector_identifier_uri as well.

It is just a URI so that should not be an issue.  

If the registered jwks uri is not in the file then don’t allow polling.    
I know this precludes the use of symmetric keys but I think that may be a reasonable trade off if someone wants to use this with polling.

John B.

> On Jun 8, 2017, at 3:38 AM, <Axel.Nennker at telekom.de> wrote:
> Hi all,
> can this issue be closed?
> https://bitbucket.org/openid/mobile/issues/52/ciba-pairwise-identifiers-structuring-text
> The sector_identifier_url is now mandatory to be specified at Client registration time.
> Validation of the sector_identifier is out-of-scope for CIBA and should be in Discovery.
> Please comment on the issue in bitbucket or here.
> Kind regards
> Axel
> T-Labs (Research & Innovation)
> Axel Nennker
> Winterfeldtstr. 21, 10781 Berlin
> +491702275312 (Tel.)
> E-Mail: axel.nennker at telekom.de
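The registration-time check discussed in the message above, sketched as an added example (not code from the CIBA draft or from either author). The function names, the result shape, the exact-string comparison and the https requirement on sector_identifier_uri are assumptions of this sketch; the caller is assumed to have already fetched the JSON file from the sector_identifier_uri.

```python
import json
from urllib.parse import urlsplit

def load_sector_uris(sector_document: str) -> set:
    """Parse the JSON file served at sector_identifier_uri: an array of URI strings."""
    try:
        uris = json.loads(sector_document)
    except json.JSONDecodeError as exc:
        raise ValueError("sector identifier document is not valid JSON") from exc
    if not isinstance(uris, list) or not all(isinstance(u, str) for u in uris):
        raise ValueError("sector identifier document must be a JSON array of strings")
    return set(uris)

def check_ciba_registration(metadata: dict, sector_document: str) -> dict:
    """Check CIBA client metadata against the already-fetched sector document."""
    errors = []
    sector = urlsplit(metadata.get("sector_identifier_uri", ""))
    if sector.scheme != "https" or not sector.netloc:
        errors.append("sector_identifier_uri must be an https URI")
    try:
        listed = load_sector_uris(sector_document)
    except ValueError as exc:
        return {"accepted": False, "polling_allowed": False, "errors": errors + [str(exc)]}

    # Exact string match, no normalisation: a near-miss URI is a different URI.
    if metadata.get("client_notification_endpoint") not in listed:
        errors.append("client_notification_endpoint is not listed in the sector document")

    # Polling is only allowed when the registered jwks_uri is listed; a client
    # with symmetric keys has no jwks_uri and therefore cannot poll.
    jwks_uri = metadata.get("jwks_uri")
    polling_allowed = not errors and jwks_uri is not None and jwks_uri in listed
    return {"accepted": not errors, "polling_allowed": polling_allowed, "errors": errors}

# Constructed sample input (client.example.com values are placeholders).
SECTOR_DOC = json.dumps([
    "https://client.example.com/ciba/notify",
    "https://client.example.com/jwks.json",
])
CLIENT = {
    "sector_identifier_uri": "https://client.example.com/sector.json",
    "client_notification_endpoint": "https://client.example.com/ciba/notify",
    "jwks_uri": "https://client.example.com/jwks.json",
}

if __name__ == "__main__":
    print(check_ciba_registration(CLIENT, SECTOR_DOC))
```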