[Openid-specs-mobile-profile] Issue 52 CIBA Pairwise Identifiers Structuring Text

John Bradley ve7jtb at ve7jtb.com
Fri Jun 9 12:49:55 UTC 2017


You need to have something to compare it to. Without a redirect URI or postback URI anyone could claim the sector_identifier_uri and do correlation.

John B.

> On Jun 8, 2017, at 3:02 PM, Axel.Nennker at telekom.de wrote:
> 
> My hope was that by making sector_identifier_uri mandatory we would get rid of all the special cases with jwks_uri and whatnot.
> Isn’t that true?
> So if someone uses CIBA then there MUST be a siu at registration time and CIBA does not care how that is validated.
> Making my life too easy?
>  
> Axel
>  
> From: John Bradley [mailto:ve7jtb at ve7jtb.com] 
> Sent: Thursday, 8 June 2017 18:56
> To: Nennker, Axel <Axel.Nennker at telekom.de>
> Cc: openid-specs-mobile-profile at lists.openid.net
> Subject: Re: [Openid-specs-mobile-profile] Issue 52 CIBA Pairwise Identifiers Structuring Text
>  
> Validation of the sector identifier is part of registration.
>  
> The client registers its client_notification_endpoint as a new element.  (Shouldn't that be an array vs a single URI if the request allows notification_uri to be specified?  otherwise why send it in the request?)
>  
> The registration process needs to check those URI against the URI in the JSON file returned from the sector_identifier_uri.
>  
> I don't think registration is going to get updated anytime soon, so it probably needs to be explained in this spec for those IDPs that allow notification_uri to be specified.
>  
> All AS should always use the sector_identifier_uri as the key for generating ppid. Nothing in that changes.
>  
> I think for the polling we need to specify the client JWKS endpoint in the sector_identifier_uri as well.
>  
> It is just a URI so that should not be an issue.
>  
> If the registered jwks uri is not in the file then don't allow polling.
> I know this precludes the use of symmetric keys but I think that may be a reasonable trade off if someone wants to use this with polling.
>  
> John B.
>  
> On Jun 8, 2017, at 3:38 AM, Axel.Nennker at telekom.de wrote:
>  
> Hi all,
>  
> can this issue be closed?
> https://bitbucket.org/openid/mobile/issues/52/ciba-pairwise-identifiers-structuring-text
>  
> The sector_identifier_uri must now be specified at Client registration time.
> Validation of the sector_identifier is out-of-scope for CIBA and should be in Discovery.
>  
> Please comment on the issue in bitbucket or here.
>  
> Kind regards
> Axel
>  
> DEUTSCHE TELEKOM AG
> T-Labs (Research & Innovation)
> Axel Nennker
> Winterfeldtstr. 21, 10781 Berlin
> +491702275312 (Tel.)
> E-Mail: axel.nennker at telekom.de
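The registration check John proposes in the quoted message (every registered client_notification_endpoint, and the jwks_uri if polling is wanted, must be listed in the JSON array served at sector_identifier_uri; the pairwise subject is then keyed off that sector identifier), written out as an added example that is not code from the thread or the CIBA draft. The sector document and the registration below are constructed sample data, and the HTTPS fetch is stubbed with a dictionary so the example runs offline.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed stand-in for the JSON array an AS would fetch over HTTPS from the
# client's sector_identifier_uri (OIDC Core 8.1 format: a JSON array of URIs).
SECTOR_DOCUMENTS = {
    "https://client.example/sector.json": json.dumps([
        "https://client.example/ciba/notify",
        "https://client.example/.well-known/jwks.json",
    ])
}

def fetch_sector_document(uri):
    """Stand-in for the HTTPS GET of sector_identifier_uri; returns the listed URIs."""
    if urlparse(uri).scheme != "https":
        raise ValueError("sector_identifier_uri must use https")
    body = SECTOR_DOCUMENTS.get(uri)
    if body is None:
        raise ValueError("sector_identifier_uri could not be retrieved")
    uris = json.loads(body)
    if not isinstance(uris, list) or not all(isinstance(u, str) for u in uris):
        raise ValueError("sector document must be a JSON array of URIs")
    return uris

def validate_ciba_registration(reg):
    """Return the CIBA modes ({'push', 'poll'}) this registration may use, or raise.
    Notification endpoints must be in the sector document (otherwise anyone could
    claim the sector and correlate users); polling needs the jwks_uri listed too."""
    allowed = set(fetch_sector_document(reg["sector_identifier_uri"]))
    modes = set()
    endpoints = reg.get("client_notification_endpoint", [])
    if isinstance(endpoints, str):  # accept a single URI or an array, as discussed
        endpoints = [endpoints]
    if endpoints:
        missing = sorted(set(endpoints) - allowed)
        if missing:
            raise ValueError(f"notification endpoint(s) not in sector document: {missing}")
        modes.add("push")
    if reg.get("jwks_uri") in allowed:  # symmetric-key clients cannot satisfy this
        modes.add("poll")
    return modes

def pairwise_sub(sector_identifier_uri, local_account_id, salt):
    """Derive a PPID as in the OIDC Core 8.1 example: SHA-256 over the sector
    identifier (host of sector_identifier_uri), the local account id and a salt."""
    host = urlparse(sector_identifier_uri).hostname
    return hashlib.sha256((host + local_account_id + salt).encode()).hexdigest()
```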