[Openid-specs-mobile-profile] Issue 52 CIBA Pairwise Identifiers Structuring Text

[John Bradley]

Exactly.

In your description noting stops the bad client from registering the good client’s SIU and or redirect_uri.

The client is issued a client secret and uses that to authenticate to the authorization endpoint.  
They are a different client but are getting the same PPID generated as the good client without being associated with the good client.

This is a privacy not a security issue.

John B.
> On Jun 13, 2017, at 11:28 PM, Manger, James <James.H.Manger at team.telstra.com> wrote:
> 
> Axel,
>  
> > What are the threats if all client metadata is validated at registration time and all CIBA requests are authenticated?
> -          BadClient is not able to register for the same sector_identifier_uri as GoodPollingClient (regardless of CIBA or OIDC) This is nothing bad introduced by CIBA.
>  
> This is your mistake.
> Multiple clients can register the same sector_identifier_uri — that is the whole point of the sector_id concept (grouping multiple apps). The issue is how does the registration system distinguish BadClient from OtherGoodPollingClient when both register the same sector_id?
>  
> --
> James Manger

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170614/b078d3e1/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4383 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170614/b078d3e1/attachment-0001.p7s>