[Openid-specs-mobile-profile] MODRNA WG Call on Dec 12th 2017 preliminary minutes

philippe.clement at orange.com philippe.clement at orange.com
Tue Dec 12 16:34:47 UTC 2017

Please find below the minutes of our call. In case of any error or misunderstanding, please let me know.

1.      Roll Call:
        - Petteri, John, Jörg, Bjorn, Philippe, Siva, Gonzalo, Celestin
2.      Adoption of the Agenda [Bjorn/John]
        - agreed
3.      Liaisons Updates
•       GSMA [Siva]
        - no update
4.      Working Group Updates
•       FAPI WG
        - John: another FAPI workshop is scheduled in January with Open Banking people to educate on the standard.
        - Questions with the FAPI group about sending the whole registration as a JWT; some people could want to have a signed registration, and the OB group already has a key to use. Probable incompatibility with OIDC dynamic registration.
5.      Issue Tracker

Not addressed
•       Authentication Profile
   Open issues for the authentication profile:
==>     Bjorn to send a mail to the group for progressing on the status
6.      AOB

BBVA case
Gonzalo: a proposal following a meeting with BBVA bank in Spain.
BBVA has concerns with the way that the OP gives the token back to the SP. Mobile Connect doesn’t allow both modes (push and pull). They want to have a synchronized way to get the token. The proposal is to include in CIBA a way to return the token directly in the first request, because different countries will have different approaches to requesting the consent of the user; some won’t have this mandatory and some others will.

BBVA is not interested in the authentication mode and wishes to get back the token in the first access, eventually limited by a timeout written in the system.
The concern with polling is that it is not allowed in Mobile Connect. Are we inventing a new kind of polling? To be correlated with the pairwise identifier approach. The SP only wants an access token to access the protected resource.
BBVA said that in some cases there is no use in sending back evidence of consent; this could be taken out of band, with no need to return an ID Token.
In any case, we need a process in place to be sure that no other entity will try to connect to the resource with the same PPID.
Investigate giving BBVA a sector identifier and, in any case, avoid creating a new flow.

Adding something to the client registration could be: I want to collect the consent, the MNO says yes or no in return. But both flows could be CIBA.

==>     Gonzalo to write an issue tracker on this.

Next call on Dec 26th.

Kind regards,

