[Openid-specs-mobile-profile] CIBA Issues Review: Feedback for #54

GONZALO FERNANDEZ RODRIGUEZ gonzalo.fernandezrodriguez at telefonica.com
Thu Mar 1 21:24:32 UTC 2018

Sorry, I forgot to include my colleague Pablo.

From: GONZALO FERNANDEZ RODRIGUEZ <gonzalo.fernandezrodriguez at telefonica.com>
Date: Thursday, 1 March 2018 at 14:12
To: "openid-specs-mobile-profile at lists.openid.net" <openid-specs-mobile-profile at lists.openid.net>
Cc: "Hjelm, Bjorn" <Bjorn.Hjelm at verizonwireless.com>
Subject: CIBA Issues Review: Feedback for #54

Hi again,

First of all, sorry for not asking for feedback on all the issues in one single e-mail, but I think it may be easier for you to answer only the e-mails you are interested in or have an opinion on.

This time I would like to ask you for feedback on #54 https://bitbucket.org/openid/mobile/issues/54/ciba-client-notification-endpoint in order to resolve it.

The proposal is to add a comment in the spec recommending a short expiration for the bearer token that will be used to authenticate to the client_notification_endpoint. We can consider the bearer token secure enough to deliver the authentication response, because it is under the SSL protocol. Although the response itself is not signed, the id_token is signed and it can be verified that it was signed by the operator; moreover, the access_token will be verified once the resource is accessed. So there doesn't seem to be any malicious use case that could cause harm. If anyone thinks such use cases exist, please give an example.



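What the client side of the exchange above looks like, as an added example that is not part of the e-mail, the CIBA draft, or any project's code. It assumes the client generates one bearer token per pending authentication request, that the OP presents it to the client_notification_endpoint as `Authorization: Bearer <token>`, and that the id_token carries the request identifier in a claim named `auth_req_id` (both the claim name and the `TOKEN_TTL` value are assumptions). HS256 with a shared key stands in for the operator's real signature so the example runs with the standard library only; a real client would verify against the OP's published keys.

```python
"""Client notification endpoint handler for a CIBA-style push callback (added example).

Stands in for a real deployment: HS256 with a shared key replaces the operator's
asymmetric id_token signature, and all request ids, keys and claims are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets

TOKEN_TTL = 300  # assumed "short expiration" for the notification bearer token (seconds)
OPERATOR_KEY = b"example-operator-signing-key"  # constructed; stands in for the OP's JWKS


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class PendingRequests:
    """State the client keeps between sending the authentication request and the callback."""

    def __init__(self):
        self._by_token = {}

    def new_request(self, auth_req_id: str, now: float) -> str:
        # The client mints the bearer token itself and binds it to one auth_req_id.
        token = secrets.token_urlsafe(32)
        self._by_token[token] = {"auth_req_id": auth_req_id, "expires": now + TOKEN_TTL}
        return token

    def consume(self, presented: str, now: float):
        # Compare against every stored token in constant time so timing does not
        # reveal partial matches; the table only holds currently pending requests.
        match = None
        if presented.isascii():
            for tok in list(self._by_token):
                if hmac.compare_digest(tok, presented):
                    match = tok
        if match is None:
            return None, "unknown_token"
        entry = self._by_token.pop(match)  # single use: a replayed callback fails above
        if now > entry["expires"]:
            return None, "token_expired"   # short TTL bounds the window for a leaked token
        return entry, None


def verify_id_token(id_token: str, key: bytes):
    """Return the claims if the signature verifies, else None (HS256 stand-in)."""
    try:
        h, p, s = id_token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def handle_notification(pending: PendingRequests, headers: dict, body: dict, now: float):
    """Checks run in order: bearer token, then id_token signature, then request binding."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing_bearer"
    entry, err = pending.consume(auth[len("Bearer "):], now)
    if err:
        return 401, err
    claims = verify_id_token(body.get("id_token", ""), OPERATOR_KEY)
    if claims is None:
        return 400, "bad_signature"
    if body.get("auth_req_id") != entry["auth_req_id"] or claims.get("auth_req_id") != entry["auth_req_id"]:
        return 400, "auth_req_id_mismatch"
    return 200, claims


def sign_id_token(claims: dict, key: bytes) -> str:
    """Constructed OP side: mints the HS256 stand-in id_token for the demo."""
    h = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url(json.dumps(claims).encode())
    return f"{h}.{p}." + b64url(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())


def demo():
    """Constructed exchange: one good push, then a replay, a late push, a forgery, a mismatch."""
    t0 = 1_000_000.0
    pending = PendingRequests()
    tok1 = pending.new_request("req-1", t0)
    body = {"auth_req_id": "req-1",
            "id_token": sign_id_token({"iss": "https://op.example", "sub": "alice", "auth_req_id": "req-1"}, OPERATOR_KEY)}
    ok = handle_notification(pending, {"Authorization": f"Bearer {tok1}"}, body, t0 + 10)
    replay = handle_notification(pending, {"Authorization": f"Bearer {tok1}"}, body, t0 + 11)
    tok2 = pending.new_request("req-2", t0)
    late = handle_notification(pending, {"Authorization": f"Bearer {tok2}"}, body, t0 + TOKEN_TTL + 1)
    tok3 = pending.new_request("req-3", t0)
    forged = {"auth_req_id": "req-3", "id_token": sign_id_token({"sub": "mallory", "auth_req_id": "req-3"}, b"attacker-key")}
    forgery = handle_notification(pending, {"Authorization": f"Bearer {tok3}"}, forged, t0 + 1)
    tok4 = pending.new_request("req-4", t0)
    mismatch = handle_notification(pending, {"Authorization": f"Bearer {tok4}"}, body, t0 + 1)
    return ok[0], replay[1], late[1], forgery[1], mismatch[1]


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the bearer token is consumed before the id_token is parsed, so an attacker without a valid token cannot make the client do signature work, and a leaked token is only useful inside the TTL and for a single delivery. The id_token signature check is what stops a forged response even by someone holding a valid token, which is the point made in the message above.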