[Openid-specs-mobile-profile] MODRNA WG preliminary minutes of call on April 17th 2018

philippe.clement at orange.com philippe.clement at orange.com
Wed Apr 18 08:08:59 UTC 2018


Dear all,
Please find below the preliminary minutes of our call on April 17th 2018. In case of error or misunderstanding, please let me know.

Proposed agenda:
1. Roll Call
2. Adoption of the Agenda [Bjorn/John]
3. External Updates
   * IETF 101 [John]
   * OpenID Foundation Workshop [John]
   * IIW [John]
4. Liaisons Updates
   * GSMA [Siva]
5. Working Group Updates
   * FAPI WG [John/Dave]
6. Issue Tracker
   * CIBA [Gonzalo]
   * Authentication Profile [Joerg]
   * Other
7. AOB

Discussion:
1. Roll Call

Participants (GoToMeeting): Bjorn Hjelm (Verizon), John Bradley, Gonzalo, Petteri Stenius (Ubisecure), Philippe Clement (Orange), Siva (GSMA)
2. Adoption of the Agenda [Bjorn/John]

Adopted.
3. External Updates
   * IETF 101 [John]

Work in progress on proof of possession and the device flow.
   * OpenID Foundation Workshop [John]

Discussions around CIBA; security concerns were brought up by people, already known concerns. This was the main topic of conversation.
   * IIW [John]

CIBA discussions. Questioning of the real need to use CIBA with MNOs. Following John's conversations with banks: they already have ways to authenticate customers. Banks would prefer to redirect the user for authentication rather than use CIBA through MNOs.
Using CIBA between banks and the front app (TPP) could be envisioned; banks consider themselves as IdPs, which is what they are now. They can use MNOs or not (their choice).
Banks can use additional biometrics in their app to strengthen ID proofing or authentication. Banks already use the smartphone geolocation in their apps.
Gonzalo: following discussions in Madrid with BBVA: banks have a risk engine.
TC68, mutual TLS, token binding, proof of possession, IESG conf... banks are looking at these.
4. Liaisons Updates
   * GSMA [Siva]

PSD2 analysis. Attribute sharing work in progress. PSD2 strong authentication is decoupled. From the CPAS point of view, 2 types of authentication must be considered.
The User Questioning API is still being discussed.
The question of the technical changes required for User Questioning has been raised. There can be an impact on authenticators in SIM applets. Commercial discussions are ongoing.
5. Working Group Updates
   * FAPI WG [John/Dave]

Topics to address: a FAPI profile of CIBA; mutual TLS is under discussion.
6. Issue Tracker
   * CIBA [Gonzalo]

54: Dave's proposal accepted; Gonzalo added a reference on how to calculate the hash.
52: token endpoint authentication: in the case of the polling mechanism, it is mandatory to register a URI. On the other hand, MTLS is mandatory to authenticate the endpoint.
Attention: client authentication and proof of possession on the resource server must be kept separate; these are different issues.
Using MTLS can be sufficient instead of signing things. The alternative is using the private key and a signed JWT.
John: having a JWT doesn't prove anything. You have to sign something if you want to prove your possession of an object. Sending a JWT signed during the authentication request is probably enough.
The 2 possibilities come down to these 2 approaches: either send a signed request object or use MTLS. Using MTLS is possible on both types of request (token request or authentication request), but the recommendation is to stay coherent across the 2 types of request.
It is considered mandatory to use an authentication method that proves that you are the owner of, and possess, the things you send.
Questions about the case where a redirection to the browser is triggered: in this case an alternative to MTLS must be used.
==> Gonzalo: send an email to the list about merging the 2 commits and the updated text.

   * Authentication Profile [Joerg]

Not addressed.
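To make the issue 52 discussion concrete, the following is an added example written for these minutes; it is not code from the CIBA draft, the working group or any participant. It shows the "private key and signed JWT" option: a poll-mode client mints a private_key_jwt client assertion with its P-256 key, and the token endpoint verifies the signature against the registered public key before applying the RFC 7523 / OpenID Connect Core claim checks (iss, sub, aud, exp, jti). It also builds the token John's remark is about, the same claims with "alg":"none", to show that the verifier has nothing to check and rejects it outright. The client_id, token endpoint URL and key are assumptions; the grant type URN is the one in the published CIBA Core specification and may differ from the draft under discussion in 2018. The MTLS alternative (tls_client_auth) is not shown; a signed request object for the backchannel authentication endpoint would use the same signing routine, which is the "stay coherent across the 2 types of request" option.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Assumed identifiers for this example; neither appears in the minutes.
const clientID, tokenEndpoint = "tpp-client-42", "https://op.example/token"
var b64 = base64.RawURLEncoding // JOSE: base64url without padding

// signES256 builds a compact JWS over claims with the client's P-256 key; the
// signature is the only part of the token that demonstrates possession of that key.
func signES256(priv *ecdsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // R||S, each left-padded to 32 bytes (RFC 7518 3.4)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// unsignedJWT is the token John's remark is about: the same claims under
// "alg":"none", which anyone can mint, so it proves nothing about the sender.
func unsignedJWT(claims map[string]any) string {
	body, _ := json.Marshal(claims)
	return b64.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`)) + "." + b64.EncodeToString(body) + "."
}

// verifyES256 checks the signature with the client's registered public key and
// refuses any alg other than ES256, so an "alg":"none" token never gets through.
func verifyES256(pub *ecdsa.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWS")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, fmt.Errorf("rejected alg %q: only ES256 is registered for this client", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature does not verify under the registered key")
	}
	payload, err := b64.DecodeString(parts[1])
	var claims map[string]any
	if err == nil {
		err = json.Unmarshal(payload, &claims)
	}
	return claims, err
}

// checkAssertion applies the private_key_jwt rules (RFC 7523, OIDC Core 9) to a verified
// assertion: iss and sub equal the client_id, aud is this endpoint, exp is in the future
// and a jti is present so the endpoint can track replays.
func checkAssertion(claims map[string]any, wantAud string, now time.Time) error {
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64; a missing exp reads as 0
	jti, _ := claims["jti"].(string)
	switch {
	case claims["iss"] != clientID || claims["sub"] != clientID:
		return fmt.Errorf("iss and sub must both equal the client_id")
	case claims["aud"] != wantAud:
		return fmt.Errorf("aud %v is not this endpoint", claims["aud"])
	case !time.Unix(int64(exp), 0).After(now):
		return fmt.Errorf("exp missing or in the past")
	case jti == "":
		return fmt.Errorf("jti missing")
	}
	return nil
}

// clientAssertion mints the private_key_jwt assertion a poll-mode CIBA client sends
// alongside grant_type=urn:openid:params:grant-type:ciba and auth_req_id. The jti is
// derived from the clock here for brevity; production code should use a random value.
func clientAssertion(priv *ecdsa.PrivateKey, now time.Time) (string, error) {
	return signES256(priv, map[string]any{"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"iat": now.Unix(), "exp": now.Add(time.Minute).Unix(), "jti": fmt.Sprintf("%x", now.UnixNano())})
}

func newClientKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

func main() {
	key := newClientKey()
	tok, _ := clientAssertion(key, time.Now())
	fmt.Println(verifyES256(&key.PublicKey, tok))
	fmt.Println(verifyES256(&key.PublicKey, unsignedJWT(map[string]any{"iss": clientID})))
}
```

The two fmt.Println calls show the contrast: the signed assertion comes back with its claims and a nil error, while the "alg":"none" copy is refused before any claim is read. The aud check is what keeps an assertion minted for the token endpoint from being replayed against the backchannel authentication endpoint, which is one reason to keep client authentication and resource-server proof of possession as the separate issues the minutes describe.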

Best regards,
Philippe


_________________________________________________________________________________________________________________________

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
