<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Yes, the document currently calls it single factor, but that is probably too general.<div class=""><br class=""></div><div class="">This is one reason I prefer abstract names like silver and gold; that way, as technology changes, you don’t need to change the protocol.</div><div class=""><br class=""></div><div class="">So let’s describe them and pick names after we agree on the description.</div><div class=""><br class=""></div><div class="">Silver:</div><div class="">The user is authenticated via possession of a device (phone) containing a secret key. </div><div class="">The user is required to provide no additional authentication information to use the key.</div><div class="">The user is interactively prompted to confirm the authentication. </div><div class="">The storage mechanism for the secret key and other relevant authentication information is returned via the “amr” value.</div><div class="">The user is not re-prompted if prompt is not login and max_age is more than the elapsed time since the user last authenticated at this acr.</div><div class=""><br class=""></div><div class="">Gold:</div><div class="">The user is authenticated via possession of a device (phone) containing a secret key. 
</div><div class="">The user is required to provide additional authentication information via a biometric, PIN code or other appropriate factors such as Bluetooth pairing with a watch.</div><div class="">Given suitable mobile device management, unlocking the device is also sufficient, along with user confirmation of the desire to authenticate.</div><div class=""><div class="">The storage mechanism for the secret key and other relevant authentication information is returned via the “amr” value.</div><div class="">The user is not re-prompted if prompt is not login and max_age is more than the elapsed time since the user last authenticated at this acr.</div></div><div class=""><br class=""></div><div class="">Platinum:</div><div class="">The user is authenticated via possession of a device (phone) containing a secret key.</div><div class="">The user is required to provide additional authentication information via a local biometric, or a remote pairing with a biometric-capable device. </div><div class="">A PIN or second biometric as a third factor may also be required.</div><div class="">Biometric device unlock may be used, but only in conjunction with a PIN code or second biometric.</div><div class="">The user is always prompted to authenticate irrespective of the values of prompt and max_age.</div><div class=""><br class=""></div><div class="">So all 3 require possession of the phone. Gold and Platinum require a second factor to unlock the phone. </div><div class="">Platinum forces the use of a PIN or second biometric.</div><div class=""><br class=""></div><div class="">I put in Platinum for argument’s sake, to show that it is additional risk mitigations that we are interested in, </div><div class="">as a single biometric like facial recognition on a phone can be spoofed quite easily. 
(talking to Knock Knock, they didn’t find any that they had confidence in as part of UAF if the attacker had a photo of the subject’s face)</div><div class=""><br class=""></div><div class="">So in the ACR:</div><div class="">[ “Platinum”, “Gold”, “Silver” ] would cause the device to do the highest one possible, but if it is incapable, fall back to a lower one.</div><div class=""><br class=""></div><div class="">If we leave the ACR query parameter as is, rather than changing it to essential, then </div><div class=""><br class=""></div><div class="">[ “Platinum” ] would do exactly the same thing.</div><div class=""><br class=""></div><div class="">If we add the essential semantic to the ACR values, then</div><div class="">[ “Platinum” ] would return an error if the device can’t support a biometric. You would need to always list them all unless you are willing to get an error.</div><div class=""><br class=""></div><div class="">That is my best attempt at trying to describe the scale of risk mitigation represented by the ACR that we are talking about.</div><div class=""><br class=""></div><div class="">John B.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div><blockquote type="cite" class=""><div class="">On Nov 29, 2015, at 3:30 PM, Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net" class="">torsten@lodderstedt.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta content="text/html; charset=windows-1252" http-equiv="Content-Type" class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
Hi John,<br class="">
<br class="">
I understand your argument. It's always a trade-off between being
specific (and risking failed authentication attempts) and being too
generic (and losing control). I think there is no difference between
having two LOAs + 2 AMRs on one side or having 3 LOAs, if the AMR is
required from a RP's perspective to assess the authentication. But
let's assume we go with two LOAs for single and 2-factor authn.<br class="">
<br class="">
I think just single factor won't be enough, as Mobile Connect
(according to my understanding/interpretation) is about
password-less single factor authentication. So I assume we need to
have a certain special single factor authentication ACR value.<br class="">
<br class="">
best regards,<br class="">
Torsten.<br class="">
<br class="">
<div class="moz-cite-prefix">On 28.11.2015 at 22:19, John
Bradley wrote:<br class="">
</div>
<blockquote cite="mid:B1A2BB98-ED4B-4658-B24F-2FB3134902FC@mac.com" type="cite" class="">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252" class="">
Operators will certainly have some users with devices that store
keys in hardware (SIM) and others that are using software, and
probably some that are using the HW keychain unlocked by a
biometric or a pin.
<div class=""><br class="">
</div>
<div class="">The point I am trying to make is that a user has one
device. It will or will not have HW protection for the key.
If the RP is too specific about what it asks for all it will do
is cause failed authentications.</div>
<div class=""><br class="">
</div>
<div class="">I was counting click OK to the SIM applet as single
factor (Because it is). In the single factor case the AMR
would differentiate between a SIM with click OK and a password
or something else.</div>
<div class=""><br class="">
</div>
<div class="">We can send more specific information back in the
amr about what happened.</div>
<div class="">
<div class=""><br class="">
</div>
<div class="">The acr in the request shouldn’t be too specific
because that just forces the IdP to return an error vs
something useful.</div>
<div class=""><br class="">
</div>
<div class="">I am basing these observations on the three levels
in the current document. </div>
<div class="">Two are effectively the same from a request point
of view. Give me an authentication where the user needs to
locally authenticate to the device. The only difference will
be how the key is protected in the hardware and that depends
on the device. The RP can’t influence that in a meaningful
way during authentication.</div>
<div class=""><br class="">
</div>
<div class="">So far I don’t see having more than two LoA in the
request as being useful from the description.</div>
<div class=""><br class="">
</div>
<div class="">What behaviour at the IdP would the third one
cause different from the second?</div>
<div class=""><br class="">
</div>
<div class="">It may be that there is something, but it is not
captured in the description. That is what I am looking for.</div>
<div class=""><br class="">
</div>
<div class="">John B.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Nov 28, 2015, at 2:51 PM, Lodderstedt,
Torsten <<a moz-do-not-send="true" href="mailto:t.lodderstedt@telekom.de" class="">t.lodderstedt@telekom.de</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="WordSection1" style="page: WordSection1;
font-family: Helvetica; font-size: 12px; font-style:
normal; font-variant: normal; font-weight: normal;
letter-spacing: normal; line-height: normal; orphans:
auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows:
auto; word-spacing: 0px; -webkit-text-stroke-width:
0px;">
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(31, 73, 125);" class="">Hi
John,<o:p class=""></o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(31, 73, 125);" class=""> </span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(31, 73, 125);" class="" lang="EN-US">why doesn’t it make sense for a RP to
specifically ask for HW protected keys? I could
imagine some operators use software-based keys
(which should be ok in some cases) whereas the
majority will store them on the SIM card.<span class="Apple-converted-space"> </span><o:p class=""></o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(31, 73, 125);" class="" lang="EN-US"> </span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(31, 73, 125);" class="" lang="EN-US">And by the way: It’s not just about
asking the OP to perform 2nd factor authentication
or accept single factor. In the case of Mobile
Connect, it is also desirable to ask for certain
factors (or better said prohibit knowledge alone)
in the single factor case. The predominant example
is inherence in the case of SIM applet (click ok).<o:p class=""></o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(31, 73, 125);" class="" lang="EN-US"> </span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(31, 73, 125);" class="" lang="EN-US">best regards,<o:p class=""></o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(31, 73, 125);" class="" lang="EN-US">Torsten.<o:p class=""></o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(31, 73, 125);" class="" lang="EN-US"> </span></div>
<div class="">
<div style="border-style: solid none none;
border-top-color: rgb(181, 196, 223);
border-top-width: 1pt; padding: 3pt 0cm 0cm;" class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><b class=""><span style="font-size:
10pt; font-family: Tahoma, sans-serif;" class="">From:</span></b><span style="font-size: 10pt; font-family: Tahoma,
sans-serif;" class=""><span class="Apple-converted-space"> </span>John
Bradley [<a moz-do-not-send="true" href="mailto:jbradley@mac.com" class="">mailto:jbradley@mac.com</a>]<span class="Apple-converted-space"> </span><br class="">
<b class="">Sent:</b><span class="Apple-converted-space"> </span>Friday,
27 November 2015 20:02<br class="">
<b class="">To:</b><span class="Apple-converted-space"> </span>Lodderstedt,
Torsten<br class="">
<b class="">Cc:</b><span class="Apple-converted-space"> </span><a moz-do-not-send="true" href="mailto:openid-specs-mobile-profile@lists.openid.net" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br class="">
<b class="">Subject:</b><span class="Apple-converted-space"> </span>Re:
[Openid-specs-mobile-profile] ACR values<o:p class=""></o:p></span></div>
</div>
</div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
font-family: 'Times New Roman', serif;" class="">That
is true but normally the levels are not defined in a
protocol document. They would be in a trust
framework document that details how to conform to
them including all the legal and business practice
agreements.<o:p class=""></o:p></div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">All we can say is that all of that is
dealt with someplace else and the URI indicates the
means by which the subject was most recently
authenticated.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">One of the hard things with LoA is that
better might be subjective. There is no guarantee
in general that one is better than another as they
might theoretically mitigate different risks.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">For MODRNA LoA it looks like we are going
to have three dimensions for what would normally
all be bound up in a single loa number in
29115/SP800-63<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">a) Identity proofed [ “True” ,
“False”] (can the IdP legally identify
the subject)<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">b) Proof of Possession [ “True” ,
“False”] (in 800-63 PoP is required for LoA
4, but we can deal with it separately in the
protocol)<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">c) Strength of Primary credential [
“single factor”, “multi-factor soft-key”,
“multi-factor hard key” ]<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">In the first stage we are only asserting
non proofed subjects.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">That gives us three levels now and
eventually six to plan for.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">In reality the user will have a token
with a HW or software key, so as a RP asking
specifically for one or the other doesn’t make
much sense.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">As a RP I think that you want to be able
to say force the user to 2nd factor if their
current login is single factor, or I will take
what the user is logged in as.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">Let’s assume for the moment that amr in
the response can differentiate between hard and
soft keys.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">That would leave us with two acr values
to ask for. Let’s call them 1F and 2F for the
moment. <o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">That would give us:<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">[ “1F” ] == Give me what the user has
logged in at, don’t force step up.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">[ “2F” , "1F" ] == Force the user to do
two factor if their device supports it, but I will
take single if that is all their device supports.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">[ “2F” ] == Force the user to
do two factor if their device supports it, return
an error if 2F is not available.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">In the response the “amr” will indicate
if the authentication was with HW or SW based
keys.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">It strikes me that trying to add another
LoA complicates things for the RP. <o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">I suspect that for initial login most
sites will want [ “1F” ] and do [ “2F” , "1F" ]
for step up around specific transactions. <o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">Banks will want [ “2F” , "1F" ] all the
time.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">Asking for [ “2F” ] on its own is not as
useful as asking for [ “2F” , "1F" ]; at least if
you get back a LoA with “1F” then you know it is
probably the correct person, as opposed to any
random person who could generate an error. At
that point you can guide them through some other
step up or tell them to use a different device,
etc. However, some people may have limited RP
logic and be happier with an error.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">So as an example if the user has
authenticated with “2F” but the RP asks for [
“1F” ] then we would expect the IdP not to prompt
(assuming max-age is ok) and return “2F” as the
acr in the response along with an amr indicating if
the key was HW or SW protected. <o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">It might make sense in non modrna cases
to have a RP specifically ask for a HW backed
multi-factor. The IdP could force the user to
use a smart card with match on card biometrics on
a different computer, rather than using the soft
token on the phone. However, I don’t think that
is our use-case, and having an extra thing the RP
can ask for just adds to the complexity.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">If we need to have three for some
political reason I would have the IdP treat the
two multi-factor as equivalent in the request, and
only differentiated in the response.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">Thoughts on paring it down to two?<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class="">John B.<o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
</div>
<div class="">
<div class="">
<blockquote style="margin-top: 5pt; margin-bottom:
5pt;" class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class="">On Nov 27, 2015, at
2:19 PM, Lodderstedt, Torsten <<a moz-do-not-send="true" href="mailto:t.lodderstedt@telekom.de" style="color: purple; text-decoration:
underline;" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:t.lodderstedt@telekom.de">t.lodderstedt@telekom.de</a>>
wrote:<o:p class=""></o:p></div>
</div>
<div style="margin: 0cm 0cm 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""><span style="font-size: 11pt; font-family:
Calibri, sans-serif; color: rgb(31, 73,
125);" class="" lang="EN-US">As a RP, I
would prefer to send the minimal level I
would like the OP to fulfill, e.g. mc2,
and I would accept if the OP did better,
i.e. authenticated using mc3.</span><o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""><span style="font-size: 11pt; font-family:
Calibri, sans-serif; color: rgb(31, 73,
125);" class="" lang="EN-US"> </span><o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""><span style="font-size: 11pt; font-family:
Calibri, sans-serif; color: rgb(31, 73,
125);" class="" lang="EN-US">I think it
is equally important to be clear on the
meaning of the levels. Otherwise, the RP
does not know what to expect and the OP
does not know exactly what to
implement.</span><o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""><span style="font-size: 11pt; font-family:
Calibri, sans-serif; color: rgb(31, 73,
125);" class="" lang="EN-US"> </span><o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""><span style="font-size: 11pt; font-family:
Calibri, sans-serif; color: rgb(31, 73,
125);" class="" lang="EN-US">Best
regards,</span><o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""><span style="font-size: 11pt; font-family:
Calibri, sans-serif; color: rgb(31, 73,
125);" class="" lang="EN-US">Torsten.</span><o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""><span style="font-size: 11pt; font-family:
Calibri, sans-serif; color: rgb(31, 73,
125);" class="" lang="EN-US"> </span><o:p class=""></o:p></div>
</div>
<div class="">
<div style="border-style: solid none none;
border-top-color: rgb(181, 196, 223);
border-top-width: 1pt; padding: 3pt 0cm
0cm;" class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times
New Roman', serif;" class=""><b class=""><span style="font-size:
10pt; font-family: Tahoma,
sans-serif;" class="">From:</span></b><span class="apple-converted-space"><span style="font-size: 10pt;
font-family: Tahoma, sans-serif;" class=""> </span></span><span style="font-size: 10pt; font-family:
Tahoma, sans-serif;" class="">John
Bradley [<a moz-do-not-send="true" href="mailto:jbradley@mac.com" style="color: purple;
text-decoration: underline;" class="">mailto:jbradley@mac.com</a>]<span class="apple-converted-space"> </span><br class="">
<b class="">Sent:</b><span class="apple-converted-space"> </span>Friday,
27 November 2015 15:14<br class="">
<b class="">To:</b><span class="apple-converted-space"> </span>Lodderstedt,
Torsten<br class="">
<b class="">Cc:</b><span class="apple-converted-space"> </span><a moz-do-not-send="true" href="mailto:philippe.clement@orange.com" style="color: purple;
text-decoration: underline;" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:philippe.clement@orange.com">philippe.clement@orange.com</a>;<span class="Apple-converted-space"> </span><a moz-do-not-send="true" href="mailto:openid-specs-mobile-profile@lists.openid.net" style="color: purple;
text-decoration: underline;" class=""></a><a class="moz-txt-link-abbreviated" href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br class="">
<b class="">Subject:</b><span class="apple-converted-space"> </span>Re:
[Openid-specs-mobile-profile] ACR
values</span><o:p class=""></o:p></div>
</div>
</div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""> <o:p class=""></o:p></div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class="">That is not the
normal behaviour for Connect when using
the query parameter. <o:p class=""></o:p></div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class="">We had much
debate at the time. <o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""> <o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class="">We can achieve
that with server side policy however. <o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""> <o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class="">What I think
people want is to send a list in
preference order eg [ “mc-2”, “mc-3” ] <o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""> <o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class="">The IdP must
try to do the highest one in the list
that the user’s device supports; if that
fails then the IdP will return an error.<o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""> <o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class="">That is the
semantic if you make it an essential
claim in the request object.<o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""> <o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class="">Normally if the
device only supported “mc-1” or “mc-4”
the IdP could try that and return it if
successful. <o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""> <o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class="">I suppose that
we could say that if the user can be
authenticated at a higher level by the
IdP it can do that and return a lower
level from the requested list.<o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""> <o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class="">This is
probably more important to be clear on
than the levels themselves in some ways.<o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""> <o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class="">Is that the
behaviour we want to require of the IdP?<o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""> <o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class="">John B.<o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""> <o:p class=""></o:p></div>
</div>
<div class="">
<blockquote style="margin-top: 5pt;
margin-bottom: 5pt;" class="">
<div class="">
<div class="">
<div style="margin: 0cm 0cm
0.0001pt; font-size: 12pt;
font-family: 'Times New Roman',
serif;" class="">On Nov 27, 2015,
at 8:51 AM, Lodderstedt, Torsten
<<a moz-do-not-send="true" href="mailto:t.lodderstedt@telekom.de" style="color: purple;
text-decoration: underline;" class=""><span style="color:
purple;" class="">t.lodderstedt@telekom.de</span></a>>
wrote:<o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times
New Roman', serif;" class=""> <o:p class=""></o:p></div>
</div>
<div class="">
<div class="">
<div class="">
<div class="">
<div style="margin: 0cm 0cm
0.0001pt; font-size: 12pt;
font-family: 'Times New
Roman', serif;" class=""><span style="color: rgb(31, 73,
125);" class="" lang="EN-US">></span><span class="" lang="EN-US">If the
IdP can't supply one of the
acr values by getting the
user to step up then it must
return a failed
authentication<span class="apple-converted-space"><span style="color: rgb(31,
73, 125);" class=""> </span></span>attempt.</span><o:p class=""></o:p></div>
</div>
</div>
</div>
<div class="">
<div class="">
<div class="">
<div style="margin: 0cm 0cm
0.0001pt; font-size: 12pt;
font-family: 'Times New
Roman', serif;" class=""><span style="color: rgb(31, 73,
125);" class="" lang="EN-US"> </span><o:p class=""></o:p></div>
</div>
</div>
<div class="">
<div class="">
<div style="margin: 0cm 0cm
0.0001pt; font-size: 12pt;
font-family: 'Times New
Roman', serif;" class=""><span style="font-size: 11pt;
font-family: Calibri,
sans-serif; color: rgb(31,
73, 125);" class="" lang="EN-US">I think this is
the desired behavior for
MODRNA</span><o:p class=""></o:p></div>
</div>
</div>
</div>
<div class="">
<div style="margin: 0cm 0cm
0.0001pt; font-size: 12pt;
font-family: 'Times New Roman',
serif;" class=""><span style="font-size: 9pt;
font-family: Helvetica,
sans-serif;" class="">_______________________________________________<br class="">
Openid-specs-mobile-profile
mailing list<br class="">
</span><a moz-do-not-send="true" href="mailto:Openid-specs-mobile-profile@lists.openid.net" style="color: purple;
text-decoration: underline;" class=""><span style="font-size:
9pt; font-family: Helvetica,
sans-serif; color: purple;" class="">Openid-specs-mobile-profile@lists.openid.net</span></a><span style="font-size: 9pt;
font-family: Helvetica,
sans-serif;" class=""><br class="">
</span><a moz-do-not-send="true" href="http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile" style="color: purple;
text-decoration: underline;" class=""><span style="font-size:
9pt; font-family: Helvetica,
sans-serif; color: purple;" class="">http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile</span></a><o:p class=""></o:p></div>
</div>
</div>
</blockquote>
</div>
<div class="">
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""> <o:p class=""></o:p></div>
</div>
</div>
<div style="margin: 0cm 0cm 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif;" class=""></div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
<br class="">
</div>
</div></blockquote></div><br class=""></div></body></html>