<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Yes, the document currently calls it single factor, but that is probably too general.<div class=""><br class=""></div>
<div class="">This is one reason I prefer abstract names like silver and gold; that way, as technology changes, you don’t need to change the protocol.</div><div class=""><br class=""></div>
<div class="">So let's describe them and pick names after we agree on the description.</div><div class=""><br class=""></div>
<div class="">Silver:</div>
<div class="">The user is authenticated via possession of a device (phone) containing a secret key.</div>
<div class="">The user is required to provide no additional authentication information to use the key.</div>
<div class="">The user is interactively prompted to confirm the authentication.</div>
<div class="">The storage mechanism for the secret key and other relevant authentication information is returned via the “amr” value.</div>
<div class="">The user is not re-prompted if prompt is not login and max_age is more than the elapsed time since the user last authenticated at this acr.</div><div class=""><br class=""></div>
<div class="">Gold:</div>
<div class="">The user is authenticated via possession of a device (phone) containing a secret key.</div>
<div class="">The user is required to provide additional authentication information via a biometric, PIN code or other appropriate factors such as Bluetooth pairing with a watch.</div>
<div class="">Given suitable mobile device management, unlocking the device is also sufficient along with user confirmation of desire to authenticate.</div>
<div class=""><div class="">The storage mechanism for the secret key and other relevant authentication information is returned via the “amr” value.</div><div class="">The user is not re-prompted if prompt is not login and max_age is more than the elapsed time since the user last authenticated at this acr.</div></div><div class=""><br class=""></div>
<div class="">Platinum:</div>
<div class="">The user is authenticated via possession of a device (phone) containing a secret key.</div>
<div class="">The user is required to provide additional authentication information via a local biometric, or a remote pairing with a biometric-capable device.</div>
<div class="">A PIN or second biometric as a third factor may also be required.</div>
<div class="">Biometric device unlock may be used, but only in conjunction with a PIN code or second biometric.</div>
<div class="">The user is always prompted to authenticate irrespective of the values of prompt and max_age.</div><div class=""><br class=""></div>
<div class="">So all 3 require possession of the phone. Gold and Platinum require a second factor to unlock the phone.</div>
<div class="">Platinum forces the use of a PIN or second biometric.</div><div class=""><br class=""></div>
<div class="">I put in Platinum for argument to show that it is additional risk mitigations that we are interested in,</div>
<div class="">as a single biometric like facial on a phone can be spoofed quite easily. (Talking to Knock Knock, they didn’t find any that they had confidence in as part of UAF if the attacker had a photo of the subject’s face.)</div><div class=""><br class=""></div>
<div class="">So in the ACR</div>
<div class="">[ “Platinum”, “Gold”, “Silver” ] would cause the device to do the highest one possible, but if it is incapable, fall back to a lower one.</div><div class=""><br class=""></div>
<div class="">If we leave the ACR query parameter as is, rather than changing it to essential, then</div><div class=""><br class=""></div>
<div class="">[ “Platinum” ] would do exactly the same thing.</div><div class=""><br class=""></div>
<div class="">If we add the essential semantic to the ACR values then</div>
<div class="">[ “Platinum” ] would return an error if the device can’t support a biometric. You would need to always list them all unless you are willing to get an error.</div><div class=""><br class=""></div>
<div class="">That is my best attempt at trying to describe the scale of risk mitigation represented by the ACR that we are talking about.</div><div class=""><br class=""></div>
<div class="">John B.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div>
<div class=""><div><blockquote type="cite" class=""><div class="">On Nov 29, 2015, at 3:30 PM, Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net" class="">torsten@lodderstedt.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
  
    <meta content="text/html; charset=windows-1252" http-equiv="Content-Type" class="">
  
  <div text="#000000" bgcolor="#FFFFFF" class="">
    Hi John,<br class="">
    <br class="">
    I understand your argument. It's always a trade-off between being
    specific (and risking failed authentication attempts) and being too
    generic (and losing control). I think there is no difference between
    having two LOAs + 2 AMRs on one side or having 3 LOAs, if the AMR is
    required from a RP's perspective to assess the authentication. But
    let's assume we go with two LOAs for single and 2 factor authn.<br class="">
    <br class="">
    I think just single factor won't be enough, as Mobile Connect
    (according to my understanding/interpretation) is about
    password-less single factor authentication. So I assume we need to
    have a certain special single factor authentication ACR value.<br class="">
    <br class="">
    best regards,<br class="">
    Torsten.<br class="">
    <br class="">
    <div class="moz-cite-prefix">On 28.11.2015 at 22:19, John
      Bradley wrote:<br class="">
    </div>
    <blockquote cite="mid:B1A2BB98-ED4B-4658-B24F-2FB3134902FC@mac.com" type="cite" class="">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252" class="">
      Operators will certainly have some users with devices that store
      keys in hardware (SIM) and others that are using software, and
      probably some that are using the HW keychain unlocked by a
      biometric or a pin.  
      <div class=""><br class="">
      </div>
      <div class="">The point I am trying to make is that a user has one
        device.  It will or will not have HW protection for the key.  
        If the RP is too specific about what it asks for all it will do
        is cause failed authentications.</div>
      <div class=""><br class="">
      </div>
      <div class="">I was counting click OK to the SIM applet as single
        factor (Because it is).    In the single factor case the AMR
        would differentiate between a SIM with click OK and a password
        or something else.</div>
      <div class=""><br class="">
      </div>
      <div class="">We can send more specific information back in the
        amr about what happened.</div>
      <div class="">
        <div class=""><br class="">
        </div>
        <div class="">The acr in the request shouldn’t be too specific
          because that just forces the IdP to return an error vs
          something useful.</div>
        <div class=""><br class="">
        </div>
        <div class="">I am basing these observations on the three levels
          in the current document. </div>
        <div class="">Two are effectively the same from a request point
          of view.   Give me an authentication where the user needs to
          locally authenticate to the device.   The only difference will
          be how the key is protected in the hardware and that depends
          on the device.  The RP can’t influence that in a meaningful
          way during authentication.</div>
        <div class=""><br class="">
        </div>
        <div class="">So far I don’t see having more than two LoA in the
          request as being useful from the description.</div>
        <div class=""><br class="">
        </div>
        <div class="">What behaviour at the IdP would the third one
          cause different from the second?</div>
        <div class=""><br class="">
        </div>
        <div class="">It may be that there is something, but it is not
          captured in the description.  That is what I am looking for.</div>
        <div class=""><br class="">
        </div>
        <div class="">John B.</div>
        <div class=""><br class="">
        </div>
        <div class=""><br class="">
        </div>
        <div class=""><br class="">
          <div class="">
            <blockquote type="cite" class="">
              <div class="">On Nov 28, 2015, at 2:51 PM, Lodderstedt,
                Torsten <<a moz-do-not-send="true" href="mailto:t.lodderstedt@telekom.de" class="">t.lodderstedt@telekom.de</a>>
                wrote:</div>
              <br class="Apple-interchange-newline">
              <div class="">
                <div class="WordSection1" style="page: WordSection1;
                  font-family: Helvetica; font-size: 12px; font-style:
                  normal; font-variant: normal; font-weight: normal;
                  letter-spacing: normal; line-height: normal; orphans:
                  auto; text-align: start; text-indent: 0px;
                  text-transform: none; white-space: normal; widows:
                  auto; word-spacing: 0px; -webkit-text-stroke-width:
                  0px;">
                  <div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
                    font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
                      sans-serif; color: rgb(31, 73, 125);" class="">Hi
                      John,<o:p class=""></o:p></span></div>
                  <div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
                    font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
                      sans-serif; color: rgb(31, 73, 125);" class=""> </span></div>
                  <div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
                    font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
                      sans-serif; color: rgb(31, 73, 125);" class="" lang="EN-US">Why doesn’t it make sense for a RP to
                      specifically ask for HW protected keys? I could
                      imagine some operators use software-based keys
                      (which should be ok in some cases) whereas the
                      majority will store them on the SIM card.<span class="Apple-converted-space"> </span><o:p class=""></o:p></span></div>
                  <div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
                    font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
                      sans-serif; color: rgb(31, 73, 125);" class="" lang="EN-US"> </span></div>
                  <div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
                    font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
                      sans-serif; color: rgb(31, 73, 125);" class="" lang="EN-US">And by the way: It’s not just about
                      asking the OP to perform 2nd factor authentication
                      or accept single factor. In the case of Mobile
                      Connect, it is also desirable to ask for certain
                      factors (or better said prohibit knowledge alone)
                      in the single factor case. The predominant example
                      is inherence in the case of SIM applet (click ok).<o:p class=""></o:p></span></div>
                  <div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
                    font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
                      sans-serif; color: rgb(31, 73, 125);" class="" lang="EN-US"> </span></div>
                  <div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
                    font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
                      sans-serif; color: rgb(31, 73, 125);" class="" lang="EN-US">best regards,<o:p class=""></o:p></span></div>
                  <div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
                    font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
                      sans-serif; color: rgb(31, 73, 125);" class="" lang="EN-US">Torsten.<o:p class=""></o:p></span></div>
                  <div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
                    font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri,
                      sans-serif; color: rgb(31, 73, 125);" class="" lang="EN-US"> </span></div>
                  <div class="">
                    <div style="border-style: solid none none;
                      border-top-color: rgb(181, 196, 223);
                      border-top-width: 1pt; padding: 3pt 0cm 0cm;" class="">
                      <div style="margin: 0cm 0cm 0.0001pt; font-size:
                        12pt; font-family: 'Times New Roman', serif;" class=""><b class=""><span style="font-size:
                            10pt; font-family: Tahoma, sans-serif;" class="">From:</span></b><span style="font-size: 10pt; font-family: Tahoma,
                          sans-serif;" class=""><span class="Apple-converted-space"> </span>John
                          Bradley [<a moz-do-not-send="true" href="mailto:jbradley@mac.com" class="">mailto:jbradley@mac.com</a>]<span class="Apple-converted-space"> </span><br class="">
                          <b class="">Sent:</b><span class="Apple-converted-space"> </span>Friday,
                          27 November 2015 20:02<br class="">
                          <b class="">To:</b><span class="Apple-converted-space"> </span>Lodderstedt,
                          Torsten<br class="">
                          <b class="">Cc:</b><span class="Apple-converted-space"> </span><a class="moz-txt-link-abbreviated" href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br class="">
                          <b class="">Subject:</b><span class="Apple-converted-space"> </span>Re:
                          [Openid-specs-mobile-profile] ACR values<o:p class=""></o:p></span></div>
                    </div>
                  </div>
                  <div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
                    font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  <div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt;
                    font-family: 'Times New Roman', serif;" class="">That
                    is true but normally the levels are not defined in a
                    protocol document.   They would be in a trust
                    framework document that details how to conform to
                    them including all the legal and business practice
                    agreements.<o:p class=""></o:p></div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">All we can say is that all of that is
                      dealt with someplace else and the URI indicates the
                      means by which the subject was most recently
                      authenticated.<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">One of the hard things with LoA is that
                      better might be subjective.  There is no guarantee
                      in general that one is better than another as they
                      might theoretically mitigate different risks.<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">For MODRNA LoA it looks like we are going
                      to have three dimensions for what would normally
                      all be bound up in a single loa number in
                      29115/SP800-63<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">a) Identity proofed   [ “True” ,
                       “False”]            (can the IdP legally identify
                      the subject)<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">b) Proof of Possession [ “True” ,
                      “False”]        (in 800-63 PoP is required for LoA
                      4,  but we can deal with it separately in the
                      protocol)<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">c) Strength of Primary credential  [
                      “single factor”, “multi-factor soft-key”,
                      “multi-factor hard key” ]<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">In the first stage we are only asserting
                      non proofed subjects.<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">That gives us three levels now and
                      eventually six to plan for.<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">In reality the user will have a token
                      with a HW or software key, so as a RP asking
                      specifically for one or the other doesn’t make
                      much sense.<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">As a RP I think that you want to be able
                      to say force the user to 2nd factor if their
                      current login is single factor, or I will take
                      what the user is logged in as.<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">Let's assume for the moment that amr in
                      the response can differentiate between hard and
                      soft keys.<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">That would leave us with two acr values
                      to ask for.   Let's call them 1F and 2F for the
                      moment. <o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">That would give us:<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">[ “1F” ]  ==  Give me what the user has
                      logged in at, don’t force step up.<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">[ “2F” , "1F" ]  ==  Force the user to do
                      two factor if their device supports it, but I will
                      take single if that is all their device supports.<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">[ “2F” ]            ==  Force the user to
                      do two factor if their device supports it, return
                      an error if 2F is not available.<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">In the response the “amr” will indicate
                      if the authentication was with  HW or SW based
                      keys.<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">It strikes me that trying to add another
                      LoA complicates things for the RP.  <o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">I suspect that for initial login most
                      sites will want [ “1F” ] and do [ “2F” , "1F" ]
                       for step up around specific transactions.  <o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">Banks will want [ “2F” , "1F" ]  all the
                      time.<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">Asking for [ “2F” ]  on its own is not as
                      useful as asking for [ “2F” , "1F" ]; at least if
                      you get back a LoA with “1F” then you know it is
                      probably the correct person as opposed to any
                      random person who could generate an error, and at
                      that point you can guide them through some other
                      step up or tell them to use a different device
                      etc.  However, some people may have limited RP
                      logic and be happier with an error.<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">So as an example, if the user has
                      authenticated with “2F”  but the RP asks for [
                      “1F” ] then we would expect the IdP not to prompt
                      (assuming max-age is ok)  and return “2F” as the
                      acr in the response along with an amr indicating if
                      the key was HW or SW protected. <o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">It might make sense in non-MODRNA cases
                      to have a RP specifically ask for a HW backed
                      multi-factor.   The IdP could force the user to
                      use a smart card with match-on-card biometrics on
                      a different computer, rather than using the soft
                      token on the phone.  However, I don’t think that
                      is our use-case, and having an extra thing the RP
                      can ask for just adds to the complexity.<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">If we need to have three for some
                      political reason I would have the IdP treat the
                      two multi-factor as equivalent in the request, and
                      only differentiated in the response.<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">Thoughts on paring it down to two?<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class="">John B.<o:p class=""></o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div style="margin: 0cm 0cm 0.0001pt; font-size:
                      12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                  </div>
                  <div class="">
                    <div class="">
                      <blockquote style="margin-top: 5pt; margin-bottom:
                        5pt;" class="">
                        <div class="">
                          <div style="margin: 0cm 0cm 0.0001pt;
                            font-size: 12pt; font-family: 'Times New
                            Roman', serif;" class="">On Nov 27, 2015, at
                            2:19 PM, Lodderstedt, Torsten <<a class="moz-txt-link-abbreviated" href="mailto:t.lodderstedt@telekom.de">t.lodderstedt@telekom.de</a>>
                            wrote:<o:p class=""></o:p></div>
                        </div>
                        <div style="margin: 0cm 0cm 0.0001pt; font-size:
                          12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div>
                        <div class="">
                          <div class="">
                            <div style="margin: 0cm 0cm 0.0001pt;
                              font-size: 12pt; font-family: 'Times New
                              Roman', serif;" class=""><span style="font-size: 11pt; font-family:
                                Calibri, sans-serif; color: rgb(31, 73,
                                125);" class="" lang="EN-US">As an RP, I
                                would prefer to send the minimal level I
                                would like the OP to fulfill, e.g. mc2,
                                and I would accept if the OP did better,
                                i.e. authenticated using mc3.</span><o:p class=""></o:p></div>
                          </div>
                          <div class="">
                            <div style="margin: 0cm 0cm 0.0001pt;
                              font-size: 12pt; font-family: 'Times New
                              Roman', serif;" class=""><span style="font-size: 11pt; font-family:
                                Calibri, sans-serif; color: rgb(31, 73,
                                125);" class="" lang="EN-US"> </span><o:p class=""></o:p></div>
                          </div>
                          <div class="">
                            <div style="margin: 0cm 0cm 0.0001pt;
                              font-size: 12pt; font-family: 'Times New
                              Roman', serif;" class=""><span style="font-size: 11pt; font-family:
                                Calibri, sans-serif; color: rgb(31, 73,
                                125);" class="" lang="EN-US">I think it
                                is equally important to be clear on the
                                meaning of the levels. Otherwise, the RP
                                does not know what to expect and the OP
                                does not know exactly what to
                                implement.</span><o:p class=""></o:p></div>
                          </div>
                          <div class="">
                            <div style="margin: 0cm 0cm 0.0001pt;
                              font-size: 12pt; font-family: 'Times New
                              Roman', serif;" class=""><span style="font-size: 11pt; font-family:
                                Calibri, sans-serif; color: rgb(31, 73,
                                125);" class="" lang="EN-US"> </span><o:p class=""></o:p></div>
                          </div>
                          <div class="">
                            <div style="margin: 0cm 0cm 0.0001pt;
                              font-size: 12pt; font-family: 'Times New
                              Roman', serif;" class=""><span style="font-size: 11pt; font-family:
                                Calibri, sans-serif; color: rgb(31, 73,
                                125);" class="" lang="EN-US">Best
                                regards,</span><o:p class=""></o:p></div>
                          </div>
                          <div class="">
                            <div style="margin: 0cm 0cm 0.0001pt;
                              font-size: 12pt; font-family: 'Times New
                              Roman', serif;" class=""><span style="font-size: 11pt; font-family:
                                Calibri, sans-serif; color: rgb(31, 73,
                                125);" class="" lang="EN-US">Torsten.</span><o:p class=""></o:p></div>
                          </div>
                          <div class="">
                            <div style="margin: 0cm 0cm 0.0001pt;
                              font-size: 12pt; font-family: 'Times New
                              Roman', serif;" class=""><span style="font-size: 11pt; font-family:
                                Calibri, sans-serif; color: rgb(31, 73,
                                125);" class="" lang="EN-US"> </span><o:p class=""></o:p></div>
                          </div>
                          <div class="">
                            <div style="border-style: solid none none;
                              border-top-color: rgb(181, 196, 223);
                              border-top-width: 1pt; padding: 3pt 0cm
                              0cm;" class="">
                              <div class="">
                                <div style="margin: 0cm 0cm 0.0001pt;
                                  font-size: 12pt; font-family: 'Times
                                  New Roman', serif;" class=""><b class=""><span style="font-size:
                                      10pt; font-family: Tahoma,
                                      sans-serif;" class="">From:</span></b><span class="apple-converted-space"><span style="font-size: 10pt;
                                      font-family: Tahoma, sans-serif;" class=""> </span></span><span style="font-size: 10pt; font-family:
                                    Tahoma, sans-serif;" class="">John
                                    Bradley [<a moz-do-not-send="true" href="mailto:jbradley@mac.com" style="color: purple;
                                      text-decoration: underline;" class="">mailto:jbradley@mac.com</a>]<span class="apple-converted-space"> </span><br class="">
                                    <b class="">Sent:</b><span class="apple-converted-space"> </span>Friday,
                                    27 November 2015 15:14<br class="">
                                    <b class="">To:</b><span class="apple-converted-space"> </span>Lodderstedt,
                                    Torsten<br class="">
                                    <b class="">Cc:</b><span class="apple-converted-space"> </span><a class="moz-txt-link-abbreviated" href="mailto:philippe.clement@orange.com">philippe.clement@orange.com</a>;<span class="Apple-converted-space"> </span><a class="moz-txt-link-abbreviated" href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br class="">
                                    <b class="">Subject:</b><span class="apple-converted-space"> </span>Re:
                                    [Openid-specs-mobile-profile] ACR
                                    values</span><o:p class=""></o:p></div>
                              </div>
                            </div>
                          </div>
                          <div class="">
                            <div style="margin: 0cm 0cm 0.0001pt;
                              font-size: 12pt; font-family: 'Times New
                              Roman', serif;" class=""> <o:p class=""></o:p></div>
                          </div>
                          <div class="">
                            <div style="margin: 0cm 0cm 0.0001pt;
                              font-size: 12pt; font-family: 'Times New
                              Roman', serif;" class="">That is not the
                              normal behaviour for Connect when using
                              the query parameter.  <o:p class=""></o:p></div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class="">We had much
                                debate at the time. <o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class=""> <o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class="">We can achieve
                                that with server side policy however.   <o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class=""> <o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class="">What I think
                                people want is to send a list in
                                preference order, e.g. [ “mc-2”, “mc-3” ].<o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class=""> <o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class="">The IdP must
                                try to do the highest one in the list
                                that the user's device supports; if that
                                fails then the IdP will return an error.<o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class=""> <o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class="">That is the
                                semantic if you make it an essential
                                claim in the request object.<o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class=""> <o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class="">Normally if the
                                device only supported “mc-1” or “mc-4”
                                the IdP could try that and return it if
                                successful.<o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class=""> <o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class="">I suppose that
                                we could say that if the user can be
                                authenticated at a higher level by the
                                IdP it can do that and return a lower
                                level from the requested list.<o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class=""> <o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class="">This is
                                probably more important to be clear on
                                than the levels themselves in some ways.<o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class=""> <o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class="">Is that the
                                behaviour we want to require of the IdP?<o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class=""> <o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class="">John B.<o:p class=""></o:p></div>
                            </div>
                          </div>
                          <div class="">
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class=""> <o:p class=""></o:p></div>
                            </div>
                            <div class="">
                              <blockquote style="margin-top: 5pt;
                                margin-bottom: 5pt;" class="">
                                <div class="">
                                  <div class="">
                                    <div style="margin: 0cm 0cm
                                      0.0001pt; font-size: 12pt;
                                      font-family: 'Times New Roman',
                                      serif;" class="">On Nov 27, 2015,
                                      at 8:51 AM, Lodderstedt, Torsten
                                      <<a moz-do-not-send="true" href="mailto:t.lodderstedt@telekom.de" style="color: purple;
                                        text-decoration: underline;" class=""><span style="color:
                                          purple;" class="">t.lodderstedt@telekom.de</span></a>>
                                      wrote:<o:p class=""></o:p></div>
                                  </div>
                                </div>
                                <div class="">
                                  <div style="margin: 0cm 0cm 0.0001pt;
                                    font-size: 12pt; font-family: 'Times
                                    New Roman', serif;" class=""> <o:p class=""></o:p></div>
                                </div>
                                <div class="">
                                  <div class="">
                                    <div class="">
                                      <div class="">
                                        <div style="margin: 0cm 0cm
                                          0.0001pt; font-size: 12pt;
                                          font-family: 'Times New
                                          Roman', serif;" class=""><span style="color: rgb(31, 73,
                                            125);" class="" lang="EN-US">></span><span class="" lang="EN-US">If the
                                            IdP can't supply one of the
                                            acr values by getting the
                                            user to step up then it must
                                            return a failed
                                            authentication attempt.</span><o:p class=""></o:p></div>
                                      </div>
                                    </div>
                                  </div>
                                  <div class="">
                                    <div class="">
                                      <div class="">
                                        <div style="margin: 0cm 0cm
                                          0.0001pt; font-size: 12pt;
                                          font-family: 'Times New
                                          Roman', serif;" class=""><span style="color: rgb(31, 73,
                                            125);" class="" lang="EN-US"> </span><o:p class=""></o:p></div>
                                      </div>
                                    </div>
                                    <div class="">
                                      <div class="">
                                        <div style="margin: 0cm 0cm
                                          0.0001pt; font-size: 12pt;
                                          font-family: 'Times New
                                          Roman', serif;" class=""><span style="font-size: 11pt;
                                            font-family: Calibri,
                                            sans-serif; color: rgb(31,
                                            73, 125);" class="" lang="EN-US">I think this is
                                            the desired behavior for
                                            MODRNA.</span><o:p class=""></o:p></div>
                                      </div>
                                    </div>
                                  </div>
                                  <div class="">
                                    <div style="margin: 0cm 0cm
                                      0.0001pt; font-size: 12pt;
                                      font-family: 'Times New Roman',
                                      serif;" class=""><span style="font-size: 9pt;
                                        font-family: Helvetica,
                                        sans-serif;" class="">_______________________________________________<br class="">
                                        Openid-specs-mobile-profile
                                        mailing list<br class="">
                                      </span><a moz-do-not-send="true" href="mailto:Openid-specs-mobile-profile@lists.openid.net" style="color: purple;
                                        text-decoration: underline;" class=""><span style="font-size:
                                          9pt; font-family: Helvetica,
                                          sans-serif; color: purple;" class="">Openid-specs-mobile-profile@lists.openid.net</span></a><span style="font-size: 9pt;
                                        font-family: Helvetica,
                                        sans-serif;" class=""><br class="">
                                      </span><a moz-do-not-send="true" href="http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile" style="color: purple;
                                        text-decoration: underline;" class=""><span style="font-size:
                                          9pt; font-family: Helvetica,
                                          sans-serif; color: purple;" class="">http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile</span></a><o:p class=""></o:p></div>
                                  </div>
                                </div>
                              </blockquote>
                            </div>
                            <div class="">
                              <div style="margin: 0cm 0cm 0.0001pt;
                                font-size: 12pt; font-family: 'Times New
                                Roman', serif;" class=""> <o:p class=""></o:p></div>
                            </div>
                          </div>
                        </div>
                      </blockquote>
                    </div>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <br class="">
        </div>
      </div>
      <br class="">
    </blockquote>
    <br class="">
  </div>

</div></blockquote></div><br class=""></div></body></html>