<p dir="ltr">I am not arguing for a introspection endpoint.</p>
<p dir="ltr">It would allow the client to do less crypto and have the mno validate the signature. That might also help avoid any problem caused by key rotation. ( I pointed out that since you can have multiple keys in the JWKS that rotation is not a real problem). </p>
<p dir="ltr">If subjects are not stable, the client would need to look in the token to find the old mno to use there introspection endpoint(or you could add extra paramaters). </p>
<p dir="ltr">If sub are stable( what the GSMA proposal was) then the client would not need anything in the JWT (no porting token if I understood) they would look at the old issue in the user record and introspect the subject with them. </p>
<p dir="ltr">The downside of that is that the donating IdP needs to keep all the records to provide the service. </p>
<p dir="ltr">If you can't to put the burden on the old IdP and allow sub to change then you could send the old sub and issuer in the id_token unsigned. The client would then send the sub to the old issuer to get the new issuer from the introspection endpoint. That is essentially the openid 2 flow. By using the signed jwt we eliminate the need for the doner to keep all the old records and run a service. </p>
<p dir="ltr">In the general case the doner might go out of business etc so making the IdP porting in responsible is probably safer. </p>
<p dir="ltr">John B. </p>
<div class="gmail_quote">On Jun 4, 2016 3:52 AM, "Torsten Lodderstedt" <<a href="mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div></div><div>Hi John,</div><div><br></div><div>what is the benefit of having such an introspection endpoint over providing all necessary data in a login response extension?</div><div><br></div><div>How is the RP supposed to determine a ported user account?</div><div><br></div><div>kind regards,</div><div>Torsten.</div><div class="elided-text"><div><br>Am 03.06.2016 um 17:16 schrieb John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>>:<br><br></div><blockquote type="cite"><div>I did make those points.<div><br></div><div>For a Connect migration process we cannot assume that the sub value (pcr format in the GSMA case) will stay the same. In most cases it needs to change.</div><div><br></div><div>I am fine with the GSMA mandating that it stay the same between MNO but that would be a special case and RP should not depend on it or bad things will happen down the road.</div><div><br></div><div>I think that is harder for the MNO and has no real benefit.</div><div><br></div><div>I believe some people at the GSMA want it to stay the same because currently they think that some/ all mobile connect RP are ignoring the issuer.</div><div>That really needs to be corrected is should be a separate issue.</div><div><br></div><div>The one downside of keeping it the same is that it may encourage people to make bad assumptions about the importance of issuer. </div><div>The nuge nuge wink wink yes issuer is required but if you are using mobile connect the sub values are unique and you could just use it as a primary key for your users.</div><div><br></div><div>That could be dpangerious long term and cause serious security issues for RP if they were to treat all open ID connect providers that way.</div><div><br></div><div>My main concern at this point is that the migration spec allow for the sub value to change even if the MNO don’t by policy.</div><div><br></div><div>The issue if the signing keys is not a big one.</div><div><br></div><div>The MNO publishes a JWKS that can contain multiple keys, and each key has its own keyid.</div><div>The MNO doesn’t need to use the same signing key that is used for JWT if that is on a fast rotation. </div><div>Having two porting signing keys in the JWKS and rotating once a year is probably food enough. You could leave a two year window if required.</div><div>These are RSA keys most likely and it used to be that rotating them every five years was good enough, so using the same key for a year for the porting info should not be a big deal.</div><div><br></div><div>You could have a introspection endpoint and pass the signed JWT for the MNO to validate if you want. </div><div><br></div><div>The idea put forward by the GSMA of keeping the PCR stable and having the RP use the old PCR to query a MNO endpoint to get the porting information requires the MNO to keep the old info for longer. It requires the identifier to be stable so would not work for a general connect spec. I appreciate that it is simple for the RP, but I think it rises too many risks.</div><div><br></div><div>John B.</div><div><br></div><div><br></div><div><div><blockquote type="cite"><div>On Jun 3, 2016, at 7:51 AM, <a href="mailto:Torsten.Lodderstedt@telekom.de" target="_blank">Torsten.Lodderstedt@telekom.de</a> wrote:</div><br><div><div style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">HI all,<u></u><u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">did you discuss scoping of sub/PCR values by the issuer value? Will the respective GSMA spec be changed or are Mobile Connect RP/SPs still supposed to recognize an user account based on the sub claim only?<u></u><u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">My hypothesis: if the migration process is implemented properly and uses scoped user ids, then the value of a PCR, which is stable across MNOs, is rather small. The RP just saves the database update in case of the migration process.<u></u><u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">kind regards,<u></u><u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Torsten.<u></u><u></u></span></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span lang="EN-US" style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></div><div><div style="border-style:solid none none;border-top-color:rgb(181,196,223);border-top-width:1pt;padding:3pt 0cm 0cm"><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><b><span style="font-size:10pt;font-family:Tahoma,sans-serif">Von:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif"><span> </span><a href="mailto:philippe.clement@orange.com" target="_blank">philippe.clement@orange.com</a> [<a href="mailto:philippe.clement@orange.com" target="_blank">mailto:philippe.clement@orange.com</a>]<span> </span><br><b>Gesendet:</b><span> </span>Freitag, 3. Juni 2016 11:04<br><b>An:</b><span> </span>Lodderstedt, Torsten; <a href="mailto:openid-specs-mobile-profile@lists.openid.net" target="_blank">openid-specs-mobile-profile@lists.openid.net</a>; John Bradley<br><b>Cc:</b><span> </span><a href="mailto:philippe.clement.ft@gmail.com" target="_blank">philippe.clement.ft@gmail.com</a>; <a href="mailto:philippe.clement.ft@gmail.com" target="_blank">philippe.clement.ft@gmail.com</a><br><b>Betreff:</b><span> </span>RE: MODRNA WG Call June 1st 2016<u></u><u></u></span></div></div></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u></u> <u></u></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Dear all,</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Please consider below a new version of the minutes of our call, following some suggestions from Siva, and contribute if you feel you have to.</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Updates in<span> </span><i>italics</i></span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><br></span><u><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Participants</span></u><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">: John, Bjorn, Nat, Philippe, Siva, Jörg</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span><u><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Agenda</span></u><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"> : Progress on GSMA PCR portability, Change to MC Authorisaiton minutes</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div style="margin-top:5pt;margin-bottom:5pt"><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Symbol;color:rgb(34,34,34)">·</span><span style="font-size:7pt;color:rgb(34,34,34)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Some discussions happened in CPAS about signing JWT and chain migration from a user to different MNOs</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div style="margin-top:5pt;margin-bottom:5pt"><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Symbol;color:rgb(80,0,80)">·</span><span style="font-size:7pt;color:rgb(80,0,80)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">John explains that signing JWT is wishable and not complex for an MNO</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div style="margin-top:5pt;margin-bottom:5pt"><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Symbol;color:rgb(80,0,80)">·</span><span style="font-size:7pt;color:rgb(80,0,80)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">An introspection endpoint is needed on MNO side to attest the signed JWT to the RP. Keys rotating will be taken into account. Special keys for the Use Case ?</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div style="margin-top:5pt;margin-bottom:5pt"><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Symbol;color:rgb(34,34,34)">·</span><span style="font-size:7pt;color:rgb(34,34,34)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Discussion about the PCR and the fact it must be stable in time or different from an MNO to another regarding the same user at the same RP. The generality of the migration process is wishable, so addressing different PCR for the same user at an RP for different MNO is acceptable. On the other hand, the MNO process to create PCR is not standardized yet, and no vision is available on the delay for all MNO to change their PCR method.</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div style="margin-top:5pt;margin-bottom:5pt"><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Symbol;color:rgb(34,34,34)">·</span><span style="font-size:7pt;color:rgb(34,34,34)"> </span><i><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Siva informed forum members that CPAS members agreed the PCR new format (GUID, version 4, RFC 4112) and all MNOs will migrate to generate in this format, ( few MNOs are already working on this migration). PCR new format and migration is being executed as a separate deployment project for the moment. (De-coupled from current Mobile Connect release).</span></i><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div style="margin-top:5pt;margin-bottom:5pt"><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Symbol;color:rgb(34,34,34)">·</span><span style="font-size:7pt;color:rgb(34,34,34)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Discussions about the period while to maintain the migration open for a user at an MNO.</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div style="margin-top:5pt;margin-bottom:5pt"><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Symbol;color:rgb(34,34,34)">·</span><span style="font-size:7pt;color:rgb(34,34,34)"> </span><i><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">John explains that if we keep the same PCR for migration, then it will be Mobile Connect specific migration, and it cannot be made as a generic solution from OpenID Connect specifications. (Perhaps specs can come with multiple options/choice).</span></i><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div style="margin-top:5pt;margin-bottom:5pt"><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Symbol;color:rgb(34,34,34)">·</span><span style="font-size:7pt;color:rgb(34,34,34)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Chain migration: discussions on the management of the signed JWT and which MNOs the JWTs will be addressed to. Proposal: sent each signed JWT to respective MNOs.</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div style="margin-top:5pt;margin-bottom:5pt"><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Symbol;color:rgb(34,34,34)">·</span><span style="font-size:7pt;color:rgb(34,34,34)"> </span><i><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Siva informed forum members of changing the wording in the minutes regarding MC Authorisation since it is creating much confusion for R2 activities. Also informed that MC Authorisation is just a marketing term w.r.t. Mobile Connect, whereas it is “Contextual Authentication” with additional features, which is well aligned with OIDC protocol and fit for purpose in R2. Joerg informed that there would not be a problem to change the minutes.</span></i><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div style="margin-top:5pt;margin-bottom:5pt"><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Symbol;color:rgb(34,34,34)">·</span><span style="font-size:7pt;color:rgb(34,34,34)"> </span><i><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">If agreed/required all Mobile Connect improvements/discussions apply to Mobile Connect future releases only.</span></i><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div style="margin-top:5pt;margin-bottom:5pt"><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-family:Symbol;color:rgb(80,0,80)">·</span><span style="font-size:7pt;color:rgb(80,0,80)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Discussions in CPAS to be led by Siva</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Best regards,</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Philippe</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Tahoma,sans-serif">_____________________________________________<br><b>De :</b><span> </span>CLEMENT Philippe IMT TECHNO<span> </span><br><b>Envoyé :</b><span> </span>jeudi 2 juin 2016 09:41<br><b>À :</b><span> </span><a href="mailto:Torsten.Lodderstedt@telekom.de" style="color:purple;text-decoration:underline" target="_blank">Torsten.Lodderstedt@telekom.de</a>;<span> </span><a href="mailto:openid-specs-mobile-profile@lists.openid.net" style="color:purple;text-decoration:underline" target="_blank">openid-specs-mobile-profile@lists.openid.net</a>; John Bradley<br><b>Cc :</b><span> </span><a href="mailto:philippe.clement.ft@gmail.com" style="color:purple;text-decoration:underline" target="_blank">philippe.clement.ft@gmail.com</a><br><span><b>Objet</b></span><b> :</b><span> </span>MODRNA WG Call June 1st 2016</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Dear all,</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Please find below the preliminary notes of the meeting</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Any error or adjustment needed, please let me know</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Participants</span></u><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">: John, Bjorn, Nat, Philippe, Siva, Jörg</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><u><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Agenda</span></u><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"> : Progress on GSMA PCR portability</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Some discussions happened in CPAS about signing JWT and chain migration from a user to different MNOs</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">John explains that signing JWT is wishable and not complex for an MNO</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">An introspection endpoint is needed on MNO side to attest the signed JWT to the RP. Keys rotating will be taken into account. Special keys for the Use Case ?</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Discussion about the PCR and the fact it must be stable in time or different from an MNO to another regrding the same user at the same RP. The genericity of the migration process is wishable, so addressing different PCR for the same user at an RP for different MNO is acceptable. On the other hand, the MNO process to create PCR is not standardized yet, and no vision is available on the delay for all MNO to change their PCR method.</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Discussions about the period while to maintain the migration open for a user at an MNO.</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Chain migration: discussions on the management of the signed JWT and which MNOs the JWTs will be addressed to. Proposal: sent each signed JWT to respective MNOs.</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Symbol;color:rgb(31,73,125)"><span>·<span style="font-style:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'"> <span> </span></span></span></span><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Discussions in CPAS to be led by Siva<span> </span><u></u><u></u></span></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Kind regards,</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Philippe</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Tahoma,sans-serif">-----Rendez-vous d'origine-----<br><b>De :</b><span> </span><a href="mailto:Torsten.Lodderstedt@telekom.de" style="color:purple;text-decoration:underline" target="_blank">Torsten.Lodderstedt@telekom.de</a><span> </span>[<a href="mailto:Torsten.Lodderstedt@telekom.de" style="color:purple;text-decoration:underline" target="_blank">mailto:Torsten.Lodderstedt@telekom.de</a>]<span> </span><br><b>Envoyé :</b><span> </span>lundi 30 mai 2016 13:55<br><b>À :</b><span> </span><a href="mailto:Torsten.Lodderstedt@telekom.de" style="color:purple;text-decoration:underline" target="_blank">Torsten.Lodderstedt@telekom.de</a>;<span> </span><a href="mailto:openid-specs-mobile-profile@lists.openid.net" style="color:purple;text-decoration:underline" target="_blank">openid-specs-mobile-profile@lists.openid.net</a><br><b>Objet :</b><span> </span>[Openid-specs-mobile-profile] MODRNA WG Call<br><b>Date :</b><span> </span>mercredi 1 juin 2016 16:00-17:00 (UTC+01:00) Amsterdam, Berlin, Berne, Rome, Stockholm, Vienne.<br><b>Où :</b><span> </span><a href="https://global.gotomeeting.com/join/927253461" style="color:purple;text-decoration:underline" target="_blank">https://global.gotomeeting.com/join/927253461</a></span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Calibri,sans-serif">Zeit: Mittwoch, 1. Juni 2016 16:00-17:00 (UTC+01:00) Amsterdam, Berlin, Bern, Rom, Stockholm, Wien.</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Calibri,sans-serif">Ort:<span> </span><a href="https://global.gotomeeting.com/join/927253461" style="color:purple;text-decoration:underline" target="_blank">https://global.gotomeeting.com/join/927253461</a></span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Calibri,sans-serif"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Calibri,sans-serif">Hinweis: Die oben angegebene Abweichung von GMT berücksichtigt keine Anpassungen für Sommerzeit.</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Calibri,sans-serif"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Calibri,sans-serif">*~*~*~*~*~*~*~*~*~*</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Calibri,sans-serif"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Calibri,sans-serif">Hi all,</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Calibri,sans-serif"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Calibri,sans-serif">the objective of this call is to discuss the tasks we came up with during the technical workshop. Please take a look onto the respective issues in our tracker in advance:<span> </span><a href="https://bitbucket.org/openid/mobile/issues?milestone=TWS_DA_05_2016" style="color:purple;text-decoration:underline" target="_blank">https://bitbucket.org/openid/mobile/issues?milestone=TWS_DA_05_2016</a></span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Calibri,sans-serif"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Calibri,sans-serif"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Calibri,sans-serif">best regards,</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Calibri,sans-serif">Torsten.</span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:10pt;font-family:Calibri,sans-serif"> << Fichier: ATT00001.txt >><span> </span></span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><div><div style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"> </span><span style="font-size:11pt;font-family:Arial,sans-serif"><u></u><u></u></span></div></div><pre style="margin:0cm 0cm 0.0001pt;font-size:10pt;font-family:'Courier New'">_________________________________________________________________________________________________________________________<u></u><u></u></pre><pre style="margin:0cm 0cm 0.0001pt;font-size:10pt;font-family:'Courier New'"><u></u> <u></u></pre><pre style="margin:0cm 0cm 0.0001pt;font-size:10pt;font-family:'Courier New'">Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc<u></u><u></u></pre><pre style="margin:0cm 0cm 0.0001pt;font-size:10pt;font-family:'Courier New'">pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler<u></u><u></u></pre><pre style="margin:0cm 0cm 0.0001pt;font-size:10pt;font-family:'Courier New'">a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,<u></u><u></u></pre><pre style="margin:0cm 0cm 0.0001pt;font-size:10pt;font-family:'Courier New'">Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.<u></u><u></u></pre><pre style="margin:0cm 0cm 0.0001pt;font-size:10pt;font-family:'Courier New'"><u></u> <u></u></pre><pre style="margin:0cm 0cm 0.0001pt;font-size:10pt;font-family:'Courier New'">This message and its attachments may contain confidential or privileged information that may be protected by law;<u></u><u></u></pre><pre style="margin:0cm 0cm 0.0001pt;font-size:10pt;font-family:'Courier New'">they should not be distributed, used or copied without authorisation.<u></u><u></u></pre><pre style="margin:0cm 0cm 0.0001pt;font-size:10pt;font-family:'Courier New'">If you have received this email in error, please notify the sender and delete this message and its attachments.<u></u><u></u></pre><pre style="margin:0cm 0cm 0.0001pt;font-size:10pt;font-family:'Courier New'">As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.<u></u><u></u></pre><pre style="margin:0cm 0cm 0.0001pt;font-size:10pt;font-family:'Courier New'">Thank you.<u></u><u></u></pre></div><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">_______________________________________________</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">Openid-specs-mobile-profile mailing list</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="mailto:Openid-specs-mobile-profile@lists.openid.net" style="color:purple;text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank">Openid-specs-mobile-profile@lists.openid.net</a><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><a href="http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile" style="color:purple;text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile</a></div></blockquote></div><br></div></div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Openid-specs-mobile-profile mailing list</span><br><span><a href="mailto:Openid-specs-mobile-profile@lists.openid.net" target="_blank">Openid-specs-mobile-profile@lists.openid.net</a></span><br><span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile</a></span><br></div></blockquote></div></div></blockquote></div>