<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Helvetica Neue";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-CA link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal>One thing to look at is the overlap between this and the OAuth Device flow. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><a href="https://tools.ietf.org/html/draft-ietf-oauth-device-flow">https://tools.ietf.org/html/draft-ietf-oauth-device-flow</a></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>That could allow both the current method of the user entering the URL into there browser or the user entering a phone number into the device and pushing the URL or confirmation request to the phone. </p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I think some people have been looking at the latter.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>John B.</p><p class=MsoNormal>Sent from <a href="https://go.microsoft.com/fwlink/?LinkId=550986">Mail</a> for Windows 10</p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='border:none;padding:0cm'><b>From: </b><a href="mailto:torsten@lodderstedt.net">Torsten Lodderstedt</a><br><b>Sent: </b>July 9, 2016 1:30 AM<br><b>To: </b><a href="mailto:ve7jtb@ve7jtb.com">John Bradley</a><br><b>Cc: </b><a href="mailto:gonzalo.fernandezrodriguez@telefonica.com">mobileconnect</a>; <a href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a>; <a href="mailto:Torsten.Lodderstedt@telekom.de">Torsten.Lodderstedt@telekom.de</a><br><b>Subject: </b>Re: [Openid-specs-mobile-profile] Server Initiation Authentication</p></div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>Hi John,</span><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>in the WG call, we also came to the conclusion that a direct approach where RP and OP directly exchange messages is prefered.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>best regards,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>Torsten.<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><br>Am 08.07.2016 um 18:26 schrieb John Bradley <<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>>:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>We have two things that we need.<o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>1. Server initiated backchannel authentication.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>2. Server initiated backchannel authorization.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>To my mind they are related, in both cases the client needs to know exactly who the user is to make the request. <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>That is different from the front channel where you can send a hint about the user but don’t need to know who they are upfront because the user is in the flow and could select a different account.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>The difference is really just what is being authorized.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>OAuth has server to server flows now, Resource owner credentials. Client credentials, and JWT assertion.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>I think trying to use a browser redirect flow in the back channel is just a bad design, as you get all of the pain and no real benefit other than the AS not needing another endpoint.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>I would prefer to have the client make a direct authenticated call to the token endpoint. We have Connect signed requests now that could be reused as a assertion containing the request. That can return AT directly, and that can be used to poll a new endpoint for the response.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>One question I have is if there is really a performance benefit to actively polling as opposed to just waiting for the token endpoint call to return.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>The other thing that might be possible is to return a refresh token immediately, then the client could use that to poll the token endpoint until a response is available.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>Adding polling to OAuth is the biggest problem here, but probably applies to both authentication and authorization.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>John B.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>On Jun 26, 2016, at 7:37 AM, mobileconnect <<a href="mailto:gonzalo.fernandezrodriguez@telefonica.com">gonzalo.fernandezrodriguez@telefonica.com</a>> wrote:<o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p><div><div><div><p class=MsoNormal><span style='font-size:10.5pt'>Hi Guys,</span><span style='font-size:10.5pt'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt'>We agreed to find out a solution for the Server initiation authentication, below you can find a first analyse with some possible solutions to discuss. I have added some diagrams to illustrate them (probably they have some errors).<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt'>Tomorrow I am travelling to Brazil and I am not sure If I will be able to attend our call, but I will try it.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><b><span style='font-size:10.5pt'>SEVER INITIATION AUTH</span></b><span style='font-size:10.5pt'><o:p></o:p></span></p></div><div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'>As the authorisation code flow is a flow based on redirections, the client need to be able to follow HTTP redirections, this is something obvious for a web browser and nowadays is not a problem for a server because there are libraries in almost all the languages able to do it. Just using a parameter (e.g: prompt= RP or prompt= server, …) to indicate to the Identity Provider that the interaction is initiated by a sever will be sufficient to not send any html in the response to be rendered in the client side.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'>However the key problem is when the user is being authenticated by the selected authenticator, this interaction happens with a direct call from the client to the authenticator (or adapter), and, as the authentication takes place in a mobile device, it could takes a long time, what force us to return an HTTP 200 OK response immediately, and ends up in the redirection flow cut. When the client is a web browser this is not a problem because the 200 OK response can contain a body with a javascript code that will be executed in the browser to continue with the interactions without needing any additional code in the server side, that is, the client is only worried about making the <b>GET /authroize</b> request and the <b>POST /Token</b> request.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'>In case we don’t have a web browser in the client side but a server, we need somehow to avoid the communication cut and allow the client (server) to continue with an http flow to be able to receive the final redirection with the code and then get the token with the <b>POST /Token</b> request. To solve this problem I would consider the follow options:<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><o:p> </o:p></span></p></div><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0 width="100%" style='width:100.0%;border-collapse:collapse'><tr><td width="33%" style='width:33.32%;border:solid #DBDBDB 1.0pt;padding:7.5pt 7.5pt 7.5pt 7.5pt'><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>OPTIONS</span><span style='font-size:10.5pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p></div></td><td width="33%" style='width:33.32%;border:solid #DBDBDB 1.0pt;border-left:none;padding:7.5pt 7.5pt 7.5pt 7.5pt'><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>PROS<o:p></o:p></span></p></div></td><td width="33%" style='width:33.32%;border:solid #DBDBDB 1.0pt;border-left:none;padding:7.5pt 7.5pt 7.5pt 7.5pt'><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>CONS<o:p></o:p></span></p></div></td></tr><tr><td width="33%" style='width:33.32%;border:solid #DBDBDB 1.0pt;border-top:none;padding:7.5pt 7.5pt 7.5pt 7.5pt'><div><p class=MsoNormal><b><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>Extend the Authentication flow with an standard Polling endpoint</span></b><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>: we would need to standardise the initial response to an authenticator, returning a TransactionID, (maybe with more parameters like interval, instant, etc) (step 4) when the authenticator receives the request to authenticate the user. The RP in this case shall poll the ID-GW until it gets a redirection response with the code to get the Token. The ID-GW must also not return <o:p></o:p></span></p></div></td><td width="33%" style='width:33.32%;border-top:none;border-left:none;border-bottom:solid #DBDBDB 1.0pt;border-right:solid #DBDBDB 1.0pt;padding:7.5pt 7.5pt 7.5pt 7.5pt'><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>- Easy to implement<o:p></o:p></span></p></div></td><td width="33%" style='width:33.32%;border-top:none;border-left:none;border-bottom:solid #DBDBDB 1.0pt;border-right:solid #DBDBDB 1.0pt;padding:7.5pt 7.5pt 7.5pt 7.5pt'><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>- Needs a little implementation on the Server (Relay Party)<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>- Needs to implement something on the Identity Provider (authenticators or adapters) to differentiate the server initiated case and not render any HTML.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>- Impact on the RP server performance<o:p></o:p></span></p></div></td></tr><tr><td width="33%" style='width:33.32%;border:solid #DBDBDB 1.0pt;border-top:none;padding:7.5pt 7.5pt 7.5pt 7.5pt'><div><p class=MsoNormal><b><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>Extend the Authentication flow with Polling redirection</span></b><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>: in this case the ID-GW would return a redirection to automatically poll the result of the authentication, each poll request would return in turn other redirection with another poll request in case the authentication is still ongoing or with the code to get the Token in case the authentication is already done.<o:p></o:p></span></p></div></td><td width="33%" style='width:33.32%;border-top:none;border-left:none;border-bottom:solid #DBDBDB 1.0pt;border-right:solid #DBDBDB 1.0pt;padding:7.5pt 7.5pt 7.5pt 7.5pt'><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>- Easy to implement<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>- No need any additional implementations or modifications on the <o:p></o:p></span></p></div></td><td width="33%" style='width:33.32%;border-top:none;border-left:none;border-bottom:solid #DBDBDB 1.0pt;border-right:solid #DBDBDB 1.0pt;padding:7.5pt 7.5pt 7.5pt 7.5pt'><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>- Needs to implement something on the Identity Provider (authenticators or adapters) to differentiate the server initiated case and not render any HTML.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>- Impact on the RP server performance.<o:p></o:p></span></p></div></td></tr><tr><td width="33%" style='width:33.32%;border:solid #DBDBDB 1.0pt;border-top:none;padding:7.5pt 7.5pt 7.5pt 7.5pt'><div><p class=MsoNormal><b><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>Headless web-browser</span></b><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>: use a library in the server side that behaves like a web browser but without graphic interface. Here you can find an exhaust list of them: <a href="https://github.com/dhamaniasad/HeadlessBrowsers">https://github.com/dhamaniasad/HeadlessBrowsers</a>.<o:p></o:p></span></p></div></td><td width="33%" style='width:33.32%;border-top:none;border-left:none;border-bottom:solid #DBDBDB 1.0pt;border-right:solid #DBDBDB 1.0pt;padding:7.5pt 7.5pt 7.5pt 7.5pt'><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>- No need any additional implementations or modifications on the Identity Provider nor in the Relay Party<o:p></o:p></span></p></div></td><td width="33%" style='width:33.32%;border-top:none;border-left:none;border-bottom:solid #DBDBDB 1.0pt;border-right:solid #DBDBDB 1.0pt;padding:7.5pt 7.5pt 7.5pt 7.5pt'><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>- They usually have limitations: we would need them to be able to offer an API and <o:p></o:p></span></p></div></td></tr><tr><td width="33%" style='width:33.32%;border:solid #DBDBDB 1.0pt;border-top:none;padding:7.5pt 7.5pt 7.5pt 7.5pt'><div><p class=MsoNormal><b><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>New Authentication flow</span></b><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>: it would consist of a new Oauth flow to initiate an authorisation request with an HTTP POST request from a backend. The request would be authenticated and it would allow to return the token without needing an intermediate code.<o:p></o:p></span></p></div></td><td width="33%" style='width:33.32%;border-top:none;border-left:none;border-bottom:solid #DBDBDB 1.0pt;border-right:solid #DBDBDB 1.0pt;padding:7.5pt 7.5pt 7.5pt 7.5pt'><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>- The Relay Party can receive the token directly without any code interchange.<o:p></o:p></span></p></div></td><td width="33%" style='width:33.32%;border-top:none;border-left:none;border-bottom:solid #DBDBDB 1.0pt;border-right:solid #DBDBDB 1.0pt;padding:7.5pt 7.5pt 7.5pt 7.5pt'><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>- New OAut 2.0 flow. It is necessary to modify an standard.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>- Needs implementation in the server side (Relay Party)<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Times New Roman",serif'>- Needs implementation in the Identity Provider: the authenticators must be exposed with API’s instead of using redirections.<o:p></o:p></span></p></div></td></tr></table><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><b><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'>Standardising a Polling Endpoint</span></b><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><085B653B-16CC-4BC4-AA59-679A185C78ED.png><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><b><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'>Polling Redirection</span></b><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><4FAC7AFE-1DD3-4FFC-BB45-E25D51FA1EF6.png><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><b><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'>New Oauth 2.0 Flow</span></b><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt;font-family:"Helvetica Neue",serif'><6BDE2D0D-76E8-425F-8294-2FFF94A22F08.png><o:p></o:p></span></p></div></div><div><p class=MsoNormal><span style='font-size:10.5pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt'>Best,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt'>Gonza.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.5pt'><o:p> </o:p></span></p></div><p class=MsoNormal><span style='font-size:10.5pt'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:10.5pt'><img border=0 width=280 height=1 style='width:2.9166in;height:.0069in' id="Horizontal_x0020_Line_x0020_1" src="cid:image001.png@01D1DCEF.7563BC20"></span><span style='font-size:10.5pt'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:7.5pt;font-family:"Arial",sans-serif;color:gray'><br>Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.<br><br>The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.<br><br>Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição</span><span style='font-size:10.5pt'><o:p></o:p></span></p></div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>_______________________________________________<br>Openid-specs-mobile-profile mailing list<br><a href="mailto:Openid-specs-mobile-profile@lists.openid.net">Openid-specs-mobile-profile@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile">http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile</a></span><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p></o:p></span></p></div></blockquote></div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman",serif'><o:p> </o:p></span></p></div></div></blockquote><p class=MsoNormal style='mso-margin-top-alt:5.0pt;margin-right:36.0pt;margin-bottom:5.0pt;margin-left:36.0pt'><span style='font-size:12.0pt;font-family:"Times New Roman",serif'>_______________________________________________<br>Openid-specs-mobile-profile mailing list<br><a href="mailto:Openid-specs-mobile-profile@lists.openid.net">Openid-specs-mobile-profile@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile">http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile</a><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>