<div dir="ltr"><div>Hi all,<br><br>Thanks for a great job on the draft, Torsten. I have some further suggestions:<br><br><div>1) The draft explicitly states that chained migration is out of scope. However, as far as I read the current draft, if we just allow the <u><i>from</i></u> clause of a <u><i>migration_data</i></u> claim to itself contain a nested <u><i>migration_data</i></u> claim, we would have it for free.<br><br>2) We are inflating the size of the id_token a bit. What if we
instead of (or as an alternative to) the <u><i>migration_data</i></u> claim had a <i><u>migration_data_url</u></i> claim, indicating an endpoint that could be accessed to obtain the actual migration data payload? (This
endpoint should be accessed with authorization bearer carrying the
user's access token.)<br><br></div>3) Regarding time-to-live of migration proofs and the required verification key material: I think it would be wise if we gave some thought to how we want to enable RPs to verify migration proofs even if the original OP is unavailable/has retired the required key material. Could we perhaps allow <u><i>migration_data</i></u> to have the alternate form<br><br></div><pre style="font-family:monospace,monospace">{
  "notarized": {
    "iss": "<a href="https://ttp.com">https://ttp.com</a>",
    "iat": 1468925762986,
    "migration_data": "ey..."
  }
}
</pre><div><br></div><div>With the semantics that the signature protecting the encapsulated <i><u>migration_data</u></i> JWT was verified to the issuer's satisfaction at the given time? This presupposes a service at the TTP that could verify a JWT signature and produce a notarized encapsulating JWT, and that the TTP pledged to keep verification key material accessible for a significant amount of time. The RP could then, provided they recognize the issuer of the notarized claim as a trusted third party, use the payload section of the encapsulated JWT without themselves verifying the signature.
(RPs not happy with deferring signature verification can choose to ignore the notarized wrapper and verify the original signature themselves, accepting the life cycle risks of OPs and JWT verification key material.)<br><br></div><div><div>4) On a minor note, it looks like the <u><i>migration_data</i></u> JWT in section 4 does not match the JSON shown below it, which I assume it is intended to.<br><br></div><div>Thanks,<br><br></div><div>Arne.<br><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 2, 2016 at 10:11 AM, <span dir="ltr"><<a href="mailto:Torsten.Lodderstedt@telekom.de" target="_blank">Torsten.Lodderstedt@telekom.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="DE">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Hi all,</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" lang="EN-US">I just republished the draft in order to fix a problem regarding references (thanks
to Axel!). You can find the new version at <a href="http://openid.net/wordpress-content/uploads/2016/08/draft-account-migration-01.html" target="_blank">
http://openid.net/wordpress-content/uploads/2016/08/draft-account-migration-01.html</a></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" lang="EN-US">best regards,</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" lang="EN-US">Torsten.</span></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
Openid-specs-mobile-profile [mailto:<a href="mailto:openid-specs-mobile-profile-bounces@lists.openid.net" target="_blank">openid-specs-mobile-profile-bounces@lists.openid.net</a>]
<b>On behalf of </b>Lodderstedt, Torsten<br>
<b>Sent:</b> Tuesday, 19 July 2016 13:30<br>
<b>To:</b> <a href="mailto:openid-specs-mobile-profile@lists.openid.net" target="_blank">openid-specs-mobile-profile@lists.openid.net</a><br>
<b>Subject:</b> [Openid-specs-mobile-profile] New Version of Account Migration Draft</span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Hi all,</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I just published -01 of the account migration draft at <a href="http://openid.net" target="_blank">openid.net</a> (<a href="http://openid.net/wordpress-content/uploads/2014/04/draft-account-migration-01.html" target="_blank">http://openid.net/wordpress-content/uploads/2014/04/draft-account-migration-01.html</a>).
The source code can be found in our Bitbucket repo.</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">This is a significant rewrite of the specification based on your valuable feedback. Thank you! Although I tried to incorporate all
review comments, please bear with me if I missed a comment. Please let me know, so I can incorporate it in the next revision.</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I applied the following changes to the document:</span></p>
</div>
<ul style="font-size:11.0pt;font-family:"Calibri","sans-serif"">
<li>reorganized the draft</li>
<li>extended introduction and overview</li>
<li>stated scope of the draft and what is currently out of scope</li>
<li>changed terminology from porting to migration</li>
<li>changed migration data structure to be different from an id token</li>
<li>cleaned up references</li>
<li>added initial security considerations</li>
</ul>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Please post your feedback to the list.</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">best regards,</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Torsten.</span></p>
</div>
</div>
</div>
<br>_______________________________________________<br>
Openid-specs-mobile-profile mailing list<br>
<a href="mailto:Openid-specs-mobile-profile@lists.openid.net">Openid-specs-mobile-profile@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile</a><br>
<br></blockquote></div><br></div>
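<p>Added example (not from Arne's message or from the draft): the notarized wrapper proposed in point 3 above, with the TTP's notarization step and an RP that either defers to a trusted TTP or verifies the original OP signature itself. HS256 shared secrets, the key ids op-1 and ttp-1, and the issuer names are illustrative assumptions; only the claim names notarized, iss, iat and migration_data come from the message.</p>

```python
import base64, hashlib, hmac, json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jws_sign(claims: dict, key: bytes, kid: str) -> str:
    """Minimal HS256 JWS, for illustration only; a real OP or TTP would sign with an asymmetric key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def jws_verify(token: str, keys: dict) -> dict:
    """Return the payload if the signature checks against a key we still hold; raise otherwise."""
    header, payload, sig = token.split(".")
    kid = json.loads(_unb64(header))["kid"]
    if kid not in keys:  # the issuer retired the key, or we never had it
        raise KeyError(f"verification key {kid} not available")
    expected = hmac.new(keys[kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(payload))

def notarize(migration_jwt: str, op_keys: dict, ttp_key: bytes, ttp_iss: str, now: int) -> str:
    """Hypothetical TTP service: verify the OP's migration_data JWT now, then wrap it in a
    TTP-signed JWT carrying the 'notarized' claim proposed in point 3."""
    jws_verify(migration_jwt, op_keys)  # the TTP must still hold the OP's key at this moment
    wrapper = {"notarized": {"iss": ttp_iss, "iat": now, "migration_data": migration_jwt}}
    return jws_sign(wrapper, ttp_key, "ttp-1")

def rp_extract(token: str, op_keys: dict, ttp_keys: dict, trusted_ttps: set, defer_to_ttp: bool) -> dict:
    """RP side: recover the migration_data payload from either the plain JWT or the notarized wrapper."""
    claims = json.loads(_unb64(token.split(".")[1]))  # unverified peek, only to tell the two forms apart
    if "notarized" not in claims:
        return jws_verify(token, op_keys)  # plain form: the OP signature must verify
    wrapper = jws_verify(token, ttp_keys)["notarized"]  # wrapper form: the TTP signature must verify
    inner = wrapper["migration_data"]
    if defer_to_ttp and wrapper["iss"] in trusted_ttps:
        # Accept the TTP's verification at wrapper["iat"]; the OP's key is not needed any more.
        return json.loads(_unb64(inner.split(".")[1]))
    return jws_verify(inner, op_keys)  # ignore the wrapper and verify the OP signature ourselves
```

The scenario worth reproducing is an OP that has retired its key after notarization: the deferring RP still recovers the payload from the wrapper, while an RP that insists on verifying the OP signature itself gets the key-unavailable error.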