<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
pre
{mso-style-priority:99;
mso-style-link:"Préformaté HTML Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Texte de bulles Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.PrformatHTMLCar
{mso-style-name:"Préformaté HTML Car";
mso-style-priority:99;
mso-style-link:"Préformaté HTML";
font-family:Consolas;}
span.TextedebullesCar
{mso-style-name:"Texte de bulles Car";
mso-style-priority:99;
mso-style-link:"Texte de bulles";
font-family:"Tahoma","sans-serif";}
p.htmlvorformatiert, li.htmlvorformatiert, div.htmlvorformatiert
{mso-style-name:htmlvorformatiert;
mso-style-priority:99;
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.msochpdefault, li.msochpdefault, div.msochpdefault
{mso-style-name:msochpdefault;
mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
p.HTMLVorformatiert0, li.HTMLVorformatiert0, div.HTMLVorformatiert0
{mso-style-name:"HTML Vorformatiert";
mso-style-link:"HTML Vorformatiert Zchn";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.HTMLVorformatiertZchn
{mso-style-name:"HTML Vorformatiert Zchn";
mso-style-priority:99;
mso-style-link:"HTML Vorformatiert";
font-family:Consolas;}
p.Sprechblasentext, li.Sprechblasentext, div.Sprechblasentext
{mso-style-name:Sprechblasentext;
mso-style-link:"Sprechblasentext Zchn";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.SprechblasentextZchn
{mso-style-name:"Sprechblasentext Zchn";
mso-style-priority:99;
mso-style-link:Sprechblasentext;
font-family:"Tahoma","sans-serif";}
span.prformathtmlcar0
{mso-style-name:prformathtmlcar;
font-family:Consolas;}
span.emailstyle19
{mso-style-name:emailstyle19;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.htmlvorformatiertzchn0
{mso-style-name:htmlvorformatiertzchn;
font-family:Consolas;}
span.emailstyle22
{mso-style-name:emailstyle22;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.emailstyle24
{mso-style-name:emailstyle24;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.textedebullescar0
{mso-style-name:textedebullescar;
font-family:"Tahoma","sans-serif";}
span.EmailStyle35
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle36
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle37
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle38
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle40
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:2111006191;
mso-list-type:hybrid;
mso-list-template-ids:-1868037294 1963234146 67895299 67895301 67895297 67895299 67895301 67895297 67895299 67895301;}
@list l0:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="FR" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">AMEA = AFrica, Middle-East, Asia,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">De :</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Torsten.Lodderstedt@telekom.de [mailto:Torsten.Lodderstedt@telekom.de]
<br>
<b>Envoyé :</b> jeudi 1 décembre 2016 16:00<br>
<b>À :</b> AILLERY Nicolas IMT/OLPS<br>
<b>Cc :</b> openid-specs-mobile-profile@lists.openid.net<br>
<b>Objet :</b> AW: [UQ API] SMS OTP requirement<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="DE" style="color:#1F497D">AMEA stands for?</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="DE" style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="DE" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Von:</span></b><span lang="DE" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Openid-specs-mobile-profile [<a href="mailto:openid-specs-mobile-profile-bounces@lists.openid.net">mailto:openid-specs-mobile-profile-bounces@lists.openid.net</a>]
<b>Im Auftrag von </b><a href="mailto:nicolas.aillery@orange.com">nicolas.aillery@orange.com</a><br>
<b>Gesendet:</b> Donnerstag, 1. Dezember 2016 15:33<br>
<b>An:</b> Lodderstedt, Torsten<br>
<b>Cc:</b> <a href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br>
<b>Betreff:</b> Re: [Openid-specs-mobile-profile] [UQ API] SMS OTP requirement</span><span lang="DE"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="DE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Torsten,</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> In AMEA (lots of basic phones, limited mobile data), a basic mechanism, like SMS OTP, makes sense,</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Nicolas</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">De :</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><a href="mailto:Torsten.Lodderstedt@telekom.de"><span lang="EN-US">Torsten.Lodderstedt@telekom.de</span></a></span><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
[</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><a href="mailto:Torsten.Lodderstedt@telekom.de"><span lang="EN-US">mailto:Torsten.Lodderstedt@telekom.de</span></a></span><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">]
<br>
<b>Envoyé :</b> jeudi 1 décembre 2016 13:48<br>
<b>À :</b> AILLERY Nicolas IMT/OLPS<br>
<b>Cc :</b> </span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><a href="mailto:openid-specs-mobile-profile@lists.openid.net"><span lang="EN-US">openid-specs-mobile-profile@lists.openid.net</span></a></span><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><br>
<b>Objet :</b> AW: [UQ API] SMS OTP requirement</span><span lang="DE"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Hi Nicolas,</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">I buy argument 2 (as argument 1 is covered by SMS-URL). But for which markets is this relevant?</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">best regards,</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Torsten.</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="DE" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Von:</span></b><span lang="DE" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Openid-specs-mobile-profile [<a href="mailto:openid-specs-mobile-profile-bounces@lists.openid.net">mailto:openid-specs-mobile-profile-bounces@lists.openid.net</a>]
<b>Im Auftrag von </b><a href="mailto:nicolas.aillery@orange.com">nicolas.aillery@orange.com</a><br>
<b>Gesendet:</b> Donnerstag, 1. Dezember 2016 10:17<br>
<b>An:</b> Lodderstedt, Torsten<br>
<b>Cc:</b> <a href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br>
<b>Betreff:</b> Re: [Openid-specs-mobile-profile] [UQ API] SMS OTP requirement</span><span lang="DE"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="DE"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Torsten,</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> I see 2 advantages in supporting mechnanisms like SMS OTP in the UQ API:
</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span lang="DE"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US" style="color:#1F497D">Offering a unique API to Client</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span lang="DE"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US" style="color:#1F497D">Addressing any user (even those with a very basic phone)</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Regards,</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Nicolas</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">De :</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><a href="mailto:Torsten.Lodderstedt@telekom.de"><span lang="EN-US">Torsten.Lodderstedt@telekom.de</span></a></span><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
[</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><a href="mailto:Torsten.Lodderstedt@telekom.de"><span lang="EN-US">mailto:Torsten.Lodderstedt@telekom.de</span></a></span><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">]
<br>
<b>Envoyé :</b> jeudi 1 décembre 2016 09:43<br>
<b>À :</b> AILLERY Nicolas IMT/OLPS<br>
<b>Cc :</b> </span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""><a href="mailto:openid-specs-mobile-profile@lists.openid.net"><span lang="EN-US">openid-specs-mobile-profile@lists.openid.net</span></a></span><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">;
MARAIS Charles IMT/OLPS; VASSELET Mickaël IMT/OLN; CLEMENT Philippe IMT TECHNO<br>
<b>Objet :</b> RE: [UQ API] SMS OTP requirement</span><span lang="DE"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> </span><span lang="DE"><o:p></o:p></span></p>
<p>Hi Nicolas,<span lang="DE"><o:p></o:p></span></p>
<p>why do you want to reimplement SMS-OTP as it works today? The only difference to SMS-URL is the fact the user needs to transfer the code from the authentication device to the consumption device. Is this seen as security advantage? I see it as a UX burden.<span lang="DE"><o:p></o:p></span></p>
<p>best regards,<span lang="DE"><o:p></o:p></span></p>
<p>Torsten. <span lang="DE"><o:p></o:p></span></p>
<p>-------- Originale Nachricht --------<span lang="DE"><o:p></o:p></span></p>
<p>Betreff: RE: [UQ API] SMS OTP requirement<span lang="DE"><o:p></o:p></span></p>
<p>Von: <a href="mailto:nicolas.aillery@orange.com">nicolas.aillery@orange.com</a><span lang="DE"><o:p></o:p></span></p>
<p>An: 1. Dez. 2016, 09:24<span lang="DE"><o:p></o:p></span></p>
<p>CC: "Lodderstedt, Torsten" <<a href="mailto:Torsten.Lodderstedt@telekom.de">Torsten.Lodderstedt@telekom.de</a>><span lang="DE"><o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span style="color:#1F497D">Hello Torsten,</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> It will work for sure (it’s implemented in Orange’s prototype) but it’s not a universal mechanim like SMS OTP.</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> As UQ API is a server-to-server API, if we use SMS OTP, the User has to enter the OTP on the Client side. But, in order to sign the UserStatementToken, the OP must check the code. So, there is
a need to convey the OTP from the Client to the OP.</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> In the Pulled-by-Client flow, the OTP could be conveyed in a polling request. It would be a minor modification.</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> In the Pushed-to-Client flow, there is no such simple way.</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> Therefore, allowing the Client to add an OTP in the polling request (new query param), could be a way to easily handle the SMS OTP use case,</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Regards,</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Nicolas</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">De :</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:Torsten.Lodderstedt@telekom.de">Torsten.Lodderstedt@telekom.de</a> [<a href="mailto:Torsten.Lodderstedt@telekom.de">mailto:Torsten.Lodderstedt@telekom.de</a>]
<br>
<b>Envoyé :</b> jeudi 1 décembre 2016 09:09<br>
<b>À :</b> AILLERY Nicolas IMT/OLPS; <a href="mailto:openid-specs-mobile-profile@lists.openid.net">
openid-specs-mobile-profile@lists.openid.net</a><br>
<b>Objet :</b> AW: [UQ API] SMS OTP requirement</span><span lang="DE"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"> <span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="DE" style="color:#1F497D">Hi Nicolas,</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="DE" style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">one question: I think one could implement SMS-based authorization without the need to extend the protocol by sending a SMS containing a URL instead of a TAN code. The user either accepts by clicking
on the link or the link opens a web page, where the question is presented to the user along with the different options to answer it.</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">What do you think?</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Best regards,</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Torsten.</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="DE"><o:p></o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="DE" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Von:</span></b><span lang="DE" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Openid-specs-mobile-profile [<a href="mailto:openid-specs-mobile-profile-bounces@lists.openid.net">mailto:openid-specs-mobile-profile-bounces@lists.openid.net</a>]
<b>Im Auftrag von </b><a href="mailto:nicolas.aillery@orange.com">nicolas.aillery@orange.com</a><br>
<b>Gesendet:</b> Mittwoch, 30. November 2016 18:15<br>
<b>An:</b> <a href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br>
<b>Betreff:</b> [Openid-specs-mobile-profile] [UQ API] SMS OTP requirement</span><span lang="DE"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="DE"> <o:p></o:p></span></p>
<p class="MsoNormal">Hello everybody,<span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> In User Questioning API draft 3, we removed the Terminated-by-Client flow that handled user interactions like SMS OTP.</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> In this flow, the User receives a code to enter on the Client GUI, the client then transmit the code to the OP and the OP check if the code is correct. Note that if the code is checked by the Client, the current draft
handles it.</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> Within Orange, the requirement for a SMS OTP (verified by the OP) has been mentioned again.</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> Have other OIF contributors been challenged for such a requirement?</span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"> </span><span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal">Regards,<span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="DE"><o:p></o:p></span></p>
<p class="MsoNormal">Nicolas<span lang="DE"><o:p></o:p></span></p>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">_________________________________________________________________________________________________________________________</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New""> </span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New""> </span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">This message and its attachments may contain confidential or privileged information that may be protected by law;</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">they should not be distributed, used or copied without authorisation.</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">If you have received this email in error, please notify the sender and delete this message and its attachments.</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">Thank you.</span><span lang="DE"><o:p></o:p></span></pre>
</div>
</div>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">_________________________________________________________________________________________________________________________</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New""> </span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New""> </span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">This message and its attachments may contain confidential or privileged information that may be protected by law;</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">they should not be distributed, used or copied without authorisation.</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">If you have received this email in error, please notify the sender and delete this message and its attachments.</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">Thank you.</span><span lang="DE"><o:p></o:p></span></pre>
</div>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">_________________________________________________________________________________________________________________________</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New""> </span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New""> </span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">This message and its attachments may contain confidential or privileged information that may be protected by law;</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">they should not be distributed, used or copied without authorisation.</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">If you have received this email in error, please notify the sender and delete this message and its attachments.</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.</span><span lang="DE"><o:p></o:p></span></pre>
<pre><span style="font-size:10.0pt;font-family:"Courier New"">Thank you.</span><span lang="DE"><o:p></o:p></span></pre>
</div>
<pre>_________________________________________________________________________________________________________________________<span lang="DE"><o:p></o:p></span></pre>
<pre> <span lang="DE"><o:p></o:p></span></pre>
<pre>Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc<span lang="DE"><o:p></o:p></span></pre>
<pre>pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler<span lang="DE"><o:p></o:p></span></pre>
<pre>a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,<span lang="DE"><o:p></o:p></span></pre>
<pre>Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.<span lang="DE"><o:p></o:p></span></pre>
<pre> <span lang="DE"><o:p></o:p></span></pre>
<pre>This message and its attachments may contain confidential or privileged information that may be protected by law;<span lang="DE"><o:p></o:p></span></pre>
<pre>they should not be distributed, used or copied without authorisation.<span lang="DE"><o:p></o:p></span></pre>
<pre>If you have received this email in error, please notify the sender and delete this message and its attachments.<span lang="DE"><o:p></o:p></span></pre>
<pre>As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.<span lang="DE"><o:p></o:p></span></pre>
<pre>Thank you.<span lang="DE"><o:p></o:p></span></pre>
</div>
</div>
<PRE>_________________________________________________________________________________________________________________________
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
</PRE></body>
</html>