<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-2022-jp">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"MS PGothic";
        panose-1:2 11 6 0 7 2 5 8 2 4;}
@font-face
        {font-family:"\@MS PGothic";
        panose-1:2 11 6 0 7 2 5 8 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
        {mso-style-priority:99;
        mso-style-link:"Plain Text Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
span.PlainTextChar
        {mso-style-name:"Plain Text Char";
        mso-style-priority:99;
        mso-style-link:"Plain Text";
        font-family:"Calibri","sans-serif";}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi James,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The current status of addressing your comments is:<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><s><span lang="EN-AU">1.</span></s><s><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span></s><s><span lang="EN-AU">[Abstract] The abstract is too long with too much background and the intro too short. Swap them over. The abstract would be better as 1 paragraph on what CIBA delivers, while the intro can explain the relationship of other OpenID
 Connect flows.<o:p></o:p></span></s></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><s><span lang="EN-AU">2.</span></s><s><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span></s><s><span lang="EN-AU">[intro] CIBA isn’t “an authentication flow of the [OIDC] Core 1.0 specification”. Perhaps describe it as an extension of OIDC.<o:p></o:p></span></s></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><s><span lang="EN-AU">3.</span></s><s><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span></s><s><span lang="EN-AU">[3.1] specifiy → specify<o:p></o:p></span></s></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><s><span lang="EN-AU">4.</span></s><s><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span></s><s><span lang="EN-AU">[3.1] Move the “registration at the OP” sentence from 3rd paragraph to the first, deleting the poorer duplicates in the 1st para.<o:p></o:p></span></s></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><s><span lang="EN-AU">5.</span></s><s><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span></s><s><span lang="EN-AU">[3.2] The bank example doesn’t have enough (any) context. How about: “A bank teller wants to authenticate a customer in a bank branch” — so it is using CIBA for auth in a face-to-face scenario.<o:p></o:p></span></s></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><s><span lang="EN-AU">6.</span></s><s><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span></s><s><span lang="EN-AU">[4.1] Don’t say a CIBA request is an OAuth 2.0 authz request, because it is different (it doesn’t redirect the user, and uses JSON not x-www-form-urlencoded). Say it uses some of the same parameters as an OAuth 2.0 (or OIDC)
 auth request.<o:p></o:p></span></s></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><s><span lang="EN-AU">7.</span></s><s><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span></s><s><span lang="EN-AU">[4.1] “scope” parameter: put the “openid” scope value in quotes.<o:p></o:p></span></s></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><s><span lang="EN-AU">8.</span></s><s><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span></s><s><span lang="EN-AU">[4.1] Add a blank line between HTTP headers and the body<o:p></o:p></span></s></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><s><span lang="EN-AU">9.</span></s><s><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span></s><s><span lang="EN-AU">[4.2] Fix grammar around “and is not expired”<o:p></o:p></span></s></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">10.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">  
</span><span lang="EN-AU">[4.3] Should the min polling interval be expressed in milliseconds, instead of seconds which is almost too coarse<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">11.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">  
</span><span lang="EN-AU">[5] Don’t start by saying “once the end-user is authenticated”. Need some words about that being done, eg "The OP authenticates the user identified by the client. How this occurs is up to the OP, and is out-of-scope of this specification.";
 might need to mention acr_values.<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">12.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">  
</span><span lang="EN-AU">[6.1] The example’s body syntax is wrong (strange mix of part JSON, part x-www-form-urlencoded)<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><s><span lang="EN-AU">13.</span></s><s><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">  
</span></s><s><span lang="EN-AU">[4.3, 6.2] Drop the Pragma headers. I don’t think the Cache-Control headers help either as POSTs are not cacheable by default anyway.<o:p></o:p></span></s></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><s><span lang="EN-AU">14.</span></s><s><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">  
</span></s><s><span lang="EN-AU">[7] Mention the risk to an OP of accepting arbitrary URIs for the client notification endpoint that it will later call. At least need to check it doesn’t point “inside” the OP’s network.<o:p></o:p></span></s></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><s><span lang="EN-AU">15.</span></s><s><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">  
</span></s><s><span lang="EN-AU">[6.3.2] OAuth 2.0 uses “access_token” (& “token_type”) to deliver a bearer token that the other party then uses. Might be better to use the same names, instead of using “client_req_id” to deliver a bearer token.<o:p></o:p></span></s></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><s><span lang="EN-AU">16.</span></s><s><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">  
</span></s><s><span lang="EN-AU">[heading] The spec is dated “Aug 18, 2016”; should update that with each commit.<o:p></o:p></span></s></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Kind regards<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Axel<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication-01.xml?at=default<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:JA">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:JA"> Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces@lists.openid.net]
<b>On Behalf Of </b>Manger, James<br>
<b>Sent:</b> Wednesday, November 30, 2016 7:42 AM<br>
<b>To:</b> openid-specs-mobile-profile@lists.openid.net<br>
<b>Subject:</b> [Openid-specs-mobile-profile] CIBA comments<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoPlainText"><span lang="EN-AU">Comment on OpenID Connect MODRNA Client initiated Backchannel Authentication Flow 1.0 <draft-mobile-client-initiated-backchannel-authentication-01>:<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-AU"><o:p> </o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">1.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span><span lang="EN-AU">[4.1] Client authentication to the CIBA endpoint is as per the token endpoint (eg with client creds), not as per an RS such as the UserInfo endpoint (eg with an access token). Good or Bad? I’m not certain.<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">2.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span><span lang="EN-AU">The spec doesn’t indicate how the CIBA endpoint can be discovered from OP metadata.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-AU"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-AU">Mainly editorial:<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">1.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span><span lang="EN-AU">[Abstract] The abstract is too long with too much background and the intro too short. Swap them over. The abstract would be better as 1 paragraph on what CIBA delivers, while the intro can explain the relationship of other OpenID Connect
 flows.<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">2.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span><span lang="EN-AU">[intro] CIBA isn’t “an authentication flow of the [OIDC] Core 1.0 specification”. Perhaps describe it as an extension of OIDC.<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">3.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span><span lang="EN-AU">[3.1] specifiy → specify<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">4.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span><span lang="EN-AU">[3.1] Move the “registration at the OP” sentence from 3<sup>rd</sup> paragraph to the first, deleting the poorer duplicates in the 1<sup>st</sup> para.<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">5.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span><span lang="EN-AU">[3.2] The bank example doesn’t have enough (any) context. How about: “A bank teller wants to authenticate a customer in a bank branch” — so it is using CIBA for auth in a face-to-face scenario.<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">6.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span><span lang="EN-AU">[4.1] Don’t say a CIBA request is an OAuth 2.0 authz request, because it is different (it doesn’t redirect the user, and uses JSON not x-www-form-urlencoded). Say it uses some of the same parameters as an OAuth 2.0 (or OIDC) auth request.<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">7.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span><span lang="EN-AU">[4.1] “scope” parameter: put the “openid” scope value in quotes.<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">8.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span><span lang="EN-AU">[4.1] Add a blank line between HTTP headers and the body<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">9.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">      
</span><span lang="EN-AU">[4.2] Fix grammar around “and is not expired”<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">10.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">  
</span><span lang="EN-AU">[4.3] Should the min polling interval be expressed in milliseconds, instead of seconds which is almost too coarse<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">11.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">  
</span><span lang="EN-AU">[5] Don’t start by saying “once the end-user is authenticated”. Need some words about that being done, eg "The OP authenticates the user identified by the client. How this occurs is up to the OP, and is out-of-scope of this specification.";
 might need to mention acr_values.<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">12.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">  
</span><span lang="EN-AU">[6.1] The example’s body syntax is wrong (strange mix of part JSON, part x-www-form-urlencoded)<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">13.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">  
</span><span lang="EN-AU">[4.3, 6.2] Drop the Pragma headers. I don’t think the Cache-Control headers help either as POSTs are not cacheable by default anyway.<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">14.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">  
</span><span lang="EN-AU">[7] Mention the risk to an OP of accepting arbitrary URIs for the client notification endpoint that it will later call. At least need to check it doesn’t point “inside” the OP’s network.<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">15.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">  
</span><span lang="EN-AU">[6.3.2] OAuth 2.0 uses “access_token” (& “token_type”) to deliver a bearer token that the other party then uses. Might be better to use the same names, instead of using “client_req_id” to deliver a bearer token.<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt"><span lang="EN-AU">16.</span><span lang="EN-AU" style="font-size:7.0pt;font-family:"Times New Roman","serif"">  
</span><span lang="EN-AU">[heading] The spec is dated “Aug 18, 2016”; should update that with each commit.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-AU"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-AU">--<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-AU">James Manger<o:p></o:p></span></p>
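<p class="MsoPlainText">As an added illustration of comment 14 above (example code, not from the CIBA draft or from either author), a check an OP could apply to a client's notification endpoint URI at registration and again before each callback: it allows only HTTPS, rejects userinfo, resolves the host through an injectable resolver, and refuses any loopback, private, link-local or otherwise non-global address. The HTTPS-only policy is an assumption, and the names and addresses in CONSTRUCTED_DNS are constructed sample values.</p>

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumed policy: the OP only calls back over TLS

# Constructed lookup table standing in for DNS so the example runs offline.
CONSTRUCTED_DNS = {
    "client.example.com": ["93.184.216.34"],
    "mixed.example.net": ["93.184.216.34", "10.0.0.5"],  # one public, one internal
    "localhost": ["127.0.0.1"],
}

def constructed_resolver(host: str) -> list[str]:
    return CONSTRUCTED_DNS.get(host, [])

def live_resolver(host: str) -> list[str]:
    """Every A/AAAA record for host from the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def _is_internal(addr: str) -> bool:
    """Loopback, private, link-local, multicast, unspecified: anything not global."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return (not ip.is_global) or ip.is_multicast

def validate_notification_endpoint(
    uri: str, resolve: Optional[Callable[[str], Iterable[str]]] = None
) -> tuple[bool, str]:
    """Return (accepted, reason). Repeat at callback time: the name may resolve differently."""
    resolve = resolve or live_resolver
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URI not allowed"
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal address: nothing to resolve
    except ValueError:  # a DNS name: every record it resolves to must be acceptable
        try:
            addrs = list(resolve(host))
        except socket.gaierror as exc:
            return False, f"cannot resolve {host!r}: {exc}"
    if not addrs:
        return False, f"no addresses for {host!r}"
    rejected = [a for a in addrs if _is_internal(a)]
    if rejected:
        return False, f"{host!r} resolves to internal address {rejected[0]}"
    return True, "ok"
```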
</div>
</body>
</html>