<div dir="ltr"><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif">Hi Axel,</div><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif"><br></div><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif">I don't think the authentication result object needs to be signed as it is the response to a request by the RP that will be authenticated. </div><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif">The closest we have to this in the FAPI spec is the success response when registering a request object:</div><div class="gmail_default"><font face="trebuchet ms, sans-serif"><a href="https://bitbucket.org/openid/fapi/src/53d8de443d6727ea547fef173ee532858c183e14/Financial_API_WD_002.md?at=master&fileviewer=file-view-default#markdown-header-73-successful-response" target="_blank">https://bitbucket.org/openid/f<wbr>api/src/53d8de443d6727ea547fef<wbr>173ee532858c183e14/Financial_A<wbr>PI_WD_002.md?at=master&filevie<wbr>wer=file-view-default#markdown<wbr>-header-73-successful-response</a></font><br></div><div class="gmail_default">This response is not signed.</div><div class="gmail_default"><font face="trebuchet ms, sans-serif"><br></font></div><div class="gmail_default"><span style="font-family:"trebuchet ms",sans-serif">I do think the token notification object needs to be signed as this request is made by the OP to the RP and the endpoint is currently only protected by a bearer token. In response to your other email, the signed token notification object could be the recommended authentication method.</span></div><div class="gmail_default"><span style="font-family:"trebuchet ms",sans-serif"><br></span></div><div class="gmail_default"><span style="font-family:"trebuchet ms",sans-serif">Also, we discussed on the last FAPI call starting a FAPI profile of the CIBA spec. 
I've started work on this and hope to share it shortly.</span></div><div class="gmail_default"><span style="font-family:"trebuchet ms",sans-serif"><br></span></div><div class="gmail_default"><font face="trebuchet ms, sans-serif">Thanks</font></div><div class="gmail_default"><font face="trebuchet ms, sans-serif"><br></font></div><div class="gmail_default"><font face="trebuchet ms, sans-serif">Dave</font></div><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif"><br></div><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif"><br></div><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif"><br></div><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On 14 June 2017 at 17:42, <span dir="ltr"><<a href="mailto:Axel.Nennker@telekom.de" target="_blank">Axel.Nennker@telekom.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="DE" link="#0563C1" vlink="#954F72">
<div class="m_8631456266214544493m_-5728843775849736252m_7510793004832261789m_8736024720724084235WordSection1">
<p class="MsoNormal">Hi,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><span lang="EN-US">some of you looked at the MODRNA Backchannel specification and I would like to get your opinion on whether the backchannel result object should be signed by the OP.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">The issue in the MODRNA repository is: <a href="https://bitbucket.org/openid/mobile/issues/55/ciba-signed-result-objects" target="_blank">https://bitbucket.org/openid/m<wbr>obile/issues/55/ciba-signed-re<wbr>sult-objects</a><u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Kind regards<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Axel<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p><span lang="EN-US">Should we - at least - recommend that the OP signs the authentication result object? Here:
</span><a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#successful_authentication_request_acknowdlegment" target="_blank"><span lang="EN-US">https://xml2rfc.tools.ietf.org<wbr>/cgi-bin/xml2rfc.cgi?Submit=Su<wbr>bmit&format=ascii&mode=html&ty<wbr>pe=ascii&url=https://bitbucket<wbr>.org/openid/mobile/raw/tip/dra<wbr>ft-mobile-client-initiated-bac<wbr>kchannel-authentication.xml?<wbr>at=default#successful_authenti<wbr>cation_request_acknowdlegment</span></a><span lang="EN-US"><u></u><u></u></span></p>
<p><span lang="EN-US">and here: </span><a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#issuing_successful_token" target="_blank"><span lang="EN-US">https://xml2rfc.tools.ietf.org<wbr>/cgi-bin/xml2rfc.cgi?Submit=Su<wbr>bmit&format=ascii&mode=html&ty<wbr>pe=ascii&url=https://bitbucket<wbr>.org/openid/mobile/raw/tip/dra<wbr>ft-mobile-client-initiated-bac<wbr>kchannel-authentication.xml?<wbr>at=default#issuing_successful_<wbr>token</span></a><span lang="EN-US"><u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><b><span style="font-size:8.0pt;font-family:"Arial",sans-serif">DEUTSCHE TELEKOM AG</span></b><span style="font-size:8.0pt;font-family:"Arial",sans-serif"><br>
T-Labs (Research & Innovation)<br>
Axel Nennker<br>
Winterfeldtstr. 21, 10781 Berlin<br>
+491702275312 (Tel.)<u></u><u></u></span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:8.0pt;font-family:"Arial",sans-serif">E-Mail: <a href="mailto:axel.nennker@telekom.de" target="_blank">axel.nennker@telekom.de</a><u></u><u></u></span></p>
</div>
</div>
<br>______________________________<wbr>_________________<br>
Openid-specs-mobile-profile mailing list<br>
<a href="mailto:Openid-specs-mobile-profile@lists.openid.net" target="_blank">Openid-specs-mobile-profile@li<wbr>sts.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile" rel="noreferrer" target="_blank">http://lists.openid.net/mailma<wbr>n/listinfo/openid-specs-mobile<wbr>-profile</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_8631456266214544493m_-5728843775849736252m_7510793004832261789gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Dave Tonge<br>CTO, Moneyhub Enterprise<br>10 Temple Back, Bristol, BS1 6FL<br>t: +44 (0)117 280 5120</div></div>
</div></div>
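<p>As an added example (not code from the thread, the CIBA draft or the FAPI spec), here is how an RP's notification endpoint could authenticate the OP by verifying a signed token notification object in addition to the bearer token that currently protects the endpoint. The claim names, the <code>PENDING</code> table, the <code>handle_notification</code> helper and the use of HS256 with a shared secret as a stand-in for the OP's real signing key are all assumptions.</p>

```python
# Added example, not from the thread or the CIBA/FAPI drafts. Claim names are
# hypothetical; HS256 with a shared secret stands in for the OP's asymmetric key.
import base64, hashlib, hmac, json

OP_ISSUER = "https://op.example"   # constructed
RP_CLIENT_ID = "rp-client"         # constructed
# Constructed RP state: the bearer token the RP gave the OP for each auth request.
PENDING = {"auth-req-1": {"bearer": "ntok-abc"}}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_notification(claims: dict, key: bytes) -> str:
    """OP side: build a compact JWS over the notification claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_notification(jws: str, key: bytes, now: int) -> dict:
    """RP side: pin the algorithm, check the signature, then iss/aud/exp."""
    header, payload, sig = jws.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # rejects alg=none downgrades
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != OP_ISSUER or claims.get("aud") != RP_CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def handle_notification(authorization: str, body: str, key: bytes, now: int) -> str:
    """Accept the notification only if both checks pass; return its auth_req_id."""
    if not authorization.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    claims = verify_notification(body, key, now)    # proves the sender is the OP
    entry = PENDING.get(claims.get("auth_req_id"))
    if entry is None or not hmac.compare_digest(entry["bearer"], authorization[7:]):
        raise PermissionError("bearer token does not match this auth_req_id")
    return claims["auth_req_id"]
```

With the bearer token alone, anyone who learns that token could post a notification; the signature check ties the message to the OP's key and to this RP and request.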