<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mv="http://macVmlSchemaUri" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Arial;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Courier New";
panose-1:2 7 3 9 2 2 5 2 4 4;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Apple Color Emoji";
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:Calibri;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:Calibri;
mso-fareast-language:EN-US;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:Calibri;}
p.emailquote, li.emailquote, div.emailquote
{mso-style-name:emailquote;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:1.0pt;
font-size:11.0pt;
font-family:Calibri;}
span.EmailStyle20
{mso-style-type:personal;
font-family:Calibri;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal;
font-family:Arial;
color:black;
font-weight:normal;
font-style:normal;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Courier;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:Calibri;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:699009858;
mso-list-type:hybrid;
mso-list-template-ids:-91452576 -782705608 67895299 67895301 67895297 67895299 67895301 67895297 67895299 67895301;}
@list l0:level1
{mso-level-start-at:3;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Arial;
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style>
</head>
<body bgcolor="white" lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hi Nicolas,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">First of all, thank you for your feedback.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">I understand your view, I personally don't like to use an anti-spam code in CIBA, however it is only a proposal that try to fullfil the requirements of this opened issue, and if the WG don't agree
we can decide not include the anti-spam code :). However I have to say that in spite of the fact that I agree that a secret among more than 2 people is not a secret, what is proposed to be included in the CIBA spec in a way to carry-out the anti-spam code
in the protocol and the way that it is shared is out of the scope of this spec.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">The OpenID providers can offer a secure way to share the anti-spam code with the Service Providers asking the user for consent (of course). I personally don't see the utility of it, I only can think
about it as a way where a user could have potentially more control on what he wants to allow to Service Providers, that is, those who has the anti-spam code could interact with the user using the CIBA flow, otherwise they must use the Device flow.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Honestly I don't think these use cases makes sense, we don't have these kind of use cases reported by Petteri and we really think that a Service Provider shouldn't have any interest in doing spam
and others couldn't do it because CIBA authentication request uses an authenticated endpoint and only Service Providers can use it, but it was the only way I thought it could be supported by the protocol.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">P.D: agree that “spam-code” can be confusing
</span><span style="font-family:"Apple Color Emoji";mso-fareast-language:EN-US">☺</span><span style="mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Best,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Gonza.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="color:black">From: </span></b><span style="color:black">"nicolas.aillery@orange.com" <nicolas.aillery@orange.com><br>
<b>Date: </b>Friday, 9 March 2018 at 10:30<br>
<b>To: </b>GONZALO FERNANDEZ RODRIGUEZ <gonzalo.fernandezrodriguez@telefonica.com><br>
<b>Cc: </b>PABLO GUIJARRO ENRIQUEZ <pablo.guijarroenriquez@telefonica.com>, "openid-specs-mobile-profile@lists.openid.net" <openid-specs-mobile-profile@lists.openid.net><br>
<b>Subject: </b>RE: CIBA Issues Review: Feedback for #62</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Times New Roman""><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Arial;color:black">Hello Gonzalo,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Arial;color:black"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:Arial;color:black"> Here are two remarks about your proposal :</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="font-family:Arial"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US" style="font-size:10.0pt;font-family:Arial;color:black">I think using the wording ‘spam-code’ to describe an *anti*spam code will introduce some confusion.</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="font-family:Arial"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US" style="font-size:10.0pt;font-family:Arial;color:black">I’m not sure it’s a good idea to expose the antispam code on CIBA. This code is similar to a user password, so it should be a secret between a user and
his MNO. It was created to protect the user in a situation where anybody was able to enter any MSISDN on a public form (e.g. the GSMA discovery page before an OpenId Connect interaction). In CIBA, it’s the SP that will call CIBA, so using an antispam code
implies that the secret is also shared amongst all SP (is this still a secret?). On another hand, is there still a spam risk in CIBA? Yes, if SP allow any user to enter any MSISDN, but in this situation the SP should use the classic OpenId Connect flow (because
the user is already using the SP to be able to enter a MSISDN). No, if the SP uses CIBA as a second factor. My proposal is that CIBA does not implement antispam code, and that MNO does not check the antispam code when CIBA is used.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:Arial;color:black"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:Arial;color:black"> What is your point of view about this proposal?
</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:Arial;color:black"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:Arial;color:black">Best regards,</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:Arial;color:black">Nicolas</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:Arial;color:black"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:Tahoma">De :</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:Tahoma"> Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces@lists.openid.net]
<b>De la </b></span><b><span style="font-size:10.0pt;font-family:Tahoma">part de</span></b><span style="font-size:10.0pt;font-family:Tahoma"> GONZALO FERNANDEZ RODRIGUEZ<br>
<b>Envoyé :</b> vendredi 2 mars 2018 14:40<br>
<b>À :</b> openid-specs-mobile-profile@lists.openid.net<br>
<b>Cc :</b> PABLO GUIJARRO ENRIQUEZ<br>
<b>Objet :</b> [Openid-specs-mobile-profile] CIBA Issues Review: Feedback for #62</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="EN-US">Hi all,</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="EN-US">I continue asking you for feedback about another CIBA issue, in that cases is the #62
</span><a href="https://bitbucket.org/openid/mobile/issues/62/ciba-support-for-spam-prevention-code-in"><span lang="EN-US">https://bitbucket.org/openid/mobile/issues/62/ciba-support-for-spam-prevention-code-in</span></a><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="EN-US">The spam-code belongs to the end-user, so it should be configured by the end-user in the OpenID Provider.</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="EN-US">The CIBA flow doesn't have an interactive session with the end-user, but is the user who is contacted directly in his authentication device, what means that the end-user won't have the possibility
to introduce the spam-code in his authentication, so, it only could be done by the Client.</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="EN-US">We think that it would be possible to add support for that in CIBA as follow:</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="EN-US">1. A new OPTIONAL field "spam-code" in the CIBA authentication request.</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="EN-US">2. An specific error in case of the end-user had the anti-spam activatedin the OIDC and the Service Provider didn't include it in the authentication request.</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="EN-US">It is worth it to highlight that this would be an optional feature implemented by the OIDC's and it should be "out of the scope" of CIBA to define how the end-user would share the spam-code with
the Service Provider and how the end-user would configure the spam-code in the OIDC.</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="EN-US">I would like to know again your point of view on that in order to resolve this issue.</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="ES">Best,</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-top:6.0pt"><span lang="ES">Gonza.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="ES"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="ES" style="font-size:12.0pt;font-family:"Times New Roman""> </span><o:p></o:p></p>
<div class="MsoNormal" align="center" style="text-align:center"><span lang="ES" style="font-size:12.0pt;font-family:"Times New Roman"">
<hr size="2" width="100%" align="center">
</span></div>
<p class="MsoNormal"><span lang="ES" style="font-size:7.5pt;font-family:Arial;color:gray"><br>
Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la
lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.<br>
<br>
The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.<br>
<br>
Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a
leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição</span><o:p></o:p></p>
<pre>_________________________________________________________________________________________________________________________<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc<o:p></o:p></pre>
<pre>pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler<o:p></o:p></pre>
<pre>a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,<o:p></o:p></pre>
<pre>Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>This message and its attachments may contain confidential or privileged information that may be protected by law;<o:p></o:p></pre>
<pre>they should not be distributed, used or copied without authorisation.<o:p></o:p></pre>
<pre>If you have received this email in error, please notify the sender and delete this message and its attachments.<o:p></o:p></pre>
<pre>As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.<o:p></o:p></pre>
<pre>Thank you.<o:p></o:p></pre>
</div>
<br>
<hr>
<font face="Arial" color="Gray" size="1"><br>
Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la
lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.<br>
<br>
The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.<br>
<br>
Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a
leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição<br>
</font>
</body>
</html>