<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI Emoji";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
h1
{mso-style-priority:9;
mso-style-link:"Heading 1 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:24.0pt;
font-family:"Calibri",sans-serif;}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:18.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.Heading1Char
{mso-style-name:"Heading 1 Char";
mso-style-priority:9;
mso-style-link:"Heading 1";
font-family:"Calibri Light",sans-serif;
color:#2F5496;}
p.part, li.part, div.part
{mso-style-name:part;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Calibri Light",sans-serif;
color:#2F5496;}
span.footnote-ref
{mso-style-name:footnote-ref;}
p.footnote-item, li.footnote-item, div.footnote-item
{mso-style-name:footnote-item;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#002060;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:440533988;
mso-list-template-ids:-69185494;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:1539121493;
mso-list-template-ids:-1015223442;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#002060">Hey DW,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#002060">I really appreciate this thoughtful, constructive write-up and its contribution to the discussion! May I suggest that if you have a blog, or access to one (such as the Ping Identity blog), that you also post
it there, to make it an even more public contribution to the discourse on this important subject?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"> All the best,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"> -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#002060"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Openid-specs-ab <openid-specs-ab-bounces@lists.openid.net>
<b>On Behalf Of </b>David Waite via Openid-specs-ab<br>
<b>Sent:</b> Wednesday, May 12, 2021 1:46 PM<br>
<b>To:</b> Artifact Binding/Connect Working Group <openid-specs-ab@lists.openid.net><br>
<b>Cc:</b> David Waite <david@alkaline-solutions.com><br>
<b>Subject:</b> [Openid-specs-ab] A Case for SIOP and Trust Frameworks<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="mso-element:para-border-div;border:none;border-bottom:solid #EEEEEE 1.0pt;padding:0in 0in 4.0pt 0in">
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">(Document version at <a href="https://hackmd.io/Isk5XmtfRamNY-MRWdGYYA">https://hackmd.io/Isk5XmtfRamNY-MRWdGYYA</a>)<o:p></o:p></span></p>
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">OpenID Connect was designed to meet the needs of both social authentication providers and those who want to support Bring Your Own Identity, where the user may
host or delegate their authentication process. In addition, it describes Self-Issued OpenID Providers (SIOP) as a way to have an OP-in-your-pocket, a provider which is not web-hosted but instead a piece of software running locally on a personal device.<o:p></o:p></span></p>
</div>
<div id="popover490295">
<div style="border:solid windowtext 6.0pt;border-bottom:solid windowtext 1.0pt;padding:0in 0in 0in 0in;margin-left:-8.25pt;box-sizing: border-box;border-color:transparent;bottom: -11px">
<div style="mso-element:para-border-div;border:none;border-bottom:solid #EEEEEE 1.0pt;padding:0in 0in 4.0pt 0in;background:#777777">
<h1 style="margin-bottom:0in;background:#777777;border:none;padding:0in"><span style="font-size:10.5pt;font-family:"Helvetica",sans-serif;color:white;font-weight:normal"><o:p> </o:p></span></h1>
</div>
</div>
</div>
<div style="mso-element:para-border-div;border:none;border-bottom:solid #EEEEEE 1.0pt;padding:0in 0in 4.0pt 0in">
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">Recent efforts have been focused on expanding the usefulness of SIOP by extending it beyond local authentication and self-asserted attributes. Such efforts aim
to add the ability to provide claims about authentication and user attributes from third party issuers. This includes statements about external authentication systems (such as DID-backed authentication), aggregated JWT claims, and W3C verifiable presentations.<o:p></o:p></span></p>
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">However, a relying party is limited in their ability to rely on these features when they are optional extensions. This inability to rely on the presence and
presentation of features has both operational and user experience perspectives. The user also does not have guarantees that the software supporting SIOP is secure or acting in their best interest.<o:p></o:p></span></p>
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">Here, we make the case that Trust Frameworks are an important tool in fixing operational, experience, and trust-related issues, and that trust frameworks can
address these issues additively without compromising the original SIOP model.<o:p></o:p></span></p>
<h2 style="mso-margin-top-alt:.25in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box;caret-color: rgb(51, 51, 51)" id="Background">
<span style="font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">Background<o:p></o:p></span></h2>
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">With using a custom URL scheme for launching an authentication/credentials request, we have several limitations.<o:p></o:p></span></p>
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">In terms of user experience, platforms may not support controlling which installed application is launched, or even make guarantees the launched application
will be consistent. If there are no applications installed which can handle a URL scheme, the user may not get a meaningful error.<o:p></o:p></span></p>
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">The ability for arbitrary applications to register support for such a scheme also creates phishing and other abuse possibilities.<o:p></o:p></span></p>
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">App Links are an alternative where a website registers applications which may be launched for given HTTPS paths, and an App opts in to handling requests for
said website. This functionality is also called Web App Links on Windows, and Universal Links on iOS.<o:p></o:p></span></p>
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">App Links provide an ordered list of applications which can be launched instead of a web browser. The behavior of which of several applications is launched may
be configurable on the platform, but is consistent across platforms based on priority ordering. Since the list of potential applications is controlled by the website itself, registration of arbitrary handlers is restricted by the platform</span><span class="footnote-ref"><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt"><a href="https://hackmd.io/Isk5XmtfRamNY-MRWdGYYA#fn1"><span style="color:#337AB7;text-decoration:none">[1]</span></a></span></span><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">.<o:p></o:p></span></p>
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">Finally, the ability to invoke via a HTTPS URL means that a sensible web-based fallback can be established. This could be used to inform the user about such
things as: what is being attempted, to give the option to install a native application, or present one of several web-based alternatives.<o:p></o:p></span></p>
<h2 style="mso-margin-top-alt:.25in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box;caret-color: rgb(51, 51, 51)" id="Trust-Frameworks">
<span style="font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">Trust Frameworks<o:p></o:p></span></h2>
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">The adaption of common metadata and content for multiple independent entities posits the creation of a trust framework for that group of entities. An issuer,
holder, or verifier could participate across several trust frameworks for different requests. The trust framework can itself specify the technical and interoperability requirements. It can also dictate policy such as the consent process necessary for a holder
to release information on a subject, and have restrictions on a verifier sharing said information with other parties.<o:p></o:p></span></p>
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">The ability to specify such policies as metadata pushes dynamic negotiations of capabilities to static policy sets. In this way, the technical stack necessary
for interoperability within a given trust framework can be substantially reduced.<o:p></o:p></span></p>
<h2 style="mso-margin-top-alt:.25in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box;caret-color: rgb(51, 51, 51)" id="The-Evolution-of-SIOP">
<span style="font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">The Evolution of SIOP<o:p></o:p></span></h2>
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">The current Self-issued OpenID Provider functionality is limited in several regards:<o:p></o:p></span></p>
</div>
<div style="mso-element:para-border-div;border:none;border-bottom:solid #EEEEEE 1.0pt;padding:0in 0in 4.0pt 0in;margin-left:.25in;margin-right:0in">
<h1 style="margin-left:.25in;text-indent:-.25in;mso-list:l0 level1 lfo1;border:none;padding:0in">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#333333;letter-spacing:.25pt;font-weight:normal"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt;font-weight:normal">SIOP has a limited set of required features and open participation, as well as no established interoperability
or evolution process<o:p></o:p></span></h1>
<h1 style="margin-left:.25in;text-indent:-.25in;mso-list:l0 level1 lfo1;border:none;padding:0in">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#333333;letter-spacing:.25pt;font-weight:normal"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt;font-weight:normal">Existing SIOP code may not have newer functionality which entities may require, such as portable identifiers
or support for presentations<o:p></o:p></span></h1>
<h1 style="margin-left:.25in;text-indent:-.25in;mso-list:l0 level1 lfo1;border:none;padding:0in">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:#333333;letter-spacing:.25pt;font-weight:normal"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt;font-weight:normal">Even in environments where the user is given a choice of SIOP apps, that choice is not filtered based on the
request and the user may be left with a list where some or all of the options will always fail<o:p></o:p></span></h1>
</div>
<div style="mso-element:para-border-div;border:none;border-bottom:solid #EEEEEE 1.0pt;padding:0in 0in 4.0pt 0in">
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">This instead proposes that several of the features in SIOP can be broken out and made more generally available so that different trust frameworks can define
their own alternatives. Part of this would be allowing these ‘provider collectives’ to use univeral links as an additional alternative to the custom URL scheme and to implement the alternative behaviors and policies described above.<o:p></o:p></span></p>
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">Such collectives would be able specify technical (such as supported credential formats) and non-technical (such as privacy/consent) requirements. They can limit
participation to only members which support the protocols and formats desired, which not only provides a more consistent and successful experience for the user but also allows some dynamic negotiation steps to be skipped entirely. They can define how to best
deal with cases where there is no native application installed or multiple native applications installed.<o:p></o:p></span></p>
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">Under such a proposal, SIOP changes from being the umbrella name for a set of technologies to being one definition of an existing open collective with very few
limitations.<o:p></o:p></span></p>
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">As universal links require both the the trust framework and the individual app to indicate trust</span><span class="footnote-ref"><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt"><a href="https://hackmd.io/Isk5XmtfRamNY-MRWdGYYA#fn1"><span style="color:#337AB7;text-decoration:none">[1:1]</span></a></span></span><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">,
it is appropriate for a ‘closed’ or ‘permission-based’ trust framework. The governance model controls certification and provides a technical means of providing evidence of certification. Such a certification process can also validate non-technical criteria,
such as the process of prompting for and capturing user consent.<o:p></o:p></span></p>
<p class="part" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;border:none;padding:0in;box-sizing: border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">Likewise, use of a custom URL scheme is typically only controlled by the platform and not delegated to a decision by an external trust framework. This may still
be appropriate for an ‘open’ or ‘public’ trust framework like the traditional SIOP system, where entities are expected to self-certify conformance.<o:p></o:p></span></p>
</div>
<div style="mso-element:para-border-div;border:none;border-bottom:solid #EEEEEE 1.0pt;padding:0in 0in 4.0pt 0in">
<h1 align="center" style="mso-margin-top-alt:.25in;margin-right:0in;margin-bottom:.25in;margin-left:0in;text-align:center;border:none;padding:0in">
<span style="font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt">
<hr size="4" width="100%" align="center">
</span></h1>
</div>
<div style="mso-element:para-border-div;border:none;border-bottom:solid #EEEEEE 1.0pt;padding:0in 0in 4.0pt 0in;margin-left:.25in;margin-right:0in">
<ol style="margin-top:0in;box-sizing: border-box" start="1" type="1">
<li class="footnote-item" style="color:#333333;margin-top:12.0pt;margin-bottom:12.0pt;margin-left:-.25in;mso-list:l1 level1 lfo2;border:none;padding:0in;box-sizing: border-box" id="fn1">
<b><span style="font-size:24.0pt;font-family:"Segoe UI",sans-serif;letter-spacing:.25pt">Android allows other apps to publish their ability to handle a web domain regardless of of an app link being declared on the website, but this functionality is being limited
such that launching the app can only be done via user action or user settings configuration. A trust framework might additionally indicate certification via a cryptographic process (trust chain, trust mark, or acceptable list of externally generated attestations)
to distinguish entities within a closed trust framework <a href="https://hackmd.io/Isk5XmtfRamNY-MRWdGYYA#fnref1"><span style="font-family:"Segoe UI Emoji",sans-serif;color:#337AB7;text-decoration:none">↩</span><span style="color:#337AB7;text-decoration:none">︎</span></a> <a href="https://hackmd.io/Isk5XmtfRamNY-MRWdGYYA#fnref1:1"><span style="font-family:"Segoe UI Emoji",sans-serif;color:#337AB7;text-decoration:none">↩</span><span style="color:#337AB7;text-decoration:none">︎</span></a><o:p></o:p></span></b></li></ol>
</div>
<div>
<div style="mso-element:para-border-div;border:none;border-bottom:solid #EEEEEE 1.0pt;padding:0in 0in 4.0pt 0in">
<h1 style="margin:0in;border:none;padding:0in"><span style="font-family:"Segoe UI",sans-serif;color:#333333;letter-spacing:.25pt"><o:p> </o:p></span></h1>
</div>
</div>
</div>
</body>
</html>