<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40" xmlns:ns0="#unknown" xmlns:ns1="">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="en-DE" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<pre><span lang="EN-US" style="font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Hi,<o:p></o:p></span></pre>
<pre><span lang="EN-US" style="font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></pre>
<pre><span lang="EN-US" style="font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></pre>
<pre><span lang="EN-US" style="font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Not sure this came up, but the flow outlined below sounds a lot like an OAuth </span><span style="font-family:"Calibri",sans-serif;color:black">2.0 Device Authorization Grant</span><span style="font-family:"Calibri",sans-serif;color:black"> </span><span lang="EN-US" style="font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">- <a href="https://datatracker.ietf.org/doc/html/rfc8628">https://datatracker.ietf.org/doc/html/rfc8628</a>.<o:p></o:p></span></pre>
<pre><span lang="EN-US" style="font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></pre>
<pre><span lang="EN-US" style="font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">It's mainly meant for limited input devices (SmartTVs for example). AppleTV and Disney+ are making use of it I think. <o:p></o:p></span></pre>
<pre><span lang="EN-US" style="font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></pre>
<pre><span lang="EN-US" style="font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">DHS use case would need extensions of course.<o:p></o:p></span></pre>
<pre><span lang="EN-US" style="font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></pre>
<pre><span lang="EN-US" style="font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Best<o:p></o:p></span></pre>
<pre><span lang="EN-US" style="font-family:"Calibri",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></pre>
<pre><span lang="EN-US" style="font-family:"Calibri",sans-serif;mso-fareast-language:EN-US">Achim  <o:p></o:p></span></pre>
<p class="MsoNormal"><span lang="EN-US" style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Openid-specs-ab <openid-specs-ab-bounces@lists.openid.net> on behalf of Torsten Lodderstedt via Openid-specs-ab <openid-specs-ab@lists.openid.net><br>
<b>Date: </b>Tuesday, 13. July 2021 at 10:21<br>
<b>To: </b>John Bradley <ve7jtb@ve7jtb.com><br>
<b>Cc: </b>Torsten Lodderstedt <torsten@lodderstedt.net>, Artifact Binding/Connect Working Group <openid-specs-ab@lists.openid.net><br>
<b>Subject: </b>Re: [Openid-specs-ab] DHS mDL RFI response from OpenID Foundation<o:p></o:p></span></p>
</div>
<p class="MsoNormal">Hi John, <o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On 13.07.2021 at 01:28, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">There may be limited cases where the device presenting a QR code is trusted, but any general system using a QR code presented in the browser or CIBA opens a huge phishing
 opportunity.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">The attacker only needs to reverse proxy the QR code and will wind up capturing the session once the user authenticates in the back channel.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">I would not recommend this as a general cross device solution. <o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If neither QR code(ed) SIOP nor CIBA work, do you have any idea how to implement cross device scenarios? <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I personally think cross-device is always more vulnerable to phishing than on-device flows due to the lack of binding to a user agent. Open Banking in Europe (PSD2) tries to cope with it using dynamic binding (transaction values are conveyed
 into the authentication process and bound to the token used for the API request). Mapping this to identity means giving as much information as possible to the user about the transaction (origin, claims, …). <span class="apple-tab-span">
</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">best regards,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Torsten. <o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">John B.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">------ Original Message ------<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">From: "Torsten Lodderstedt via Openid-specs-ab" <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">To: "Kristina Yasuda" <<a href="mailto:kristina.yasuda@microsoft.com">kristina.yasuda@microsoft.com</a>><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Cc: "Torsten Lodderstedt" <<a href="mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a>>; "<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>"
 <<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Sent: 6/30/2021 4:06:28 PM<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Subject: Re: [Openid-specs-ab] DHS mDL RFI response from OpenID Foundation<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
</div>
<div id="x33402571a3e44f2">
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 8.0pt;margin-left:3.75pt;margin-top:2.25pt;margin-right:0cm;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Hi Kristina,<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif"><br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">On 29.06.2021 at 18:48, Kristina Yasuda <<a href="mailto:kristina.yasuda@microsoft.com">kristina.yasuda@microsoft.com</a>> wrote:<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white">Hi Torsten, </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white"><br>
> Can you please elaborate? SIOP as it stands today is tied to the response type<span class="apple-converted-space"> </span></span><span lang="EN-GB" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white">„</span><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white">id_token</span><span lang="EN-GB" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white">“</span><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white">,
 i.e. the RP sends the user agent to the SIOP on the same device. Transaction integrity is ensured by binding the nonce in the request to a cookie in this user agent. How do you envision to cross the boundary between devices and what are the consequences on
 the security of the flow? Can you share a sequence diagram?</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white"><br>
The cross device flow could look like this:</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white">1/ The user browses to the RP website</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white">2/ The RP displays a QR code with request_uri
 in the user browser on device A</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white">(deeplink will be used in same-device
 flow)</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white">3/ The user uses device B (Mobile Wallet)
 to scan the QR code, dereference it and fetch SIOP request object from the request_uri</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white">(processes like DID resolution can
 occur in-between)</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white">4/ Mobile wallet sends ID Token (with
 embedded VP when VP is returned) in HTTP POST request to the RP</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:12.0pt;color:black"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white">Sequence diagram of the implementation
 can be found here (note that some element of the flow might have changed from Dec. 2020):</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white"><a href="https://www.google.com/url?q=https://www.google.com/url?q%3Dhttps://us02web.zoom.us/rec/play/BRBDWWUtB9HsmE88cJQwC9OH4k-QM9cdg8UYJXm6wwj-Yt54f7QMPPFqmQn-vtGAVNJgV9fGBeGN3eZR.QYMKFKYkJzdmdyaG%26source%3Dgmail-imap%26ust%3D1625590112000000%26usg%3DAOvVaw1_bCqMWMvMUEJk1Ap7exgk&source=gmail-imap&ust=1626737315000000&usg=AOvVaw3EeBqlJ9qqINxUWXbniO-i">https://us02web.zoom.us/rec/play/BRBDWWUtB9HsmE88cJQwC9OH4k-QM9cdg8UYJXm6wwj-Yt54f7QMPPFqmQn-vtGAVNJgV9fGBeGN3eZR.QYMKFKYkJzdmdyaG</a><br>
It is a presentation at DIF Interoperability WG.</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">That’s an interesting flow, but not a standard SIOP flow for the following reasons: <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">- the RP needs to distinguish on device and split device flow. A standard OIDC RP should just send the request (with or w/o request object) to the SIOP on the same device
 via redirect. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">- will most likely be received by the backend of the RP, whereas in the post response mode, the OP is supposed to send the response to the RP through the front channel. Why
 is this important? Well, it allows the RP to (directly or indirectly) pick up the nonce from a Cookie and compare that to the nonce in the ID Token. This would ensure transaction integrity and prevents replay attacks, which is impossible in this flow simply
 because the RP does not have access to any data on the originating device.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Question: is the user supposed to scan a QR code shown on the device of the police officer when presenting her mDL? <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white">> I think the SIOP should expose a
 CIBA style interface to allow direct engagement from the verifier with the reader. The device engagement data could be used to share the endpoint location and so on.</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white">Interesting. Do you mean holder sending
 a request directly to the reader's Backchannel Authentication Endpoint? I am not very familiar with CIBA flows but we should probably explore more (cc: Tony)</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">yes. That’s what I mean. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">best regards,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Torsten. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif"><br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif;color:black"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white">Thank you,</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white;vertical-align:baseline"><span lang="EN-US" style="font-size:10.5pt;font-family:"Yu Gothic UI",sans-serif;color:black;border:none windowtext 1.0pt;padding:0cm;background:white">Kristina</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Arial",sans-serif;color:#4472C4"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<div>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span class="apple-converted-space"><span lang="EN-US"> </span></span><span lang="EN-US">Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a>><span class="apple-converted-space"> </span><br>
<b>Sent:</b><span class="apple-converted-space"> </span>Saturday, June 26, 2021 1:35 AM<br>
<b>To:</b><span class="apple-converted-space"> </span>Kristina Yasuda <<a href="mailto:Kristina.Yasuda@microsoft.com">Kristina.Yasuda@microsoft.com</a>><br>
<b>Cc:</b><span class="apple-converted-space"> </span><a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b><span class="apple-converted-space"> </span>Re: [Openid-specs-ab] DHS mDL RFI response from OpenID Foundation</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">Hi Kristina,</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p> </o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">On 26.06.2021 at 04:32, Kristina Yasuda <<a href="mailto:Kristina.Yasuda@microsoft.com">Kristina.Yasuda@microsoft.com</a>> wrote:</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</blockquote>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"Tahoma",sans-serif"></span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt">Thank you for the feedback, Torsten. Please find comments in-line below.</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt">@Everyone, I am attaching the current version of the response. Kind reminder that we set the new deadline for comments to be<span class="apple-converted-space"> </span><b>June 30th</b>.</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#201F1E">- the example on p7 uses „verified_claims“ syntax, so it might be worthwhile mentioning OpenID Connect 4 Identity Assurance in the document</span><span style="font-size:9.0pt;font-family:Helvetica"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#201F1E">-> I added the following text after the example on p7. Let me know if you want it changed. </span><span style="font-size:9.0pt;font-family:Helvetica"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#201F1E">"The “verified_claims” container element used in the example above is taken from OpenID Connect for Identity Assurance 1.0 specification (ekyc-ida) in OpenID Foundation.
 The usage of “verified_claims” container element allows to include information how the identity of a natural person has been verified in compliance with a certain law."</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#201F1E">Note that the Annex part has been submitted to the ISO mDL WG prior to this DHS response document, and this change will be proposed in the ISO document in the next revision
 cycle.</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#201F1E"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#201F1E">- section 7.1.3.4.4: how is the request sent from the reader to the SIOP? I’m asking since I thought those parties would live on different devices</span><span style="font-size:9.0pt;font-family:Helvetica"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#201F1E">->"Over the Internet", to borrow the terminology used in ISO. RP does not have to be on the same device as SIOP.</span><span style="font-size:9.0pt;font-family:Helvetica"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">Can you please elaborate? SIOP as it stands today is tied to the response type
</span><span lang="EN-GB" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">„</span><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">id_token</span><span lang="EN-GB" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">“</span><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">,
 i.e. the RP sends the user agent to the SIOP on the same device. Transaction integrity is ensured by binding the nonce in the request to a cookie in this user agent. How do you envision to cross the boundary between devices and what are the consequences on
 the security of the flow? Can you share a sequence diagram?</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p> </o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#201F1E">The question made me think that mDL specification does have a specific "device engagement" step during which registration/discovery information is passed in CBOR over NFC
 or QR code, so maybe we can leverage that for SIOP discovery/registration - need to think more.</span><span style="font-size:9.0pt;font-family:Helvetica"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">I think the SIOP should expose a CIBA style interface to allow direct engagement from the verifier with the reader. The device engagement data could be used
 to share the endpoint location and so on.</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p> </o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#201F1E"> </span><span style="font-size:9.0pt;font-family:Helvetica"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#201F1E">- Generally: would it be possible to share more context with the WG? It seems like a lot of knowledge about ISO/IEC 18013-5 is required to understand the proposal</span><span style="font-size:9.0pt;font-family:Helvetica"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#201F1E">-> Currently, OIDC in mDL is used for the verifier to talk to the Issuing authority to retrieve mDL data using the access token received from the user. This direct path to
 the Issuing Authority has raised concerns from verifiers and resulted in the need for "over the internet" solution directly between user and the verifier, so the SIOP was proposed. </span><span style="font-size:9.0pt;font-family:Helvetica"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#201F1E"> </span><span style="font-size:9.0pt;font-family:Helvetica"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#201F1E">- typo on p2 2nd paragraph: "OpenII Connect“ -> OpenID Connect </span><span style="font-size:9.0pt;font-family:Helvetica"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span lang="EN-US" style="color:#201F1E">-> corrected.</span><span style="font-size:9.0pt;font-family:Helvetica"><o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><br>
best regards,</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">Torsten.</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt">Best,</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt">Kristina</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div class="MsoNormal" align="center" style="text-align:center"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">
<hr size="0" width="81%" align="center">
</span></div>
<div id="divRplyFwdMsg">
<div>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span class="apple-converted-space"><span lang="EN-US"> </span></span><span lang="EN-US">Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a>><br>
</span><b><span lang="EN-US">Sent:</span></b><span class="apple-converted-space"><span lang="EN-US"> </span></span><span lang="EN-US">June 14, 2021 1:43<br>
</span><b><span lang="EN-US">To:</span></b><span class="apple-converted-space"><span lang="EN-US"> </span></span><span lang="EN-US">Artifact Binding/Connect Working Group <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>><br>
<b>CC:</b><span class="apple-converted-space"> </span>Kristina Yasuda <<a href="mailto:Kristina.Yasuda@microsoft.com">Kristina.Yasuda@microsoft.com</a>><br>
</span><b><span lang="EN-US">Subject:</span></b><span class="apple-converted-space"><span lang="EN-US"> </span></span><span lang="EN-US">Re: [Openid-specs-ab] DHS mDL RFI response from
 OpenID Foundation</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">Hi, <span class="apple-converted-space"> </span></span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">thanks for sharing the draft response. </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">Here are my comments:</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">- the example on p7 uses
</span><span lang="EN-GB" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">„</span><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">verified_claims</span><span lang="EN-GB" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">“</span><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">
 syntax, so it might be worthwhile mentioning OpenID Connect 4 Identity Assurance in the document</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">- section 7.1.3.4.4: how is the request sent from the reader to the SIOP? I</span><span lang="EN-GB" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">’</span><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">m
 asking since I thought those parties would live on different devices</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">- Generally: would it be possible to share more context with the WG? It seems like a lot of knowledge about ISO/IEC 18013-5 is required to understand the proposal</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">- typo on p2 2nd paragraph: "OpenII Connect</span><span lang="EN-GB" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">“</span><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">
 -> OpenID Connect </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">best regards,</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">Torsten. </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p> </o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif">On 14.06.2021 at 09:32, Kristina Yasuda via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt">Dear All,</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt">As discussed during the last Connect WG call, circulating the draft response from OpenID Foundation to<span class="xapple-converted-space"> </span><span style="color:black;background:white">DHS
 RFI on mDL (mobile Driving License)</span>.</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt">We wrote it with Tony and Tom Jones, and it has been reviewed by Gail, Mike and Nat.</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt">If you have any comments please send them<span class="xapple-converted-space"> </span><b><u>by June 16th</u></b><span class="xapple-converted-space"> </span>to the ML, so that we have time to
 reflect them before the submission deadline on June 18th.</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt">Apologies for circulating last minute. We can also discuss the questions and comments at tomorrow's Pacific Connect WG call.</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt">Below are links to the original RFI from DHS:</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt">- <a href="https://www.govinfo.gov/content/pkg/FR-2021-04-19/pdf/2021-07957.pdf">https://www.govinfo.gov/content/pkg/FR-2021-04-19/pdf/2021-07957.pdf</a></span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica">- <a href="https://www.aamva.org/21_4_19-Legislative-Alert-DHS-Requests-Information-for-REAL-ID-Mobile-Drivers-License-Rulemaking/"><span style="font-size:12.0pt;font-family:"Calibri",sans-serif">https://www.aamva.org/21_4_19-Legislative-Alert-DHS-Requests-Information-for-REAL-ID-Mobile-Drivers-License-Rulemaking/</span></a></span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt">Kindest Regards,</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt">Kristina</span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><Draft DHS RFI Response - mDL_v01.pdf></span><span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica"><br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
</span><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><a href="mailto:Openid-specs-ab@lists.openid.net"><span style="font-size:9.0pt;font-family:Helvetica">Openid-specs-ab@lists.openid.net</span></a></span><span lang="EN-US" style="font-size:9.0pt;font-family:Helvetica"><br>
</span><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"><span style="font-size:9.0pt;font-family:Helvetica">http://lists.openid.net/mailman/listinfo/openid-specs-ab</span></a></span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
</blockquote>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"> </span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><Draft DHS RFI Response - mDL_v02.docx></span><span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>