<div dir="ltr"><div dir="ltr">Thanks for the feedback. I have some other minor updates to the spec so will be working on an update. I'll add these to my list of things to add.<input name="virtru-metadata" type="hidden" value="{"email-policy":{"disableCopyPaste":false,"disablePrint":false,"disableForwarding":false,"enableNoauth":false,"expandedWatermarking":false,"expires":false,"sms":false,"expirationNum":1,"expirationUnit":"days","isManaged":false,"persistentProtection":false},"attachments":{},"compose-id":"1","compose-window":{"secure":false}}"><div><br></div><div>George</div></div><br><div class="gmail_quote" style=""><div dir="ltr" class="gmail_attr">On Fri, Feb 9, 2024 at 4:47 AM Vladimir Dzhuvinov via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div>
<p>Hi George,</p>
<p>It would be really helpful to have the clarification in pt 2 in
the spec. I have received questions of the "how does this native
SSO compare to web SSO" kind on multiple occasions in the past.
This will aid adoption because people will now have a clear
picture in their mind where the security properties of native SSO
stand in relation to web based SSO (which by now should be well
known and understood).<br>
</p>
<pre cols="72">Vladimir</pre>
<div>On 08/02/2024 17:20, George Fletcher
via Openid-specs-ab wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">Comments inline...</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Feb 7, 2024 at
8:19 PM Nat Sakimura via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hi
<div><br>
</div>
<div>(Mainly to George) <br>
<div><br>
</div>
<div>While reading the Native SSO draft, I stumbled on
the following questions. If you could clarify them, it
would be helpful. </div>
<div><br>
</div>
<div>1) Device secret seems to be a token that is
returned from the token endpoint. Would it not be more
appropriate to be called device_token or something? </div>
</div>
</div>
</blockquote>
<div>The name device_secret came from an IIW session where I
asked about naming. Yes it is a token, issued by the
authorization server and it is intended to be "secret"
between that device instance and the Authorization server.
I'm not sure changing the name at this time would be good
given the number of deployed implementations. </div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>
<div>2) Is there any provision that assures the user of
Native App 1 and Native App 2 is the same? </div>
</div>
</div>
</blockquote>
<div>Within the specification, there isn't any check. If we
think about SSO from a web perspective, there would not
likely be a check of user identity during the SSO flow. We
consider use of the same device instance as sufficient proof
that the user is the same. If Native App 2 requires an
"identity proof" it could do it's own say faceID challenge
before engaging the Native SSO spec. So I think this is
possible outside of the current spec. </div>
<div><br>
</div>
<div>I could probably add something to the security
considerations section if you think that would be useful. </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>
<div><br>
</div>
<div>Best, </div>
<div><br>
</div>
<div>Nat Sakimura</div>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/openid-specs-ab__;!!FrPt2g6CO4Wadw!NK0VUtu5l6sa4r_L_46MditkoJboMNG7GdqxZBx38cDr9oPcoD1kpoWS9CWB5e6t7PqVgTNiyxGi9FiRQRtoJM19Boc430w31M32oKo$" rel="noreferrer" target="_blank">https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/openid-specs-ab__;!!FrPt2g6CO4Wadw!NK0VUtu5l6sa4r_L_46MditkoJboMNG7GdqxZBx38cDr9oPcoD1kpoWS9CWB5e6t7PqVgTNiyxGi9FiRQRtoJM19Boc430w31M32oKo$</a>
<br>
</blockquote>
</div>
</div>
<hr><br>
<br>
<font color="#404040">The information contained in this e-mail may
be confidential and/or proprietary to Capital One and/or its
affiliates and may only be used solely in performance of work or
services for Capital One. The information transmitted herewith
is intended only for use by the individual or entity to which it
is addressed. If the reader of this message is not the intended
recipient, you are hereby notified that any review,
retransmission, dissemination, distribution, copying or other
use of, or taking of any action in reliance upon this
information is strictly prohibited. If you have received this
communication in error, please contact the sender and delete the
material from your computer.</font><br>
<br>
<table width="100%" height="30" cellspacing="0" cellpadding="0" border="0">
<tbody>
<tr>
</tr>
</tbody>
</table>
<br>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
Openid-specs-ab mailing list
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div></div>
<HR><table border="0" cellspacing="0" cellpadding="0" width="100%" height="30"><BR>
<tr><BR>
<font color="#404040">The information contained in this e-mail may be confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.</font></td><BR>
</tr><BR>
</table><BR>