[OpenID-specs-EAP] WGLC for OpenID Connect EAP ACR Values spec

Michael Jones michael_b_jones at hotmail.com
Mon Apr 7 17:51:10 UTC 2025


I’ve created https://bitbucket.org/openid/eap/pull-requests/2, which adds Security Considerations on preventing downgrade attacks by using signed requests.

                                                                -- Mike

From: Openid-specs-eap <openid-specs-eap-bounces at lists.openid.net> On Behalf Of Michael Jones via Openid-specs-eap
Sent: Saturday, March 29, 2025 3:54 PM
To: Andrii Deinega <andrii.deinega at gmail.com>
Cc: Joni Brennan <jonibrennan at gmail.com>; leifj at sunet.se; openid-specs-eap at lists.openid.net
Subject: Re: [OpenID-specs-EAP] WGLC for OpenID Connect EAP ACR Values spec

We could add a reference to RFC 9191 in the Security Considerations, and in particular, cite the Downgrade Attack<https://www.rfc-editor.org/rfc/rfc9101.html#name-downgrade-attack> considerations.  What do others think?

                                                                -- Mike

From: Andrii Deinega <andrii.deinega at gmail.com>
Sent: Thursday, March 27, 2025 3:13 PM
To: Michael Jones <michael_b_jones at hotmail.com>
Cc: Joni Brennan <jonibrennan at gmail.com>; leifj at sunet.se; openid-specs-eap at lists.openid.net; Dean Saxe <dean.saxe at beyondidentity.com>
Subject: Re: [OpenID-specs-EAP] WGLC for OpenID Connect EAP ACR Values spec

Mike, I’m curious whether the security considerations section in this spec should recommend passing request parameters (especially those that include acr_values) as JWT-Secured Authorization Requests (JAR)<https://www.rfc-editor.org/rfc/rfc9101.html>, or as Pushed Authorization Requests (PAR)<https://datatracker.ietf.org/doc/html/rfc9126>.

Otherwise, the acr_values parameter could be removed without detection on the OP side.

PARs and encrypted JARs also allow hiding from others what is specifically requested by an RP from an OP.

All the best,
Andrii
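To make the downgrade concrete, here is an added illustration (not part of the thread or of either spec) of how an OP's view of acr_values differs between plain query parameters and a JAR request object. It assumes a constructed shared secret and HS256 purely to stay self-contained; the require_signed_request_object flag models the per-client policy RFC 9101 describes for refusing plain requests from clients that must use signed request objects.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed demo secret. Real JAR deployments sign with the RP's asymmetric
# key (e.g. RS256/ES256); HS256 is used here only to keep the example self-contained.
RP_SECRET = b"constructed-demo-secret-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_request_object(params: dict) -> str:
    """Build a minimal RFC 9101 request object (JWT) carrying the auth params."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "oauth-authz-req+jwt"}).encode())
    payload = b64url(json.dumps(params).encode())
    sig = hmac.new(RP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_request_object(jwt: str) -> Optional[dict]:
    """Return the request object's claims, or None if the signature does not verify."""
    parts = jwt.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(RP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def op_effective_acr(url: str, require_signed_request_object: bool) -> Tuple[bool, Optional[str]]:
    """Model the OP's view of an authorization request URL: (accepted, acr_values).

    With plain query parameters a stripped acr_values is indistinguishable from a
    request that never asked for it. With require_signed_request_object the OP
    rejects a request that lacks the `request` parameter instead of downgrading.
    """
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "request" in query:
        claims = verify_request_object(query["request"])
        if claims is None:
            return (False, None)                 # tampered or malformed request object
        return (True, claims.get("acr_values"))  # only the signed copy is trusted
    if require_signed_request_object:
        return (False, None)                     # client must use JAR: no fallback
    return (True, query.get("acr_values"))       # plain request: silent downgrade possible
```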


On Thu, Mar 27, 2025 at 7:53 AM Dean Saxe via Openid-specs-eap <openid-specs-eap at lists.openid.net> wrote:
I support progressing this spec to final.

-dhs
--
Dean H. Saxe, CIDPRO<https://idpro.org/cidpro/> (he/him)
Principal Engineer
Office of the CTO
Beyond Identity
dean.saxe at beyondidentity.com




On Mar 25, 2025 at 5:49:29 PM, Michael Jones via Openid-specs-eap <openid-specs-eap at lists.openid.net> wrote:
This message starts a 2-week Working Group Last Call for the OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0<https://openid.net/specs/openid-connect-eap-acr-values-1_0.html> specification, prior to submitting it to Foundation-wide review for Final status.  The Context Class values “phr” and “phrh” are now registered in the IANA “Level of Assurance (LoA) Profiles” registry at https://www.iana.org/assignments/loa-profiles/.

The WGLC ends on Tuesday, April 8th.  Please reply-all to this e-mail indicating whether you support progressing the specification to Final status.

After it becomes Final, we anticipate closing the EAP working group<https://openid.net/wg/eap/>.

                                                                Thanks,
                                                                -- Mike

From: Michael Jones
Sent: Sunday, March 23, 2025 11:07 PM
To: openid-specs-eap at lists.openid.net
Cc: leifj at sunet.se; Joni Brennan <jonibrennan at gmail.com>; John Bradley <ve7jtb at ve7jtb.com>
Subject: Context Class values added to OpenID EAP ACR Values spec

I’ve updated the OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0<https://openid.net/specs/openid-connect-eap-acr-values-1_0.html> specification to add the Context Class values needed to enable registration of the two ACR values indicating that phishing-resistant authentication or phishing-resistant-hardware-backed authentication is being requested or has been performed.  Thanks to Leif Johansson for explaining how to create the Context Class files.  They can both be found at https://bitbucket.org/openid/eap/src/master/.

The IANA registrations have been requested – with tracking number [IANA #1415585].

Once these registrations occur, unless working group members want other updates to the spec, we should be able to take the specification to Final status.

                                                                -- Mike

_______________________________________________
Openid-specs-eap mailing list
Openid-specs-eap at lists.openid.net
https://lists.openid.net/mailman/listinfo/openid-specs-eap