[Openid-specs-mobile-profile] ACR values
Mike Jones
Michael.Jones at microsoft.com
Sun Nov 22 19:50:01 UTC 2015
I'd suggest these names instead:
- urn:openid:acr:credential:password_less (meaning: possession or inherence is ok)
- urn:openid:acr:credential:2factor (any two factors, software-based solutions are ok)
- urn:openid:acr:credential:2factor_tamper_resistant (any two factors, hardware token required)
I think that the names should not be MODRNA-specific. And URNs are normally spelled with all lowercase characters. Like OpenID Connect claim names, when there are multiple words in a name, separate them with underscores.
Also, is there a reason to have the "credential:" part in the URNs? I'd suggest dropping that part as well, for brevity. The size of the ID Token still matters (especially in mobile!).
-- Mike
-----Original Message-----
From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Torsten Lodderstedt
Sent: Sunday, November 22, 2015 11:42 AM
To: openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] ACR values
Hi all,
based on the discussions in the last WG call, I think we are running in circles again when it comes to ACR values.
What I got:
- usage of LOA values from ISO 29115 seems to confuse people (because they seem to be not as specific as we thought and cover identification as well)
- new EU regulations use other terms and the number of authentication levels differs
What do you think about the following proposal:
In the end, we want to give the RP a way to request authentication levels, which are specific to Mobile Connect/MODRNA. Why don't we define ACR value names, which exactly correspond to what we intend to use? From my perspective, Mobile Connect requires the following levels:
- urn:openid:modrna:acr:credential:PasswordLess (meaning: possession or inherence is ok)
- urn:openid:modrna:acr:credential:TwoFactor (any two factors, software-based solutions are ok)
- urn:openid:modrna:acr:credential:TwoFactorTamperResistant (any two factors, hardware token required)
Those values are intentionally MODRNA specific and could be mapped (if needed) to any other model.
What do you think?
best regards,
Torsten.
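
An added example, not part of either message and not working-group code: how an RP could request one of the levels proposed above and then check the `acr` claim it gets back, since `acr_values` is only a voluntary request in OpenID Connect and the OP may authenticate at a lower level. It uses the names from Mike's reply verbatim and assumes the three levels are ordered weakest to strongest as listed; the function names, endpoint and client values are hypothetical.

```python
from urllib.parse import urlencode

# Names as proposed in the reply above: thread proposals, not final spec values.
# Assumption: levels are ordered weakest to strongest in the order listed.
ACR_ORDER = [
    "urn:openid:acr:credential:password_less",
    "urn:openid:acr:credential:2factor",
    "urn:openid:acr:credential:2factor_tamper_resistant",
]
RANK = {acr: rank for rank, acr in enumerate(ACR_ORDER)}


def acr_values_param(minimum):
    """Space-separated acr_values: the minimum level first, then stronger ones."""
    if minimum not in RANK:
        raise ValueError(f"unknown ACR value: {minimum!r}")
    return " ".join(ACR_ORDER[RANK[minimum]:])


def build_auth_request(authorize_endpoint, client_id, redirect_uri, minimum, state, nonce):
    """Authentication request URL that asks the OP for an acceptable level."""
    query = urlencode({
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "acr_values": acr_values_param(minimum),
    })
    return f"{authorize_endpoint}?{query}"


def acr_satisfies(id_token_claims, minimum):
    """Check acr on ID Token claims whose signature, iss, aud, exp and nonce
    have already been validated. Fails closed on a missing or unknown value."""
    if minimum not in RANK:
        raise ValueError(f"unknown ACR value: {minimum!r}")
    acr = id_token_claims.get("acr")
    # Exact, case-sensitive match: a differently spelled URN is a different value.
    if not isinstance(acr, str) or acr not in RANK:
        return False
    return RANK[acr] >= RANK[minimum]


if __name__ == "__main__":
    # Constructed sample values.
    print(build_auth_request("https://op.example/authorize", "rp-demo",
                             "https://rp.example/cb", ACR_ORDER[1], "s1", "n1"))
    print(acr_satisfies({"sub": "u1", "acr": ACR_ORDER[0]}, ACR_ORDER[1]))
```

The RP should reject the login, or trigger step-up authentication, whenever `acr_satisfies` returns `False`.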