[Openid-specs-mobile-profile] ACR values

Lodderstedt, Torsten t.lodderstedt at telekom.de
Mon Nov 23 17:27:39 UTC 2015


Hi Mike,

thanks for your proposal. I think we can drop the "credential" part. It makes sense if we try to use ISO levels in order to indicate we cover credential/authentication levels only, not identity validation.

I'm rather reluctant to start with generic OpenID ACR value names. I prefer to start with the definition of what is really needed for MODRNA/Mobile Connect. Reaching consensus in the group will be difficult enough.

I would rather suggest having a discussion on generic ACR values later on with HEART, iGov and the new FIDO WG.

best regards,
Torsten. 

-----Original Message-----
From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Mike Jones
Sent: Sunday, November 22, 2015 20:50
To: Torsten Lodderstedt; openid-specs-mobile-profile at lists.openid.net
Subject: Re: [Openid-specs-mobile-profile] ACR values

I'd suggest these names instead:
- urn:openid:acr:credential:password_less (meaning: possession or inherence is ok)
- urn:openid:acr:credential:2factor (any two factors, software-based solutions are ok)
- urn:openid:acr:credential:2factor_tamper_resistant (any two factors, hardware token required)

I think that the names should not be MODRNA-specific.  And URNs are normally spelled with all lowercase characters.  Like OpenID Connect claim names, when there are multiple words in a name, separate them with underscores.

Also, is there a reason to have the "credential:" part in the URNs?  I'd suggest dropping that part as well, for brevity.  The size of the ID Token still matters (especially in mobile!).

				-- Mike

-----Original Message-----
From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Torsten Lodderstedt
Sent: Sunday, November 22, 2015 11:42 AM
To: openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] ACR values

Hi all,

based on the discussions in the last WG call, I think we are running in circles again when it comes to ACR values.

What I got:
- usage of LOA values from ISO 29115 seems to confuse people (because they seem to be not as specific as we thought and cover identification as well)
- new EU regulations use other terms and the number of authentication levels differ

What do you think about the following proposal:

In the end, we want to give the RP a way to request authentication levels, which are specific to Mobile Connect/MODRNA. Why don't we define ACR value names that exactly correspond to what we intend to use? From my perspective, Mobile Connect requires the following levels:
- urn:openid:modrna:acr:credential:PasswordLess (meaning: possession or inherence is ok)
- urn:openid:modrna:acr:credential:TwoFactor (any two factors, software-based solutions are ok)
- urn:openid:modrna:acr:credential:TwoFactorTamperResistant (any two factors, hardware token required)

Those values are intentionally MODRNA specific and could be mapped (if needed) to any other model.

What do you think?

best regards,
Torsten.
_______________________________________________
Openid-specs-mobile-profile mailing list Openid-specs-mobile-profile at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
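Added example for this thread (not code from the mailing list, from MODRNA or from Mobile Connect): what the RP side of the proposal looks like in practice. It sends the three level names Mike proposed in acr_values, most preferred first, and then refuses an ID Token whose acr claim is missing, unknown, or weaker than the weakest level it asked for. The ranking password_less < 2factor < 2factor_tamper_resistant, the rule that a stronger level satisfies a weaker request, the endpoint and client names, and the sample token are this example's own assumptions; the token is constructed and not validly signed.

```python
"""Requesting an authentication level with acr_values and checking the acr
claim on the way back.

Added example; not code from the mailing list, MODRNA or Mobile Connect.
The three value names are the ones proposed in the thread. The ranking and
the rule that a stronger level satisfies a weaker request are assumptions.
"""
import base64
import json
from urllib.parse import urlencode

# Assumed ranking of the proposed levels; higher means a stronger context.
ACR_RANK = {
    "urn:openid:acr:password_less": 1,
    "urn:openid:acr:2factor": 2,
    "urn:openid:acr:2factor_tamper_resistant": 3,
}


def build_auth_request(authz_endpoint, client_id, redirect_uri, state, nonce,
                       acr_values):
    """Build the authorization request URL.

    OpenID Connect Core sends acr_values as one space-separated string,
    most preferred value first.
    """
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "acr_values": " ".join(acr_values),
    }
    return authz_endpoint + "?" + urlencode(params)


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def id_token_claims(id_token):
    """Return the payload of a compact-serialised ID Token.

    Signature checking is out of scope here: a real RP verifies the
    signature, iss, aud, exp and nonce before trusting any claim, acr included.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def acr_satisfies(returned_acr, requested_acr_values):
    """True if acr meets at least the weakest level the RP asked for.

    Anything outside ACR_RANK never satisfies a request: a missing claim, an
    unexpected URN, or the OIDC Core default "0" (authentication did not meet
    ISO/IEC 29115 level 1 requirements).
    """
    known = [ACR_RANK[v] for v in requested_acr_values if v in ACR_RANK]
    if not known or returned_acr not in ACR_RANK:
        return False
    return ACR_RANK[returned_acr] >= min(known)


def check_acr(id_token, requested_acr_values):
    """Reject an ID Token whose acr is weaker than requested; return the acr."""
    acr = id_token_claims(id_token).get("acr")
    if not acr_satisfies(acr, requested_acr_values):
        raise PermissionError(f"acr {acr!r} does not satisfy {requested_acr_values}")
    return acr


def sample_id_token(acr):
    """Constructed test token (header.payload.dummy signature), not validly signed."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

    payload = {"iss": "https://op.example", "sub": "248289761001",
               "aud": "rp-client-id", "nonce": "n-0S6_WzA2Mj"}
    if acr is not None:
        payload["acr"] = acr
    return enc({"alg": "RS256", "kid": "example"}) + "." + enc(payload) + ".dummysig"


if __name__ == "__main__":
    wanted = ["urn:openid:acr:2factor_tamper_resistant", "urn:openid:acr:2factor"]
    print(build_auth_request("https://op.example/authorize", "rp-client-id",
                             "https://rp.example/cb", "af0ifjsldkj",
                             "n-0S6_WzA2Mj", wanted))
    print("accepted:", check_acr(sample_id_token("urn:openid:acr:2factor"), wanted))
    for weak in ("urn:openid:acr:password_less", "0", None):
        try:
            check_acr(sample_id_token(weak), wanted)
        except PermissionError as e:
            print("rejected:", e)
```

The point of the ranking table is the mapping Torsten mentions: if the names are MODRNA-specific, this is the one place an RP would translate them to another model, and an RP that only checks "acr is present" rather than "acr is at least the requested level" gets no benefit from requesting a level at all.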