[Openid-specs-mobile-profile] ACR values

Nat Sakimura sakimura at gmail.com
Mon Nov 23 18:36:25 UTC 2015


I do not like these. They go exactly backwards from what ISO/IEC/ITU-T arrived at, starting from SP800-63. Those characteristics of credentials do not represent the degree of risk mitigation. A lot of people argued for something concrete like that, but in the end Mr Nadalin's argument concurred.

The only aspect of concreteness left in 29115 | X.1254 was the multi-factoredness.

=nat via iPhone

> On Nov 23, 2015, at 4:50 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
> 
> I'd suggest these names instead:
> - urn:openid:acr:credential:password_less (meaning: possession or inherence is ok)
> - urn:openid:acr:credential:2factor (any two factors, software-based solutions are ok)
> - urn:openid:acr:credential:2factor_tamper_resistant (any two factors, hardware token required)
> 
> I think that the names should not be MODRNA-specific.  And URNs are normally spelled with all lowercase characters.  Like OpenID Connect claim names, when there are multiple words in a name, separate them with underscores.
> 
> Also, is there a reason to have the "credential:" part in the URNs?  I'd suggest dropping that part as well, for brevity.  The size of the ID Token still matters (especially in mobile!).
> 
>                -- Mike
> 
> -----Original Message-----
> From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Torsten Lodderstedt
> Sent: Sunday, November 22, 2015 11:42 AM
> To: openid-specs-mobile-profile at lists.openid.net
> Subject: [Openid-specs-mobile-profile] ACR values
> 
> Hi all,
> 
> based on the discussions in the last WG call, I think we are running circles again when it comes to ACR values.
> 
> What I got:
> - usage of LOA values from ISO 29115 seems to confuse people (because they seem to be not as specific as we thought and cover identification as well)
> - new EU regulations use other terms and the number of authentication levels differ
> 
> What do you think about the following proposal:
> 
> In the end, we want to give the RP a way to request authentication levels, which are specific to Mobile Connect/MODRNA. Why don't we define ACR value names, which exactly correspond to what we intend to use? From my perspective, Mobile Connect requires the following levels:
> - urn:openid:modrna:acr:credential:PasswordLess (meaning: possession or inherence is ok)
> - urn:openid:modrna:acr:credential:TwoFactor (any two factors, software-based solutions are ok)
> - urn:openid:modrna:acr:credential:TwoFactorTamperResistant (any two factors, hardware token required)
> 
> Those values are intentionally MODRNA specific and could be mapped (if needed) to any other model.
> 
> What do you think?
> 
> best regards,
> Torsten.
> _______________________________________________
> Openid-specs-mobile-profile mailing list Openid-specs-mobile-profile at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
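How an RP would actually consume the ACR values proposed in this thread, as an added example that is not code from the thread, from MODRNA or from any OpenID spec. It takes the three URNs in Mike's lowercase spelling, gives them an ordering (a choice made here for illustration, so that a "minimum level" request can be mapped to a set of acceptable values as Torsten suggests), builds the `acr_values` request parameter, and then checks the `acr` claim that comes back in the ID Token. The function and parameter names are this example's own. The token used is constructed sample data with `alg` `none`; signature verification is assumed to have happened before the payload is trusted.

```python
"""RP-side request and check of ACR values (added example, not from the thread).

Assumptions: the three URNs below are the ones proposed in Mike's reply; the
ranking, the helper names and the sample token are this example's own.
"""
import base64
import json
from urllib.parse import urlencode

# Proposed ACR values, ranked weakest -> strongest. The ranking is an
# assumption made for this example; the thread does not define one.
ACR_RANK = {
    "urn:openid:acr:password_less": 1,
    "urn:openid:acr:2factor": 2,
    "urn:openid:acr:2factor_tamper_resistant": 3,
}


def requested_acr_values(minimum_acr):
    """All values at or above `minimum_acr`, strongest first.

    acr_values is a space-separated list in order of preference, so the RP
    lists the strongest acceptable level first and the minimum last.
    """
    floor = ACR_RANK[minimum_acr]
    return [acr for acr, rank in sorted(ACR_RANK.items(), key=lambda kv: -kv[1])
            if rank >= floor]


def build_auth_request(client_id, redirect_uri, minimum_acr, state, nonce):
    """Query string for an OpenID Connect authentication request asking for
    `minimum_acr` or anything stronger."""
    return urlencode({
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "acr_values": " ".join(requested_acr_values(minimum_acr)),
    })


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def id_token_payload(id_token):
    """Decode the JWT payload only. Signature verification is out of scope
    here and must have succeeded before this result is trusted."""
    _header, payload_b64, _sig = id_token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def acr_satisfies(payload, minimum_acr, expected_nonce):
    """acr_values is only a request: the OP may ignore it, so the RP has to
    check the `acr` it actually received. Unknown or missing acr fails."""
    if payload.get("nonce") != expected_nonce:
        return False
    got = payload.get("acr")
    if got not in ACR_RANK:
        return False
    return ACR_RANK[got] >= ACR_RANK[minimum_acr]


def constructed_id_token(acr, nonce):
    """Constructed sample ID Token (unsigned, alg 'none') for the demo only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iss": "https://op.example", "sub": "248289761001",
               "aud": "rp-client", "acr": acr, "nonce": nonce}
    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    minimum = "urn:openid:acr:2factor"
    print(build_auth_request("rp-client", "https://rp.example/cb", minimum, "st1", "n-0S6"))
    tok = constructed_id_token("urn:openid:acr:2factor_tamper_resistant", "n-0S6")
    print(acr_satisfies(id_token_payload(tok), minimum, "n-0S6"))
```

The point of the ranking is that a hardware-backed two-factor login satisfies a request for plain two-factor, but a password-less single-factor login does not, and that a token carrying an `acr` the RP does not recognise (for example a value from a different level model that was never mapped) is rejected rather than silently accepted.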
