[Openid-specs-mobile-profile] ACR values

John Bradley ve7jtb at ve7jtb.com
Tue Nov 24 15:29:10 UTC 2015


The problem is that what the specific ACRs mean should be covered in a trust framework. I think the initial idea was to point to ISO for that, but it is not specific enough on its own.

I am working on some text to say what the protocol strings are with a high level description, but pointing to some other policy document to say what the overall business processes are and additional info on what the levels mean. That document should eventually be an OIX or GSMA doc. It is not a protocol document.

The core spec should say how to pass them and what the expected behaviour is if an exact match is not available.

We can’t include an entire trust framework in the core profile.

John B.
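The thread above keeps returning to two concrete protocol points: the RP passes its acceptable levels in `acr_values`, and it has to decide what to do when the OP comes back with something other than an exact match. The following is an added example, not code from the list, from any of the posters, or from the MODRNA profile itself. It uses the three URNs Mike Jones proposed as sample values; the strength ranking among them, the "at or above the weakest requested level" acceptance rule, and the sample ID Token payload are assumptions made here for illustration, not anything the thread agreed on.

```python
"""RP-side handling of acr_values and the returned acr claim.

Added example, not from the mailing-list thread. Assumptions (not on the list):
 - the three URNs from Mike's proposal are ranked weakest to strongest;
 - a returned acr at or above the weakest level the RP asked for is accepted;
 - the ID Token payload below is constructed sample data, and signature
   validation has already happened elsewhere.
"""
import re
from urllib.parse import urlencode

# Sample ranking of the URNs proposed in the thread (assumed order).
ACR_RANK = {
    "urn:openid:acr:password_less": 1,
    "urn:openid:acr:2factor": 2,
    "urn:openid:acr:2factor_tamper_resistant": 3,
}

# Naming convention discussed on the list: all lowercase, words joined by
# underscores. This regex rejects mixed-case forms such as "PasswordLess".
_URN_RE = re.compile(r"^urn:[a-z0-9][a-z0-9-]*(:[a-z0-9_]+)+$")


def is_well_formed_acr(value: str) -> bool:
    """True if the value follows the lowercase/underscore URN convention."""
    return _URN_RE.fullmatch(value) is not None


def build_auth_query(client_id: str, redirect_uri: str, nonce: str,
                     acr_values: list[str]) -> str:
    """Build the OIDC authentication request query string.

    acr_values is a space-separated list, most preferred first, as in
    OpenID Connect Core section 3.1.2.1. Malformed names are refused
    before they reach the OP.
    """
    bad = [v for v in acr_values if not is_well_formed_acr(v)]
    if bad:
        raise ValueError(f"malformed acr value(s): {bad}")
    return urlencode({
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "nonce": nonce,
        "acr_values": " ".join(acr_values),
    })


def acr_satisfies(returned_acr, requested: list[str]) -> bool:
    """Decide whether the OP's acr claim meets what the RP requested.

    When acr_values is used, acr is a voluntary claim: the OP reports the
    level it actually performed, so the RP must check it rather than assume.
    Missing or unknown values are treated as not satisfied (assumed policy).
    """
    if returned_acr is None:
        return False                      # OP asserted no level at all
    if returned_acr in requested:
        return True                       # exact match, the easy case
    if returned_acr not in ACR_RANK:
        return False                      # cannot map an unknown URN
    known = [ACR_RANK[r] for r in requested if r in ACR_RANK]
    if not known:
        return False                      # nothing comparable was requested
    return ACR_RANK[returned_acr] >= min(known)


def check_id_token_acr(payload: dict, requested: list[str]) -> bool:
    """Apply acr_satisfies to a decoded ID Token payload (signature assumed
    verified already)."""
    return acr_satisfies(payload.get("acr"), requested)


if __name__ == "__main__":
    wanted = ["urn:openid:acr:2factor", "urn:openid:acr:2factor_tamper_resistant"]
    print(build_auth_query("rp-client", "https://rp.example/cb", "n-0S6_WzA2Mj", wanted))
    # Constructed sample payload: the OP did a hardware-backed second factor.
    sample_payload = {"iss": "https://op.example", "sub": "248289761001",
                      "aud": "rp-client", "nonce": "n-0S6_WzA2Mj",
                      "acr": "urn:openid:acr:2factor_tamper_resistant"}
    print("accepted:", check_id_token_acr(sample_payload, wanted))
```

The acceptance rule is deliberately the RP's policy, not the OP's: an OP that only returns the level it used leaves the "no exact match" decision exactly where the thread says the core profile should put it, and the mapping table is the piece a trust framework document would own.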
> On Nov 24, 2015, at 11:44 AM, philippe.clement at orange.com wrote:
> 
> Hi Torsten,
> 
> To be less elliptic, I'm just trying to find some simplistic way to get out of this discussion. In a nutshell, trying to see if we can get rid of speaking levels of assurance in our workgroup and Modrna auth doc.
> From my point of view, what is mentioned in the OIDC core spec should be enough for the mobile profile.
> 
> Kind regards,
> Philippe
> 
> -----Original Message-----
> From: Lodderstedt, Torsten [mailto:t.lodderstedt at telekom.de]
> Sent: Tuesday, November 24, 2015 14:04
> To: CLEMENT Philippe IMT TECHNO
> Cc: Mike Jones; openid-specs-mobile-profile at lists.openid.net
> Subject: AW: [Openid-specs-mobile-profile] ACR values
> 
> Hi Philippe,
> 
> what does it mean with respect to the topic at hand? As I said (at least I tried :-)), my focus is on getting something reasonable/suitable done.
> 
> best regards,
> Torsten.
> 
> -----Original Message-----
> From: philippe.clement at orange.com [mailto:philippe.clement at orange.com]
> Sent: Tuesday, November 24, 2015 13:13
> To: openid-specs-mobile-profile at lists.openid.net; Mike Jones; Lodderstedt, Torsten
> Subject: RE: [Openid-specs-mobile-profile] ACR values
> 
> sent again due to mail failure...
> 
> -----Original Message-----
> From: CLEMENT Philippe IMT TECHNO
> Sent: Tuesday, November 24, 2015 10:40
> To: Lodderstedt, Torsten; Mike Jones; openid-specs-mobile-profile at lists.openid.net
> Subject: RE: [Openid-specs-mobile-profile] ACR values
> 
> Dear all,
> I went back to the charter to check the purpose of the workgroup:
> __________________
> 
> 2) Purpose:
> Developing a profile of OpenID Connect intended to be appropriate for use by mobile network operators (MNOs) providing identity services to RPs and for RPs in consuming those services as well as any other party wishing to be interoperable with this profile.
> __________________
> 
> I think that means that we work on an OIDC profile adapted for MNOs, not exclusively for Mobile Connect, which is one of the different potential services MNOs offer to partners.
> 
> Hope this helps
> Philippe
> 
> -----Original Message-----
> From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Lodderstedt, Torsten
> Sent: Monday, November 23, 2015 18:28
> To: Mike Jones; openid-specs-mobile-profile at lists.openid.net
> Subject: Re: [Openid-specs-mobile-profile] ACR values
> 
> Hi Mike,
> 
> thanks for your proposal. I think we can drop the "credential" part. It makes sense if we try to use ISO levels in order to indicate we cover credential/authentication levels only, not identity validation.
> 
> I'm rather reluctant to start with generic OpenId ACR value names. I prefer to start with the definition of what is really needed for MODRNA/Mobile Connect. Reaching consensus in the group will be difficult enough. 
> 
> I would rather suggest to have a discussion on generic ACR values later on with HEART, iGov and the new FIDO WG.
> 
> best regards,
> Torsten. 
> 
> -----Original Message-----
> From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Mike Jones
> Sent: Sunday, November 22, 2015 20:50
> To: Torsten Lodderstedt; openid-specs-mobile-profile at lists.openid.net
> Subject: Re: [Openid-specs-mobile-profile] ACR values
> 
> I'd suggest these names instead:
> - urn:openid:acr:credential:password_less (meaning: possession or inherence is ok)
> - urn:openid:acr:credential:2factor (any two factors, software-based solutions are ok)
> - urn:openid:acr:credential:2factor_tamper_resistant (any two factors, hardware token required)
> 
> I think that the names should not be MODRNA-specific.  And URNs are normally spelled with all lowercase characters.  Like OpenID Connect claim names, when there are multiple words in a name, separate them with underscores.
> 
> Also, is there a reason to have the "credential:" part in the URNs?  I'd suggest dropping that part as well, for brevity.  The size of the ID Token still matters (especially in mobile!).
> 
> 				-- Mike
> 
> -----Original Message-----
> From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Torsten Lodderstedt
> Sent: Sunday, November 22, 2015 11:42 AM
> To: openid-specs-mobile-profile at lists.openid.net
> Subject: [Openid-specs-mobile-profile] ACR values
> 
> Hi all,
> 
> based on the discussions in the last WG call, I think we are running circles again when it comes to ACR values.
> 
> What I got:
> - usage of LOA values from ISO 29115 seems to confuse people (because they seem to be not as specific as we thought and cover identification as well)
> - new EU regulations use other terms and the number of authentication levels differ
> 
> What do you think about the following proposal:
> 
> In the end, we want to give the RP a way to request authentication levels, which are specific to Mobile Connect/MODRNA. Why don't we define ACR value names, which exactly correspond to what we intend to use? From my perspective, Mobile Connect requires the following levels:
> - urn:openid:modrna:acr:credential:PasswordLess (meaning: possession or inherence is ok)
> - urn:openid:modrna:acr:credential:TwoFactor (any two factors, software-based solutions are ok)
> - urn:openid:modrna:acr:credential:TwoFactorTamperResistant (any two factors, hardware token required)
> 
> Those values are intentionally MODRNA specific and could be mapped (if needed) to any other model.
> 
> What do you think?
> 
> best regards,
> Torsten.
> _______________________________________________
> Openid-specs-mobile-profile mailing list Openid-specs-mobile-profile at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile
> 
> _________________________________________________________________________________________________________________________
> 
> This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.


