[Openid-specs-mobile-profile] Preliminary Minutes WG Call 27.1.2016

Lodderstedt, Torsten t.lodderstedt at telekom.de
Thu Jan 28 07:08:11 UTC 2016


Hi all,

please find below the minutes of today's call.

best regards,
Torsten.


Participants:
John Bradley
Nat Sakimura
Florian Walter
Jörg Connotte
Gonzalo Fernandéz
Matthieu Verdier
Bjorn Hjelm
Torsten Lodderstedt

Authentication spec
- John guided us through the changes he made in the last revision
- The following topics were discussed:
* ACR Values: examples for security keys and difference between keys and pwd/pin shall be added
* AMR values: add example for amr values (e.g. SIM Applet+PIN is represented by "hpop" + "pin")
* short and long form of ACRs: the short shall be used by clients, long form will be used to register the ACR values in the IANA registry (by MODRNA WG)
* order of acrs gives RP a way to express its preferences regarding authentication, i.e. bring ACR values in their preferred order
* we stay with two acr values for now, we could add the third (or a fourth) value at any time based on experiences/discussions
- how to handle TBDs
- 6.1. replace by reference to respective OpenID Connect Discovery
- 7 length of the binding message - replace by better explanation: message may be truncated
- Mitigations for new security vulnerabilities
- discussed different options
* copy text from oauth spec
* reference current oauth spec
* recommend to use "code id_token" instead of "code"
* general problem: discussions within OAuth WG are ongoing and outcome cannot really be predicted.
-> Conclusion: will pass spec to GSMA as is and discuss vulnerabilities and way forward with GSMA

MWC
- John, Torsten will attend
- Nat will probably attend as well (as he will be in Paris at that time)
- Gonzalo & Matthieu would attend if we set up a meeting regarding MODRNA
- Torsten will talk to GSMA