[Openid-specs-mobile-profile] Issue 52 CIBA Pairwise Identifiers Structuring Text

John Bradley ve7jtb at ve7jtb.com
Mon Jun 19 12:23:40 UTC 2017


PS there is another dimension to this in registration.

If the federation operator issues a software statement for registration, how is the client identified?

We assumed that the redirect URI would need to be listed to make the software statement usable by only the client in question.

If we add CIBA post_back we need to also include the post_back URI in the software statement as well.

What do we include for clients using CIBA polling?

If we don’t have an answer to that, then the software statement becomes a simple bearer token that could be used to register a client by anyone with the software statement.

Allowing a pure polling mode introduces security issues even if you are not using PPID.

John B.
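The registration-time binding John describes above, as an added example that is not part of the original thread or of any OpenID specification: it checks the URIs in a software statement against a registration request and, for pairwise clients, against the sector identifier document, and flags polling clients for which the statement carries nothing client-specific. The `delivery_mode` and `post_back_uri` field names are assumptions standing in for the thread's redirect / post back / polling distinction; `redirect_uris`, `subject_type` and `sector_identifier_uri` are the OpenID Connect registration parameter names.

```python
"""Binding checks a registration endpoint can run on a software statement.
Added example, not from the thread or any OpenID spec.  'delivery_mode' and
'post_back_uri' are assumed names for how a CIBA client receives responses."""


def check_registration(request, statement, sector_doc):
    """Return a list of binding failures (empty when registration may proceed).

    request    -- client metadata posted to the registration endpoint
    statement  -- claims of the software statement JWT; its signature is
                  assumed to have been verified by the caller already
    sector_doc -- JSON array of URIs fetched from sector_identifier_uri
    """
    errors = []
    # 1. A redirect URI the federation operator did not list means the
    #    statement would act as a bearer token usable by any registrant.
    allowed = set(statement.get("redirect_uris", []))
    for uri in request.get("redirect_uris", []):
        if uri not in allowed:
            errors.append(f"redirect_uri not in software statement: {uri}")
    bound = list(request.get("redirect_uris", []))  # URIs identifying this client
    mode = request.get("delivery_mode", "redirect")
    if mode == "post_back":
        pb = request.get("post_back_uri")
        # The post-back URI must be carried in the statement like a redirect URI.
        if pb is None or pb != statement.get("post_back_uri"):
            errors.append("post_back_uri missing or not bound by software statement")
        else:
            bound.append(pb)
    elif mode == "poll":
        # Nothing URI-shaped ties the statement to this particular client.
        errors.append("polling mode: software statement carries no client-specific binding")
    # 2. Pairwise subjects: every response URI must appear in the sector document,
    #    otherwise an unrelated client could share this client's pairwise subjects.
    if request.get("subject_type") == "pairwise":
        if "sector_identifier_uri" not in request:
            errors.append("pairwise subject_type requires sector_identifier_uri")
        missing = [u for u in bound if u not in sector_doc]
        if missing:
            errors.append(f"URIs absent from sector identifier document: {missing}")
    return errors


# Constructed sample data: one well-formed redirect client and one mismatch.
STATEMENT = {"software_id": "example-app", "redirect_uris": ["https://app.example/cb"],
             "post_back_uri": "https://app.example/ciba"}
SECTOR_DOC = ["https://app.example/cb", "https://app.example/ciba"]
GOOD = {"redirect_uris": ["https://app.example/cb"], "subject_type": "pairwise",
        "sector_identifier_uri": "https://app.example/sector.json"}
BAD = {"redirect_uris": ["https://other.example/cb"], "subject_type": "pairwise",
       "sector_identifier_uri": "https://app.example/sector.json"}

if __name__ == "__main__":
    print(check_registration(GOOD, STATEMENT, SECTOR_DOC))  # []
    print(check_registration(BAD, STATEMENT, SECTOR_DOC))   # two failures
```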


> On Jun 19, 2017, at 7:05 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> 
> It is not part of discovery.
> 
> It is part of registration.
> 
> The SIU must be validated in registration for clients that use PPID.
> 
> How it is validated depends on the way the client receives the response.
> 1. Redirect
> 2. Post back
> 3. Polling/ RO password
> 
> I don’t know that we have resolved the validation issue. 
> 
> CIBA is adding new responses.
> 
> We can’t say nothing in CIBA and hope that registration is updated.
> 
> If the decision is to add validation rules for SIU that are specific to CIBA to registration then I am fine with it.
> 
> I think not everyone seems to be on the same page around understanding the need for validating the SIU.
> I don’t think we have agreement to not allow symmetric authentication for CIBA polling and more specifically to require the client authentication key to be published in the jwks_uri and published in the siu for validation.
> 
> So I think we still have an issue with CIBA polling.
> 
> John B.
>> On Jun 8, 2017, at 2:38 AM, Axel.Nennker at telekom.de <mailto:Axel.Nennker at telekom.de> wrote:
>> 
>> Hi all,
>>  
>> can this issue be closed?
>> https://bitbucket.org/openid/mobile/issues/52/ciba-pairwise-identifiers-structuring-text <https://bitbucket.org/openid/mobile/issues/52/ciba-pairwise-identifiers-structuring-text>
>>  
>> The sector_identifier_url is now mandatory to be specified at Client registration time.
>> Validation of the sector_identifier is out-of-scope for CIBA and should be in Discovery.
>>  
>> Please comment on the issue in bitbucket or here.
>>  
>> Kind regards
>> Axel
>>  
>> DEUTSCHE TELEKOM AG
>> T-Labs (Research & Innovation)
>> Axel Nennker
>> Winterfeldtstr. 21, 10781 Berlin
>> +491702275312 (Tel.)
>> E-Mail: axel.nennker at telekom.de <mailto:axel.nennker at telekom.de>
>>  
>>  
>>  
>> _______________________________________________
>> Openid-specs-mobile-profile mailing list
>> Openid-specs-mobile-profile at lists.openid.net <mailto:Openid-specs-mobile-profile at lists.openid.net>
>> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile <http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile>


