[Openid-specs-mobile-profile] Mobile Profile WG Call on Sept 6th 2017 preliminary minutes

philippe.clement at orange.com
Thu Sep 7 09:59:42 UTC 2017


Dear all,
Please find below the preliminary notes of our MODRNA WG call on Sept 6th 2017. Let me know in case of any error or misunderstanding.

Participants : John, Charles, Petteri, Nicolas, James, Philippe, Shahram

Agenda
1. Roll Call and Adoption of the Agenda [Bjorn/John]
2. Liaisons Updates
3. GSMA
4. Mechanism for Age Verification
5. FAPI WG Update [Bjorn/John]
6. Issue Tracker [All] - We'll go through as many as possible.
   a. CIBA
      i.   Propose close #45<https://bitbucket.org/openid/mobile/issues/45/server-initiated-authentication>
      ii.  #54<https://bitbucket.org/openid/mobile/issues/54/ciba-client-notification-endpoint>
      iii. #55<https://bitbucket.org/openid/mobile/issues/55/ciba-signed-result-objects>
      iv.  #56<https://bitbucket.org/openid/mobile/issues/56/signed-request-object-authentication>
      v.   #57<https://bitbucket.org/openid/mobile/issues/57/client-initiated-backend-authentication>
   b. Authentication Profile
      i.    Propose close #1<https://bitbucket.org/openid/mobile/issues/1/context-service-provider-wants-to> and #31<https://bitbucket.org/openid/mobile/issues/31/how-to-react-if-login_hint-and>
      ii.   #22<https://bitbucket.org/openid/mobile/issues/22/service-provider-wants-to-get>
      iii.  #33<https://bitbucket.org/openid/mobile/issues/33/modrna-as-an-individual-claim-request>
      iv.   #38<https://bitbucket.org/openid/mobile/issues/38/how-to-introduce-authentication-strength>
      v.    #39<https://bitbucket.org/openid/mobile/issues/39/error-non-error-handling-in-case-op-cannot>
      vi.   #40<https://bitbucket.org/openid/mobile/issues/40/loa4-authentication>
      vii.  #41<https://bitbucket.org/openid/mobile/issues/41/split-functionality-of-binding-message-and>
      viii. #42<https://bitbucket.org/openid/mobile/issues/42/pcr-as-login-hint>
      ix.   #43<https://bitbucket.org/openid/mobile/issues/43/additional-security-considerations>
   c. Discovery Profile
      i.   #24<https://bitbucket.org/openid/mobile/issues/24/account-chooser>
      ii.  #25<https://bitbucket.org/openid/mobile/issues/25/add-operator-list-in-case-mno-cannot-be>
      iii. #36<https://bitbucket.org/openid/mobile/issues/36/modrna-wg-to-review-sdk-spec-for-mobile>
   d. Registration Profile
      i.   #32<https://bitbucket.org/openid/mobile/issues/32/mobile-registration-napps-application-type>
      ii.  #34<https://bitbucket.org/openid/mobile/issues/34/add-lifecycle-considerations>
      iii. #35<https://bitbucket.org/openid/mobile/issues/35/software-statement-revocation>
      iv.  #37<https://bitbucket.org/openid/mobile/issues/37/setup-liasion-with-api-exchange-team>
      v.   #58<https://bitbucket.org/openid/mobile/issues/58/33-client-registration-response-should>
   e. General
      i.   #29<https://bitbucket.org/openid/mobile/issues/29/modrna-authentication-amr-values>
      ii.  #44<https://bitbucket.org/openid/mobile/issues/44/transaction-authorization>
      iii. #46<https://bitbucket.org/openid/mobile/issues/46/provide-feedback-review-specification-of>
      iv.  #47<https://bitbucket.org/openid/mobile/issues/47/urls-use-openid-or-gsma-in-modrna-specs>
7. AOB
Discussion
1. Roll Call and Adoption of the Agenda [Bjorn/John]
   * done
2. Liaisons Updates
   * No feedback on the CPAS call, no attendance from MODRNA.
3. GSMA
   * no update
4. Mechanism for Age Verification
   * Discussions began in CPAS and also in the OAuth WG for age verification.
   * MODRNA has to think about it and make a proposal if any improvement is to be addressed in our WG, in order to take further discussions into other bodies.
   * The first level of constraints mentioned relies on legal specificities in different regions/countries.
   * Clients want an attribute saying whether the user is at or above a given age.
   * First proposal is to consider operators on numeric claims (equal, greater than...) that could be endorsed by subclaims.
   * Other proposal is to consider metadata defining the conditions under which the data was entered (source of authority, verified by...); a conversation occurred with the iGov WG about attributes and metadata specs.
   * Birth date is the claim in OIDC. It's a self-asserted claim.
   * John mentions an EU project involving Barclays, HSBC and Orange to open a bank account in different countries based on eIDAS identities; the Orange participants in MODRNA today are not involved.
5. FAPI WG Update [Bjorn/John]
   * Having a F2F joint meeting with FAPI is at stake; 2 dates already proposed: Oct 6 or Nov 7, in London. Participants from this group should try to join.
6. Issue Tracker [All] - We'll go through as many as possible.
   CIBA
   * Propose close #45<https://bitbucket.org/openid/mobile/issues/45/server-initiated-authentication>
     --> closed
   * #54<https://bitbucket.org/openid/mobile/issues/54/ciba-client-notification-endpoint>
     Different options still open, waiting for Axel's input.
   * #55<https://bitbucket.org/openid/mobile/issues/55/ciba-signed-result-objects>
   * #56<https://bitbucket.org/openid/mobile/issues/56/signed-request-object-authentication>
     Sorting out the semantics seems necessary. Add an additional claim to the signed request? A simple way is using the JWT assertion.
     --> waiting for Axel's direction
   * #57<https://bitbucket.org/openid/mobile/issues/57/client-initiated-backend-authentication>
   Authentication Profile
   * Propose close #1<https://bitbucket.org/openid/mobile/issues/1/context-service-provider-wants-to> and #31<https://bitbucket.org/openid/mobile/issues/31/how-to-react-if-login_hint-and>
     Could be part of UQ, which is a different spec. Is it UQ API or Auth spec? Binding message and injection attacks are at stake.
     Nicolas suggests recommending that implementers write correct code. Solutions: 1- limit the code to letters and numbers. 2- implementers must put security as the first priority.
     John: what is this binding message for? A clear question should provide a clear answer.
     --> Proposal is to close the issue
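As an added illustration (not from the minutes nor from any MODRNA or CIBA specification), the check below implements the mitigation Nicolas proposed: restricting the binding message to letters and numbers so that a value later shown on the user's authentication device cannot carry markup, line breaks or hidden characters. The length cap, the sample values and the naive comparison function are assumptions for this example.

```python
import re

# Policy constants for this added example. The charset restriction follows the
# proposal in the minutes (letters and numbers only); the length cap is an
# assumption chosen so the message fits on a small authentication-device screen.
MAX_BINDING_MESSAGE_LEN = 20
# Explicit ASCII ranges: \w or str.isalnum() would also admit Unicode letters
# and digits, which can render differently (or invisibly) across devices.
_ALLOWED = re.compile(r"[A-Za-z0-9]+")


def validate_binding_message(msg):
    """Return (ok, reason) for a proposed binding_message value.

    A value is accepted only if it is a non-empty str, no longer than
    MAX_BINDING_MESSAGE_LEN, and made solely of ASCII letters and digits.
    """
    if not isinstance(msg, str) or msg == "":
        return False, "empty"
    if len(msg) > MAX_BINDING_MESSAGE_LEN:
        return False, "too long"
    if _ALLOWED.fullmatch(msg) is None:
        return False, "disallowed character"
    return True, "ok"


def naive_is_alnum(msg):
    """The tempting one-liner, kept here to show why it is not enough."""
    return msg.isalnum()


# Constructed sample values (not from the minutes) covering the cases a
# consumption device would otherwise have to render verbatim.
SAMPLES = {
    "A1B2C3": "plain code",
    "<b>pay 900</b>": "markup that a web view could interpret",
    "Confirm\nTransfer 900": "line break used to push text onto a new line",
    "A\u200bB": "zero-width space hidden inside a code",
    "\uff11\uff12\uff13": "full-width digits, accepted by str.isalnum()",
    "x" * 21: "one character over the length cap",
}


def triage_samples():
    """Map each sample value to the validator's reason string."""
    return {m: validate_binding_message(m)[1] for m in SAMPLES}
```

Only the first sample passes; the full-width digits show that a Unicode-aware "is alphanumeric" test would have accepted a value the explicit ASCII allowlist rejects.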

Not addressed:
   Authentication Profile
   * #22<https://bitbucket.org/openid/mobile/issues/22/service-provider-wants-to-get>
   * #33<https://bitbucket.org/openid/mobile/issues/33/modrna-as-an-individual-claim-request>
   * #38<https://bitbucket.org/openid/mobile/issues/38/how-to-introduce-authentication-strength>
   * #39<https://bitbucket.org/openid/mobile/issues/39/error-non-error-handling-in-case-op-cannot>
   * #40<https://bitbucket.org/openid/mobile/issues/40/loa4-authentication>
   * #41<https://bitbucket.org/openid/mobile/issues/41/split-functionality-of-binding-message-and>
   * #42<https://bitbucket.org/openid/mobile/issues/42/pcr-as-login-hint>
   * #43<https://bitbucket.org/openid/mobile/issues/43/additional-security-considerations>
   Discovery Profile
   * #24<https://bitbucket.org/openid/mobile/issues/24/account-chooser>
   * #25<https://bitbucket.org/openid/mobile/issues/25/add-operator-list-in-case-mno-cannot-be>
   * #36<https://bitbucket.org/openid/mobile/issues/36/modrna-wg-to-review-sdk-spec-for-mobile>
   Registration Profile
   * #32<https://bitbucket.org/openid/mobile/issues/32/mobile-registration-napps-application-type>
   * #34<https://bitbucket.org/openid/mobile/issues/34/add-lifecycle-considerations>
   * #35<https://bitbucket.org/openid/mobile/issues/35/software-statement-revocation>
   * #37<https://bitbucket.org/openid/mobile/issues/37/setup-liasion-with-api-exchange-team>
   * #58<https://bitbucket.org/openid/mobile/issues/58/33-client-registration-response-should>
   General
   * #29<https://bitbucket.org/openid/mobile/issues/29/modrna-authentication-amr-values>
   * #44<https://bitbucket.org/openid/mobile/issues/44/transaction-authorization>
   * #46<https://bitbucket.org/openid/mobile/issues/46/provide-feedback-review-specification-of>
   * #47<https://bitbucket.org/openid/mobile/issues/47/urls-use-openid-or-gsma-in-modrna-specs>
7. Account porting spec (James)
   * Do we need another implementers draft before moving to publication? A push to final spec is proposed; James: ok.
8. AOB: change the MODRNA WG timeslots due to conflicts: Tuesday and Friday are suggested, with priority to Tuesday.

Best regards,

Philippe


