[Openid-specs-mobile-profile] Issue #60: MODRNA Authentication Profile: Improving description in section 9 "Security Considerations" (openid/mobile)
issues-reply at bitbucket.org
Sun Sep 24 09:50:17 UTC 2017
New issue 60: MODRNA Authentication Profile: Improving description in section 9 "Security Considerations"
The second part of the first paragraph said: "The signature allows the OP to authenticate and authorize the sender of the hint and prevent collecting of phone numbers by rogue clients".
It is not the signature which prevents collecting of phone numbers but the fact that the login_hint_token is encrypted. So I think the right sentence would be "The login_hint_token allows the OP ......"
Do you agree?