[Openid-specs-mobile-profile] MODRNA WG call on October 16th 2018 preliminary minutes

philippe.clement at orange.com
Fri Oct 19 09:54:17 UTC 2018


Dear all,
Please find below the preliminary minutes of our call on Oct 16th 2018. Please let me know of any error or misunderstanding.

Roll Call (extract from Goto Meeting)
Dave Tonge (Moneyhub), John Bradley, Nat Sakimura, Philippe Clement (Orange), Bjorn Hjelm (Verizon), Brian Campbell (Ping), Geoffrey Graham, Gonza, Petteri (Ubisecure), Siva(GSMA)

Adoption of the Agenda [Bjorn/John]
agreed

External Organizations

GSMA [Siva]
Work around PKI is temporarily on hold.
Discussion continues in CPAS around token binding, SP implementations, TLS handshake usage and possibilities for servers to support.

The discussion settles on implementation for browsers and OS: Microsoft, Chrome, Apache.

Brian mentions his work on open source modules for the token binding extension, written in Java, for Java-based applications like Tomcat.
Siva mentions the difficulty of getting adoption if it is complex to implement.
John mentions that support is necessary on the server before the client supports it. Bearer tokens work too.
Information to be shared in the CPAS.

Polling mechanism to be implemented on MC side.

Working Group Updates

FAPI WG [Dave]
Nat mentions implementer's draft to vote on.

Spec. Status

CIBA  Core/MODRNA [Dave/Brian/Gonzalo/Axel]
There are still issues on CIBA, and the remaining questions on whether or not to make normative changes in the MODRNA profile are discussed.
An introductory text could avoid normative changes.
Discussion settles on launching OIDC and CIBA separately, and reusing parameters and names (claims, metadata) from one to the other. Error codes to be looked at too.

This next week will be dedicated to closing the issues; no normative change seems required for the mobile profile.

==>     Brian   Pull request to start on the split.

Discovery [John/Torsten]
Not addressed

Issue Tracker

CIBA [Dave/Brian/Gonzalo/Axel]


New issue:
 #97: CIBA - Clarify privacy issues with login_hint_token and discovery service<https://bitbucket.org/openid/mobile/issues/97/ciba-clarify-privacy-issues-with>

Open issues:
#71: CIBA hint validation clarification<https://bitbucket.org/openid/mobile/issues/71/ciba-hint-validation-clarification>
Deep discussion around privacy and the legitimacy of the client knowing the phone number at a given moment.
==>     Everyone to comment on this issue.

Question about allowing the RP to encrypt to be more secure.
Should we in CIBA have processing rules for login_hint_token or encryption? Likely in the MODRNA profile of CIBA it's ok.

Other open issues are addressed through pull requests:
#91: CIBA: Authentication request and context parameters<https://bitbucket.org/openid/mobile/issues/91/ciba-authentication-request-and-context>
#94: use invalid_grant rather than unknown_auth_req_id in CIBA<https://bitbucket.org/openid/mobile/issues/94/use-invalid_grant-rather-than>
#95: CIBA - Push Mode definition of succesful token delivery<https://bitbucket.org/openid/mobile/issues/95/ciba-push-mode-definition-of-succesful>

==>     Please all look at open issues


Discovery [John/Torsten]
Not addressed

AOB
The call next week will be a CIBA-only call.

Best regards,
Philippe

