[Openid-specs-mobile-profile] Issue #129: CIBA: Typos in 2018-Dev-12 draft (openid/mobile)

Takahiko Kawasaki issues-reply at bitbucket.org
Wed Dec 12 12:19:07 UTC 2018 

New issue 129: CIBA: Typos in 2018-Dev-12 draft
https://bitbucket.org/openid/mobile/issues/129/ciba-typos-in-2018-dev-12-draft

Takahiko Kawasaki:

**1. Introduction, the last paragraph**

```
out-band mechanisms ->
out-of-band mechanisms
```

**3. Overview, the 1st paragraph**

```
out-band mechanisms ->
out-of-band mechanisms
```

**3. Overview, 3.**

```
Ping or Push modes, this choice MUST ->
Ping or Push modes. This choice MUST
```

**4. Registration and Discovery Metadata, OpenID Provider Metadata, backchannel_token_delivery_modes_supported**

```
a JSON array ->
JSON array
```

```
the following values "poll", "ping" and "push" ->
the following values: "poll", "ping" and "push"
(unless the omission of ':' or other delimiter is intentional)
```

**4. Registration and Discovery Metadata, Client Metadata, backchannel_token_delivery_mode**

```
the following values "poll", "ping" and "push" ->
the following values: "poll", "ping" and "push"
(unless the omission of ':' or other delimiter is intentional)
```

**5. Poll, Ping and Push Modes, Poll Mode Diagram**

Remove a space after "(2) User interactions".
(other arrows don't have a space after strings)

**5. Poll, Ping and Push Modes, Ping Mode Diagram**

Replace the underscore after "(2) User interactions" with a hyphen.

**5. Poll, Ping and Push Modes, Push Mode Diagram**

Remove a space after "(2) User interactions" and "(3) CIBA Push Callback".
(other arrows in other diagrams don't have a space after strings)

**6. Examples of Use Cases**

```
A user wants to user ->
A user wants to use
```

```
smartphone to authorise ->
smartphone to authorize
```

**7.1. Authentication Request, the 1st paragraph**

```
MODRNA Client Initiated Backchannel Authentication ->
Client Initiated Backchannel Authentication
(unless MODRNA is placed there intentionally.)
```

**7.1. Authentication Request, scope**

```
Consitent with ->
Consistent with
```

**7.1. Authentication Request, example of an authentication request**

`&` should be added after `binding_message=W4SCT`.

**7.1.1. Signed Authentication Request, the paragraph after `jti`**

```
MUST NOT be be outside ->
MUST NOT be outside
```

**7.1.2. User Code, the 3rd paragraph**

```
where caller id is ->
where a caller ID is
```

**7.2 Authentication Request Validation, 1.**

```
It is RECOMMENDED that Clients do not send ->
It is RECOMMENDED that Clients not send
```

```
rather that public key cryptography is used ->
rather that public key cryptography be used
```

**7.3. Successful Authentication Request Acknowledgement**

```
example from an authentication response ->
example of an authentication response:
("of" and a semi-colon at the end)
```

**7.4. Authentication Request Acknowledgment Validation, the 2nd paragraph**

```
to use when polling the token endpoint in Poll mode ->
to use when making a token request in Poll and Ping modes
```

**9. Client Notification Endpoint, the 4th paragraph**

```
did not grant authorisation ->
did not grant authorization
```

**10.1. Token Request Using Backchannel Request Grant Type, the 5th paragraph**

```
as if it was registered to use the Poll mode ->
as if it had been registered to use the Poll mode
```

**10.1. Token Request Using Backchannel Request Grant Type, the 6th paragraph**

```
makes a "POST" request ->
makes an "HTTP POST" request
```

Some `HTTP POST` are enclosed with double quotation marks (like `"HTTP POST" request`) and the others are not (e.g. the 1st paragraph of 10.2.). It would be better to align to either of them.

**10.2. Ping Callback**

```
with HTTP 200 OK, any body ->
with HTTP 200 OK and any body
```

**10.3.1. Successful Token Delivery, the paragraph after the first example**

```
If the bearer token is not valid the Client ->
If the bearer token is not valid, the Client
```

**11. Token Error Response, the 1st paragraph**

```
constructs the error response ->
constructs an error response
```

**11. Token Error Response, access_denied**

```
The end user denied ->
The end-user denied
```

**12. Push Error Payload**

`error_uri` is not mentioned.

**12. Push Error Payload, access_denied**

```
The end user denied ->
The end-user denied
```

**13. Authentication Error Response, missing_user_code**

```
missing from request ->
missing from the request
```

**13. Authentication Error Response, access_denied**

```
The mechanism for such a decision to be made in outside the scope of ->
The mechanism for such a decision to be made is outside the scope of
```

**14. Pairwise Identifiers, the 3rd paragraph**

> Pre-arranged configurations between SP and OpenID Provider are always possible.

What is "SP"? It would be better to write the definition of "SP" somewhere.

**15. Security Considerations, the 1st paragraph**

```
The login hint token SHOULD ->
The login_hint_token SHOULD
```

**15. Security Considerations, the 1st paragraph**

> The signature allows the OP to authenticate and authorize the sender of the hint and prevent collecting of phone numbers by rogue Clients.

I'm not sure _"prevent collecting of phone numbers"_ is appropriate in the context of CIBA **Core** specification.

**16. Privacy Considerations, ID Token containing a pairwise identifier**

```
a CIBA flow can be initialised ->
a CIBA flow can be initialized
```

**17.1. OAuth Authorization Server Metadata Registration**

`backchannel_user_code_parameter_supported` is missing.

**17.2. OAuth Dynamic Client Registration Metadata Registration**

`backchannel_user_code_parameter` is missing.

**17.4. JSON Web Token Claims**

```
encoded as claims of a the request JWT ->
encoded as claims of the request JWT
```

**Appendix B. Notices**

> Copyright (c) 2015 The OpenID Foundation.

The year of the copyright should be updated properly.

More information about the Openid-specs-mobile-profile mailing list