<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.E-MailFormatvorlage17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=DE link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi Tim,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I’ll try to explain some of our assumptions leading to the proposal.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> openid-specs-mobile-profile-bounces@lists.openid.net [mailto:openid-specs-mobile-profile-bounces@lists.openid.net] <b>On behalf of </b>Tim Bray<br><b>Sent:</b> Monday, 28 July 2014 03:41<br><b>To:</b> Torsten Lodderstedt<br><b>Cc:</b> openid-specs-mobile-profile@lists.openid.net<br><b>Subject:</b> Re: [Openid-specs-mobile-profile] Initial Proposal<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>First of all, excellent start! Thanks to Torsten and his DG colleagues.<o:p></o:p></p></div><div><p class=MsoNormal>==========================<o:p></o:p></p></div><div><p class=MsoNormal>Section 3.2: “The RP shall register to a certain MNO or another entity MNOs delegated this task to once and obtain the right to access the desired MNOs’ ID services. To enable this autonomy of relying parties and OpenID Providers (the MNO‘s) dynamic client registration must be possible.”<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Why? 
I’m in favor of dynamic registration, but in the typical use case, suppose I’m an RP, I want to register an app with TMO and have it work on Orange, why is a traditional RP registration process with TMO not possible?<o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>JCO: Maybe the phrasing wasn’t too good here. What we are getting at is that the RP registers traditionally with TMO (probably signing some contract). The operator performing this initial registration is called the Developer Operator. After that, the process of registering the RP with Orange and possibly dozens or even hundreds of other MNOs, which each facilitate their own OpenID Provider, should be done automatically. Thus using dynamic client registration seems to be the way to register to the subsequent OIDPs (called serving operators).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p></div><div><p class=MsoNormal>==========================<o:p></o:p></p></div><div><p class=MsoNormal>A little worried about the software statement in a public client, where it can be easily stolen; not sure I understand what it accomplishes.<o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>JCO: The software statement can at least reflect the fact that the initial registration of the RP was done properly. Depending on the content of the software statement, the OpenID Provider will be able to reject the RP based on a blacklist published by the Developer Operator.<o:p></o:p></span></p></div><div><p class=MsoNormal>==========================<o:p></o:p></p></div><div><p class=MsoNormal>It would be more readable if the references were by title not by name, e.g. 
“OIDC Discovery” rather than “[3]”<o:p></o:p></p></div><div><p class=MsoNormal>==========================<o:p></o:p></p></div><div><p class=MsoNormal>Section 4: This is all about web apps, and I see that there’s value-add in defining an advanced discovery process that can return an OP to support a standard OIDC flow, where the OP doesn’t depend on which telco the RP registered with… Do we have any ambition to support the native-app case? That’s where the real developer pain is.<o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>JCO: I certainly think the native app case should also be discussed. We wanted the example flow to stick as closely to the standard OIDC flows as possible.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p></div><div><p class=MsoNormal>===========================<o:p></o:p></p></div><div><p class=MsoNormal>Section 4. “In this example, the RP is a web application, which asked the user to enter his msisdn”. Ideally, it should be possible for the software to get the identifier from the phone hardware?<o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>JCO: The way the MSISDN is obtained may vary depending on the user agent. Not all operating systems on mobile devices allow for the retrieval of the MSISDN programmatically. Sometimes only MNC and MCC are possible. However, one valid use case is that the user agent is a browser on a PC client. In this case the user has to enter his/her MSISDN manually.<o:p></o:p></span></p></div><div><p class=MsoNormal>===========================<o:p></o:p></p></div><div><p class=MsoNormal>Generally, I was hoping there to be some back-channel magic that would be enabled by involvement of GSMA members. 
The SIM or equivalent already constitutes some sort of an identity assertion, so I’d hope that could be used, for example to simplify discovery. Any chances?<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='color:#1F497D'>JCO: There should be any number of different ‘resource’ types for discovery. MCC/MNC or mobile IP address come to mind. Those can be either retrieved by the client or extracted from the header information by the operator discovery service. In those cases no user interaction is required for discovery.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Regards<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Jörg<o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US>On Sun, Jul 27, 2014 at 12:33 PM, Torsten Lodderstedt <</span><a href="mailto:torsten@lodderstedt.net" target="_blank"><span lang=EN-US>torsten@lodderstedt.net</span></a><span lang=EN-US>> wrote:<o:p></o:p></span></p><div><div><p class=MsoNormal>Hi Tim,<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Why don't you just post your comments here?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>regards,<o:p></o:p></p></div><div><p class=MsoNormal>Torsten.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>On 27.07.2014 at 21:08, Tim Bray <<a href="mailto:tbray@textuality.com" target="_blank">tbray@textuality.com</a>> wrote:<o:p></o:p></p></div><div><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal>Thanks! 
I started reading this and immediately had a couple of comments I wanted to make. Perhaps this could migrate into a comment-friendly form like a wiki or Google doc or something soon?<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Sun, Jul 27, 2014 at 11:14 AM, Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>> wrote:<o:p></o:p></p><p class=MsoNormal>Hi all,<br><br>Deutsche Telekom has prepared an initial proposal for this working group. Please find the document here: <a href="http://openid.bitbucket.org/Mobile_Profile_initial_draft_016.pdf" target="_blank">http://openid.bitbucket.org/Mobile_Profile_initial_draft_016.pdf</a><br><br>The main purpose of this document is to facilitate the discussion within the group about the challenges we have to cope with and the assumptions we base our work upon. It also sketches a potential solution (which is certainly open for discussion).<br><br>"See" you on Tuesday.<br><br>best regards,<br>Torsten.<br>_______________________________________________<br>Openid-specs-mobile-profile mailing list<br><a href="mailto:Openid-specs-mobile-profile@lists.openid.net" target="_blank">Openid-specs-mobile-profile@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile</a><o:p></o:p></p></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <o:p></o:p></p><div><div><p class=MsoNormal>- Tim Bray (If you’d like to send me a private message, see <a href="https://keybase.io/timbray" target="_blank">https://keybase.io/timbray</a>)<o:p></o:p></p></div></div></div></div></blockquote></div></div></div></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p 
class=MsoNormal>-- <o:p></o:p></p><div><div><p class=MsoNormal>- Tim Bray (If you’d like to send me a private message, see <a href="https://keybase.io/timbray" target="_blank">https://keybase.io/timbray</a>)<o:p></o:p></p></div></div></div></div></body></html>
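The two JCO answers on dynamic client registration and on the software statement describe a check the serving operator's registration endpoint would perform: the statement proves that the RP completed its traditional registration with the Developer Operator, and the serving operator can reject the RP on the basis of a blacklist that the Developer Operator publishes. The following Python is an added example of that check; it is not code from the Deutsche Telekom proposal or from the working group. It assumes, beyond what the thread states, that the software statement is a compact JWS whose claim names and error codes follow RFC 7591, that HS256 with a shared secret stands in for the Developer Operator's real signing key so that the example runs with the standard library alone, and that the blacklist is a set of software_id values; the issuer URL, key, blacklist entries and RP metadata are constructed sample data.

```python
"""Serving-operator side validation of the software statement carried in a
dynamic client registration request.

Added example for the thread above; not code from the proposal or the working
group. Assumptions not stated in the thread:
  * the software statement is a compact JWS (RFC 7515) minted by the Developer
    Operator; HS256 with a shared secret is used only so this runs with the
    standard library, a real deployment would use the Developer Operator's
    asymmetric signing key
  * the Developer Operator publishes a blacklist of software_id values
  * claim names and error codes follow RFC 7591 (software_id, redirect_uris,
    invalid_software_statement, ...)
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample trust store: Developer Operator issuer URL -> verification key
DEVELOPER_OPERATORS = {
    "https://developer-operator.example/": b"constructed-shared-secret-for-demo",
}
# Constructed blacklist as published by the Developer Operator (assumption)
BLACKLIST = {"sw-0002"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_software_statement(issuer: str, claims: dict) -> str:
    """Developer Operator side: sign the statement once the traditional
    (contract-based) registration of the RP has been completed."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iss=issuer, iat=int(time.time()))
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(body, separators=(",", ":")).encode())
    )
    sig = hmac.new(DEVELOPER_OPERATORS[issuer], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_software_statement(token: str) -> dict:
    """Serving operator side: return the claims, or raise ValueError with the
    reason the statement is unacceptable."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm so a client-controlled header cannot downgrade it
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(p64))
    key = DEVELOPER_OPERATORS.get(claims.get("iss"))
    if key is None:
        raise ValueError("issuer is not a trusted Developer Operator")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    if "software_id" not in claims:
        raise ValueError("software_id missing")
    if claims["software_id"] in BLACKLIST:
        raise ValueError("software_id is blacklisted by the Developer Operator")
    return claims


def handle_registration(request: dict) -> dict:
    """Dynamic client registration endpoint of the serving operator."""
    stmt = request.get("software_statement")
    if not stmt:
        return {"error": "invalid_client_metadata",
                "error_description": "software_statement is required"}
    try:
        claims = verify_software_statement(stmt)
    except ValueError as exc:
        return {"error": "invalid_software_statement", "error_description": str(exc)}
    # Per RFC 7591 the claims inside the signed statement take precedence over
    # the bare request metadata, which the submitting client could alter freely
    redirect_uris = claims.get("redirect_uris") or request.get("redirect_uris") or []
    if not redirect_uris:
        return {"error": "invalid_redirect_uri"}
    client_id = "client-" + hashlib.sha256(stmt.encode()).hexdigest()[:16]
    return {"client_id": client_id, "software_id": claims["software_id"],
            "redirect_uris": redirect_uris}
```

The blacklist check only has teeth because the signature binds software_id to the Developer Operator: a statement copied out of a public client still carries the same software_id, so revoking that id at the Developer Operator shuts it out at every serving operator, which is the property the JCO answer relies on.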