<p dir="ltr">If it is a policy decision, do we need to specify some way for the client to discover the OP's respective policy?</p>
<p dir="ltr">Regarding integrity protection: wouldn't that require a shared secret between discovery service and OP? Not as easy to manage as an issuer URL.</p>
<div class="gmail_quote">On 29.11.2015 19:38, John Bradley &lt;ve7jtb@ve7jtb.com&gt; wrote:<br type='attribution'><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">For login_hint_token, the main reason to sign it is so that RPs don’t start prompting users for phone numbers and creating their own tokens. <div>I can’t think of any security reason.</div><div><br /></div>
<div>For an example of a signed and encrypted JWT see: <a href="https://tools.ietf.org/html/rfc7519#page-26">https://tools.ietf.org/html/rfc7519#page-26</a> A.2.</div><div><br /></div>
<div>It is more of a policy decision than a technical one to require signing.</div><div><br /></div>
<div>We could require integrity protection instead.</div><div><br /></div>
<div>That would let the discovery service sign and then encrypt. The IdP could use a symmetric key to encrypt, and get sender verification in one operation.</div><div><br /></div>
<div>John B.<br /><div><blockquote><div>On Nov 29, 2015, at 3:19 PM, Torsten Lodderstedt &lt;<a href="mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a>&gt; wrote:</div><br />
<div>Hi Jörg,<br /><br />thanks for producing a new revision, which covers context and login_token_hint (@all: it's published at <a href="https://bitbucket.org/openid/mobile/raw/default/draft-mobile-authentication-01.txt">https://bitbucket.org/openid/mobile/raw/default/draft-mobile-authentication-01.txt</a>).<br /><br />Please find attached my comments as well as proposed text for security/privacy considerations sections and other aspects.<br /><br />I would like to bring one question to the group's attention: Do we want to require the login_token_hint to be signed? What is the main reason? Issuer authenticity?<br /><br />best regards,<br />Torsten.<br />&lt;draft-mobile-authentication-01_tlt.docx&gt;<br />_______________________________________________<br />Openid-specs-mobile-profile mailing list<br /><a href="mailto:Openid-specs-mobile-profile@lists.openid.net">Openid-specs-mobile-profile@lists.openid.net</a><br /><a href="http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile">http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile</a><br /></div></blockquote></div><br /></div></div></blockquote></div>
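<p dir="ltr">As an added illustration of the integrity-protection option discussed above (not code from the draft or from anyone on the list): a discovery service issues the login_hint_token as an HS256-signed compact JWS under a secret it shares with the OP, and the OP looks that secret up by the token's issuer URL before verifying, which is exactly the per-issuer key management the reply asks about. The issuer URLs, the OP identifier, the secret and the <code>login_hint</code> claim name are all constructed for this example.</p>

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values: one shared secret per discovery-service issuer, keyed by "iss".
# A real OP would obtain the secret out of band; nothing here comes from the draft.
SHARED_SECRETS = {
    "https://discovery.example.net": b"constructed-shared-secret-do-not-reuse",
}
OP_ISSUER = "https://op.example.com"  # assumed identifier of the OP consuming the token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_login_hint_token(issuer: str, login_hint: str, now=None) -> str:
    """Discovery-service side: HS256 JWS carrying the hint, audience-bound to the OP."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": OP_ISSUER, "iat": now, "exp": now + 300,
              "login_hint": login_hint}  # claim name is an assumption for this example
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_SECRETS[issuer], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_login_hint_token(token: str, now=None) -> dict:
    """OP side: pins alg, selects the secret by issuer, then checks MAC, aud and exp."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    if json.loads(_b64url_decode(h_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or a sender-chosen alg
    claims = json.loads(_b64url_decode(c_b64))
    secret = SHARED_SECRETS.get(claims.get("iss"))  # key management is per issuer URL
    if secret is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    if claims.get("aud") != OP_ISSUER:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims
```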