<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">No, by policy I was referring to the GSMA privacy policy requiring the use of a discovery service rather than clients just asking for the user's phone number directly.<div class=""><br class=""></div><div class="">I was thinking asymmetric from the discovery service to the IdP.</div><div class="">But give the IdP the flexibility on how they protect the tokens they put in the account chooser for themselves. Those could be symmetric.</div><div class=""><br class=""></div><div class="">So saying they must be signed and encrypted is probably the correct thing for the discovery service, but not all tokens come from the discovery service.</div><div class=""><br class=""></div><div class="">John B.</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Nov 29, 2015, at 4:52 PM, Torsten Lodderstedt &lt;<a href="mailto:torsten@lodderstedt.net" class="">torsten@lodderstedt.net</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><p dir="ltr" class="">If it is a policy decision, do we need to specify some way for the client to discover the OP's respective policy?</p><p dir="ltr" class="">Regarding integrity protection: wouldn't that require a shared secret between the discovery service and the OP? Not as easy to manage as an issuer URL.</p>
<div class="gmail_quote">On 29.11.2015 at 19:38, John Bradley &lt;<a href="mailto:ve7jtb@ve7jtb.com" class="">ve7jtb@ve7jtb.com</a>&gt; wrote:<br type="attribution" class=""><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class="">For login_hint_token, the main reason to sign it is so that RPs don’t start prompting users for phone numbers and creating their own tokens.<div class="">I can’t think of any security reason.</div><div class=""><br class=""></div><div class="">For an example of a signed and encrypted JWT see <a href="https://tools.ietf.org/html/rfc7519#page-26" class="">https://tools.ietf.org/html/rfc7519#page-26</a>, Appendix A.2.</div><div class=""><br class=""></div><div class="">It is more of a policy decision than a technical one to require signing.</div><div class=""><br class=""></div><div class="">We could require integrity protection instead.</div><div class=""><br class=""></div><div class="">That would let the discovery service sign and then encrypt. The IdP could use a symmetric key to encrypt, and get sender verification in one operation.
</div><div class=""><br class=""></div><div class="">John B.<br class=""><div class=""><blockquote class=""><div class="">On Nov 29, 2015, at 3:19 PM, Torsten Lodderstedt &lt;<a href="mailto:torsten@lodderstedt.net" class="">torsten@lodderstedt.net</a>&gt; wrote:</div><br class=""><div class="">Hi Jörg,<br class=""><br class="">thanks for producing a new revision, which covers context and login_token_hint (@all: it's published at <a href="https://bitbucket.org/openid/mobile/raw/default/draft-mobile-authentication-01.txt" class="">https://bitbucket.org/openid/mobile/raw/default/draft-mobile-authentication-01.txt</a>).<br class=""><br class="">Please find attached my comments as well as proposed text for the security/privacy considerations sections and other aspects.<br class=""><br class="">I would like to bring one question to the group's attention: Do we want to require the login_token_hint to be signed? What is the main reason? Issuer authenticity?<br class=""><br class="">best regards,<br class="">Torsten.<br class="">&lt;draft-mobile-authentication-01_tlt.docx&gt;_______________________________________________<br class="">Openid-specs-mobile-profile mailing list<br class=""><a href="mailto:Openid-specs-mobile-profile@lists.openid.net" class="">Openid-specs-mobile-profile@lists.openid.net</a><br class=""><a href="http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile" class="">http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile</a><br class=""></div></blockquote></div><br class=""></div></div></blockquote></div></div></blockquote></div><br class=""></div></body></html>
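As an added illustration of the point argued in this thread (example code, not from the draft or from either author): the IdP accepts a login_hint_token only when its iss claim maps to a trusted key and the signature verifies under that key, so a token an RP minted itself, an unsigned "alg: none" token, or a tampered one is rejected. The issuer URLs, keys and claim names are assumptions; HS256 is used because the Python standard library has no RSA/EC signing, which matches the symmetric case described for the IdP's own account-chooser tokens, while the discovery-service path would swap in an asymmetric alg with the same verification structure.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys for this example, looked up by the token's iss claim (not values from the draft).
# HS256 stands in for the asymmetric discovery-service -> IdP path as well as the symmetric IdP-own case.
TRUSTED_KEYS = {
    "https://discovery.example": b"constructed-discovery-service-shared-secret",
    "https://idp.example": b"constructed-idp-own-account-chooser-secret",
}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_login_hint_token(claims: dict, key: bytes) -> str:
    """Issuer side (discovery service or IdP): compact JWS, HS256, over the hint claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_login_hint_token(token: str, keys_by_issuer: dict, now: int):
    """IdP side: accept only a token whose iss maps to a trusted key and whose signature
    verifies under that key. Returns (True, claims) or (False, reason)."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64url, bad JSON or bad UTF-8
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    if header.get("alg") != "HS256":  # refuse 'none' and any alg the parties did not agree on
        return False, "unsupported alg"
    iss = claims.get("iss")
    key = keys_by_issuer.get(iss) if isinstance(iss, str) else None
    if key is None:  # a token an RP minted itself carries no trusted issuer
        return False, "untrusted issuer"
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired or missing exp"
    return True, claims
```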