<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">It is not required that they understand them. They are additional information beyond the amr. <div class=""><br class=""></div><div class="">I suspect they are only really useful to people running some sort of adaptive risk engine. </div><div class=""><br class=""></div><div class="">If a bank knows that the device the user authenticated on is using a class 0 SMS push of a URL to a device with click to confirm, they might treat that differently to an authentication using a class 2 SMS directly to the SIM that is confirmed with a signed challenge based on a user clicking a prompt.</div><div class=""><br class=""></div><div class="">I suspect that you need a relatively sophisticated person to understand the risks of the first vs the second and add additional mitigations for the possibility of message interception in the first case.</div><div class="">(No criticism of people deploying the first case intended) It may be that a given handset is capable of the first but not the second; however, they are both the same <span style="color: rgb(51, 51, 51); font-family: Consolas, Menlo, 'Liberation Mono', Courier, monospace; line-height: 1.4; widows: 1; background-color: rgb(255, 255, 255);" class=""><a href="http://schemas.openid.net/policies/mod/phishing-resistant" class="">http://schemas.openid.net/policies/mod/phishing-resistant</a> acr value.</span></div><div class=""><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="line-height: 16px; background-color: rgb(255, 255, 255);" class=""><br class=""></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" 
class=""><span style="line-height: 16px;" class="">Giving the client the ability to differentiate in the request is not useful because the SIM in the user’s device can’t be updated magically during the authentication.</span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" class=""><span style="line-height: 16px;" class="">However a sophisticated client/SP may want to know and give that info to a risk engine. </span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" class=""><span style="line-height: 16px;" class=""><br class=""></span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" class=""><span style="line-height: 16px;" class="">Now I grant you that intercepting the SMS and triggering it is not the work of a casual remote attacker, but I know people who have that ability if they wanted to target an individual, they would sit outside the person’s house with a stingray and trigger an authentication to grab the confirmation URI and authorize themselves to get into an account. 
All with a legal court order no doubt:)</span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" class=""><span style="line-height: 16px;" class=""><br class=""></span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" class=""><span style="line-height: 16px;" class="">That is not a distinction that I would worry most clients/RP with, but some will care, and so they can look at the amr values.</span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" class=""><span style="line-height: 16px;" class=""><br class=""></span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" class=""><span style="line-height: 16px;" class="">I will fix the duplicated lines, that was just a cut and paste error.</span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" class=""><span style="line-height: 16px;" class=""><br class=""></span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" class=""><span style="line-height: 16px;" class="">Are there other examples that people want me to add, or comments on the existing ones?</span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation 
Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" class=""><span style="line-height: 16px;" class=""><br class=""></span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" class=""><span style="line-height: 16px;" class="">Trying to group these in a sensible way is something I am mostly making up, so feel free to comment.</span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" class=""><span style="line-height: 16px;" class=""><br class=""></span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" class=""><span style="line-height: 16px;" class="">In some ways it may be best to have the ACR and AMR details in a separate document and just have the protocol information.</span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" class=""><span style="line-height: 16px;" class="">On the other hand this is likely the only doc developers will look at so I duplicated some of the amr text from the RFC draft.</span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" class=""><span style="line-height: 16px;" class=""><br class=""></span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" 
class=""><span style="line-height: 16px;" class="">John B.</span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" class=""><span style="line-height: 16px;" class=""><br class=""></span></span></font></div><div style="widows: 1;" class=""><font color="#333333" face="Consolas, Menlo, Liberation Mono, Courier, monospace" class=""><span style="background-color: rgb(255, 255, 255);" class=""><span style="line-height: 16px;" class=""><br class=""></span></span></font></div><div class=""><br class=""></div><div><blockquote type="cite" class=""><div class="">On Dec 10, 2015, at 11:07 AM, <<a href="mailto:philippe.clement@orange.com" class="">philippe.clement@orange.com</a>> <<a href="mailto:philippe.clement@orange.com" class="">philippe.clement@orange.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);" class="">Hi John,<o:p class=""></o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);" class=""> </span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);" 
class="">Thanks for the updates<o:p class=""></o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);" class=""> </span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);" class="">Just a minor remark: an overlap between lines 291-294 and lines 296-299<o:p class=""></o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);" class=""> </span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);" class="">Is it useful to insert a text mentioning the necessary understanding (by the RP) of amr values returned by the OP, or do we consider them as “fire and forget” elements?<o:p class=""></o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);" class=""> </span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);" class="">Regards,<o:p class=""></o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);" class="">Philippe<o:p class=""></o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New 
Roman', serif;" class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125);" class=""> </span></div><div class=""><div style="border-style: solid none none; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding: 3pt 0cm 0cm;" class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><b class=""><span lang="FR" style="font-size: 10pt; font-family: Tahoma, sans-serif;" class="">From:</span></b><span lang="FR" style="font-size: 10pt; font-family: Tahoma, sans-serif;" class=""><span class="Apple-converted-space"> </span>Openid-specs-mobile-profile [<a href="mailto:openid-specs-mobile-profile-bounces@lists.openid.net" class="">mailto:openid-specs-mobile-profile-bounces@lists.openid.net</a>]<span class="Apple-converted-space"> </span><b class="">On Behalf Of</b><span class="Apple-converted-space"> </span>John Bradley<br class=""><b class="">Sent:</b><span class="Apple-converted-space"> </span>Thursday, 10 December 2015 01:50<br class=""><b class="">To:</b><span class="Apple-converted-space"> </span>Openid-specs-mobile-profile<br class=""><b class="">Subject:</b><span class="Apple-converted-space"> </span>[Openid-specs-mobile-profile] AMR values for authentication spec<o:p class=""></o:p></span></div></div></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">I have added a new section explaining AMR and showing some of the values from the registry.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><a 
href="https://bitbucket.org/openid/mobile/diff/draft-mobile-authentication-01.txt?diff2=2d1046613672&at=default" style="color: purple; text-decoration: underline;" class="">https://bitbucket.org/openid/mobile/diff/draft-mobile-authentication-01.txt?diff2=2d1046613672&at=default</a><o:p class=""></o:p></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">I am working with Mike Jones to align with the registry values.<o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><a href="https://tools.ietf.org/html/draft-jones-oauth-amr-values-02" style="color: purple; text-decoration: underline;" class="">https://tools.ietf.org/html/draft-jones-oauth-amr-values-02</a><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif;" class="">John B.<o:p class=""></o:p></div></div></div><pre style="font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class="">_________________________________________________________________________________________________________________________
</pre></div></blockquote></div><br class=""></div></body></html>