<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Gonzalo,<br>
<br>
yes, we need to raise awareness on the GSMA side. John made some good
points about why even SPs most likely don't want to see the consequences
of such a strict approach.<br>
<br>
I assume the point will be discussed as soon as we deliver
our spec to the GSMA.<br>
<br>
best regards,<br>
Torsten.<br>
<br>
<div class="moz-cite-prefix">On 06.02.2016 at 11:58, GONZALO
FERNANDEZ RODRIGUEZ wrote:<br>
</div>
<blockquote
cite="mid:D2DB8BA1.3E986%25gonzalo.fernandezrodriguez@telefonica.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt;
text-align:left; color:black; BORDER-BOTTOM: medium none;
BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span><Lodderstedt>,
Torsten <<a moz-do-not-send="true"
href="mailto:t.lodderstedt@telekom.de">t.lodderstedt@telekom.de</a>><br>
<span style="font-weight:bold">Date: </span>Friday, 5
February 2016, 17:09<br>
<span style="font-weight:bold">To: </span>Gonzalo Fernandez
Rodriguez <<a moz-do-not-send="true"
href="mailto:gonzalo.fernandezrodriguez@telefonica.com">gonzalo.fernandezrodriguez@telefonica.com</a>>,
"<a moz-do-not-send="true"
href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a>"
<<a moz-do-not-send="true"
href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a>><br>
<span style="font-weight:bold">Subject: </span>RE:
[Openid-specs-mobile-profile] Preliminary Minutes WG Call
27.1.2016<br>
</div>
<div><br>
</div>
<div>
<meta name="Generator" content="Microsoft Word 12 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Sprechblasentext Zchn";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.E-MailFormatvorlage17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.E-MailFormatvorlage18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.SprechblasentextZchn
{mso-style-name:"Sprechblasentext Zchn";
mso-style-priority:99;
mso-style-link:Sprechblasentext;
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div link="blue" vlink="purple" lang="DE">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi
Gonzalo,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">please see my comments inline.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">best
regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Torsten.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size: 10pt;
font-family: Tahoma, sans-serif;">From:</span></b><span
style="font-size: 10pt; font-family: Tahoma,
sans-serif;"> GONZALO FERNANDEZ RODRIGUEZ [<a
moz-do-not-send="true"
href="mailto:gonzalo.fernandezrodriguez@telefonica.com"><a class="moz-txt-link-freetext" href="mailto:gonzalo.fernandezrodriguez@telefonica.com">mailto:gonzalo.fernandezrodriguez@telefonica.com</a></a>]
<br>
<b>Sent:</b> Friday, 29 January 2016 14:22<br>
<b>To:</b> Lodderstedt, Torsten; <a
moz-do-not-send="true"
href="mailto:openid-specs-mobile-profile@lists.openid.net">
<a class="moz-txt-link-abbreviated" href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a></a><br>
<b>Subject:</b> Re: [Openid-specs-mobile-profile]
Preliminary Minutes WG Call 27.1.2016<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black">Hi guys,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black">In our last
call we were talking about different use cases we
could come across in the MODRNA Profile spec.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black">I have had some
meetings with product business from Telefónica, and
I would like to share with you some of these use
cases that can have an impact on the MODRNA profile
spec.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><b><span
style="font-size:10.5pt;color:black">ABILITY TO
CHOOSE THE SPECIFIC AUTHENTICATOR</span></b><span
style="font-size:10.5pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black">As per the
conversations that I have had with Biz Product, they
want to have the ability to charge different prices
to the Service Providers dependent on the
authenticator used to authenticate the user, so it
would be necessary for the RP to have the
chance to choose it in the authentication request.
The current draft of the spec only allows specifying
“mod-pr” and “mod-mf” to request phishing-resistant
and multi-factor authentication respectively, without
taking into account the final authenticator that
will be used.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US">What is the expected behavior if the
particular MNO does not support the specific
authenticator or if the particular user is not in
possession of the specific authenticator?</span></p>
</div>
</div>
</div>
</div>
</span>
<div><br>
</div>
<div>
<div>[Gonzalo] —> When I talk about choosing the specific
authenticator, I mean a list in preference order, in such a way
that if the MNO or the user doesn’t have one authenticator, the
next one in the list will be chosen. Regarding the MNOs,
they (product) are thinking of specifying what kind of
authenticators the MNO has and which of them they can use. </div>
<div><br>
</div>
<div>I think this is an important point to discuss with GSMA; we
need them to talk with the rest of the operators. Personally I
don’t see this point clearly, and I don’t know whether other MNOs’
product areas are thinking of something similar.</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div>
<div link="blue" vlink="purple" lang="DE">
<div class="WordSection1">
<div>
<p class="MsoNormal"><span style="color:#1F497D"
lang="EN-US"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black" lang="EN-US"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><b><span
style="font-size:10.5pt;color:black">CONTROL OF
ALLOWED AUTHENTICATORS</span></b><span
style="font-size:10.5pt;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black"><o:p> </o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black">Apart from
having different prices according to the
authenticator used, there is another feature that they
want to have, and it consists in having control
of the authenticators that a Service Provider can
use. They see a need to agree on the authenticators
to use during the Service Provider onboarding
process, in such a way that if a Service Provider doesn’t
hire an authenticator it must not be able to use
it. In such a case we would need a scope or
something similar to do it; otherwise we would need
to implement something “ad hoc” in the specific MC
implementation that wants to offer this feature.<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:#1F497D" lang="EN-US">From
what I understand, this could be part of the
SP-specific client policy. So the MNO knows upfront
which authenticators to use/offer for a certain SP.
Why do you see a need for a specific scope value?</span><span
style="font-size:10.5pt;color:black" lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</span>
<div><br>
</div>
<div>[Gonzalo] —> You are right, it is not necessary to do it;
however, it has an impact on the implementation because it is a
check that you have to do in the middle of the authentication
flow. I was thinking about using a new scope as a way to deal
with this use case in a standard way and be able to return a
standard error.</div>
<span id="OLK_SRC_BODY_SECTION">
<div>
<div link="blue" vlink="purple" lang="DE">
<div class="WordSection1">
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black" lang="EN-US"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black">Best,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black">Gonza.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black"><o:p> </o:p></span></p>
</div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="color:black">From: </span></b><span
style="color:black"><Lodderstedt>, Torsten
<<a moz-do-not-send="true"
href="mailto:t.lodderstedt@telekom.de">t.lodderstedt@telekom.de</a>><br>
<b>Date: </b>Thursday, 28 January 2016, 8:08<br>
<b>To: </b>"<a moz-do-not-send="true"
href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a>"
<<a moz-do-not-send="true"
href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a>><br>
<b>Subject: </b>[Openid-specs-mobile-profile]
Preliminary Minutes WG Call 27.1.2016<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black"><o:p> </o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="color:black">Hi all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">please find below the minutes of
today’s call.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">best regards,</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">Torsten.</span><span
style="color:black"><o:p></o:p></span></p>
<div style="border:none;border-bottom:solid windowtext
1.0pt;padding:0cm 0cm 1.0pt 0cm">
<p class="MsoNormal"><span style="color:black"
lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:black"
lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">Participants:</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">John Bradley</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">Nat Sakimura</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">Florian Walter</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">Jörg Connotte</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">Gonzalo Fernandéz</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">Matthieu Verdier</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">Bjorn Hjelm</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">Torsten Lodderstedt</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">Authentication spec</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">- John guided us through the changes
he made in the last revision</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">- The following topics were
discussed:</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">* ACR Values: examples for security
keys and difference between keys and pwd/pin shall
be added</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">* AMR values: add example for amr
values (e.g. SIM Applet+PIN is represented by
“hpop” + “pin”)</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">* short and long form of ACRs: the
short form shall be used by clients; the long form will be
used to register the ACR values in the IANA
registry (by MODRNA WG)</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">* order of acrs gives RP a way to
express its preferences regarding authentication,
i.e. bring ACR values in their preferred order
</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">* we stay with two acr values for
now, we could add the third (or a fourth) value at
any time based on experiences/discussions</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">- how to handle TBDs</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">- 6.1. replace by reference to
respective OpenID Connect Discovery</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">- 7 length of the binding message –
replace by better explanation: message may be
truncated
</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">- Mitigations for new security
vulnerabilities</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">- discussed different options</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">* copy text from oauth spec</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">* reference current oauth spec</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">* recommend to use “code id_token”
instead of “code”</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">* general problem: discussions within
OAuth WG are ongoing and outcome cannot really be
predicted.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">-> Conclusion: will pass spec to
GSMA as is and discuss vulnerabilities and way
forward with GSMA</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">MWC</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">- John, Torsten will attend</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">- Nat will probably attend as well
(as he will be in Paris at that time)</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">- Gonzalo & Matthieu would attend
if we setup a meeting regarding MODRNA</span><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"
lang="EN-US">- Torsten will talk to GSMA</span><span
style="color:black"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span
style="font-size:10.5pt;color:black"><o:p> </o:p></span></p>
<div class="MsoNormal" style="text-align:center"
align="center"><span
style="font-size:10.5pt;color:black">
<hr size="2" width="100%" align="center">
</span></div>
<p class="MsoNormal"><span style="font-size: 7.5pt;
font-family: Arial, sans-serif; color: gray;"><br>
The information contained in this transmission is
privileged and confidential information intended only
for the use of the individual or entity named above.
If the reader of this message is not the intended
recipient, you are hereby notified that any
dissemination, distribution or copying of this
communication is strictly prohibited. If you have
received this transmission in error, do not read it.
Please immediately reply to the sender that you have
received this communication in error and then delete
it.</span><span
style="font-size:10.5pt;color:black"><o:p></o:p></span></p>
</div>
</div>
</div>
</span><br>
<hr>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Openid-specs-mobile-profile mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-mobile-profile@lists.openid.net">Openid-specs-mobile-profile@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile">http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile</a>
</pre>
</blockquote>
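<p>Added example (not code from the thread, the MODRNA draft, or any operator product): one way an MNO's authorization server could walk the RP's <code>acr_values</code> list in the order of preference the minutes mention, enforce the SP-specific client policy Torsten suggests instead of a new scope, and answer his question about an authenticator the MNO does not operate or the user does not hold: that candidate is skipped, the next one in the list is tried, and an error is returned only when nothing is left. The ACR identifiers mod-pr and mod-mf come from the thread; the authenticator names, the table mapping them to ACRs, the <code>ClientPolicy</code> shape, the ordered <code>preferred_authenticators</code> parameter (Gonzalo's proposal, not a parameter in the spec) and the error code string are all assumptions made for this example.</p>

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Constructed table (assumption, not from the spec): authenticators this MNO
# operates, in the MNO's own order of preference, and the profile ACR values
# each one can satisfy. "mod-pr" and "mod-mf" are the two ACRs the thread names;
# the authenticator identifiers are invented for the example.
MNO_AUTHENTICATORS: Dict[str, FrozenSet[str]] = {
    "sim-applet-pin": frozenset({"mod-pr", "mod-mf"}),  # e.g. SIM applet + PIN
    "app-push":       frozenset({"mod-mf"}),
    "sms-otp":        frozenset(),                       # single factor: satisfies neither
}

# Placeholder error code (assumption): the thread asks for "a standard error"
# when no requested ACR can be met but does not name one.
ERR_UNMET = "unmet_authentication_requirements"


@dataclass(frozen=True)
class ClientPolicy:
    """SP-specific policy agreed at onboarding: which authenticators the SP hired."""
    client_id: str
    allowed_authenticators: FrozenSet[str]


@dataclass
class Decision:
    acr: Optional[str] = None
    authenticator: Optional[str] = None
    error: Optional[str] = None
    skipped: List[str] = field(default_factory=list)  # audit trail: why candidates were rejected

    @property
    def ok(self) -> bool:
        return self.error is None

    def skip(self, reason: str) -> None:
        if reason not in self.skipped:
            self.skipped.append(reason)


def select_authenticator(acr_values: str, policy: ClientPolicy,
                         user_enrolled: FrozenSet[str],
                         preferred_authenticators: Optional[List[str]] = None) -> Decision:
    """Pick the first (acr, authenticator) pair acceptable to RP, SP contract, MNO and user.

    acr_values is the OpenID Connect request parameter: space-separated, in the
    RP's order of preference. preferred_authenticators is the hypothetical ordered
    list from Gonzalo's proposal (not a spec parameter); when it is absent the
    MNO's own order from MNO_AUTHENTICATORS is used.
    """
    decision = Decision()
    requested = acr_values.split()
    if not requested:
        decision.error = "invalid_request"
        return decision
    candidates = preferred_authenticators or list(MNO_AUTHENTICATORS)
    for acr in requested:                       # RP preference first ...
        for auth in candidates:                 # ... then authenticator preference
            satisfies = MNO_AUTHENTICATORS.get(auth)
            if satisfies is None:
                decision.skip(f"{auth}: not operated by this MNO")
            elif acr not in satisfies:
                decision.skip(f"{auth}: cannot satisfy {acr}")
            elif auth not in policy.allowed_authenticators:
                decision.skip(f"{auth}: not contracted by {policy.client_id}")
            elif auth not in user_enrolled:
                decision.skip(f"{auth}: user not enrolled")
            else:
                decision.acr, decision.authenticator = acr, auth
                return decision
    decision.error = ERR_UNMET
    return decision


if __name__ == "__main__":
    # Constructed inputs: SP "sp-123" hired the SIM applet and SMS OTP only;
    # the user is enrolled in the SIM applet and the app, but not SMS OTP.
    policy = ClientPolicy("sp-123", frozenset({"sim-applet-pin", "sms-otp"}))
    enrolled = frozenset({"sim-applet-pin", "app-push"})
    print(select_authenticator("mod-pr mod-mf", policy, enrolled))
    print(select_authenticator("mod-mf", policy, enrolled, ["app-push", "sim-applet-pin"]))
    print(select_authenticator("mod-pr", policy, frozenset({"sms-otp"})))
```

<p>The three calls at the bottom show the behaviour the thread argues about: the first is served by the SIM applet at mod-pr; the second skips app-push because sp-123 never contracted it and falls back to the next entry in the RP's list; the third fails with the placeholder error because the only authenticator the user holds satisfies neither ACR. The <code>skipped</code> list is what the MNO would log, and because the authenticator is fixed before the user is challenged it is also the hook for the per-authenticator pricing Gonzalo mentions.</p>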
<br>
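<p>The minutes list "recommend to use 'code id_token' instead of 'code'" as one mitigation option but do not name the vulnerabilities under discussion. The following added example (not from the thread, the MODRNA draft, or any OP implementation) shows what that response type gives a client: the code arrives together with a signed ID token whose <code>c_hash</code> claim binds the code to that token, and whose <code>iss</code>, <code>aud</code> and <code>nonce</code> the client checks before it sends the code to any token endpoint. The checks are the ones OpenID Connect Core 1.0 requires for a 'code id_token' response; the issuer URL, client id, shared secret, code and nonce are constructed values, and the HS256-signed token is minted locally so the example runs offline.</p>

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed values for the example; none of them come from the thread or the spec.
OP_ISSUER = "https://op.example.mno"          # hypothetical MNO OpenID Provider
CLIENT_ID = "sp-123"                          # hypothetical Service Provider client
CLIENT_SECRET = "constructed-shared-secret"   # HS256 key; OIDC allows the client secret here


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def c_hash(code: str) -> str:
    """OIDC Core 3.3.2.11: base64url of the left-most half of the hash of the
    ASCII code, using the hash behind the ID token's alg (SHA-256 for HS256)."""
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])


def mint_id_token(claims: Dict, key: str) -> str:
    """OP side (constructed stand-in): HS256-signed compact JWS carrying the claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode("ascii"))
    payload = _b64url(json.dumps(claims).encode("utf-8"))
    sig = hmac.new(key.encode("utf-8"), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def make_response(code: str, nonce: str, issuer: str = OP_ISSUER, lifetime: int = 300) -> Dict[str, str]:
    """Build the 'code id_token' authorization response an OP would redirect back with."""
    now = int(time.time())
    claims = {"iss": issuer, "sub": "248289761001", "aud": CLIENT_ID,
              "iat": now, "exp": now + lifetime, "nonce": nonce, "c_hash": c_hash(code)}
    return {"code": code, "id_token": mint_id_token(claims, CLIENT_SECRET)}


def verify_code_id_token_response(params: Dict[str, str], expected_iss: str, client_id: str,
                                  expected_nonce: str, key: str) -> Dict:
    """Client side: validate a 'code id_token' response before redeeming the code.

    Returns the verified claims, or raises ValueError naming the failed check.
    """
    code, id_token = params.get("code"), params.get("id_token")
    if not code or not id_token:
        raise ValueError("response lacks code or id_token")
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":              # pin the alg: never accept 'none' or a surprise
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key.encode("utf-8"), f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("iss mismatch: token (and code) come from a different OP")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not include this client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: response not tied to this client session")
    if int(claims.get("exp", 0)) <= time.time():
        raise ValueError("id_token expired")
    got = str(claims.get("c_hash", "")).encode("ascii", "replace")
    if not hmac.compare_digest(got, c_hash(code).encode("ascii")):
        raise ValueError("c_hash mismatch: code does not belong to this id_token")
    return claims


def rejection_reason(params: Dict[str, str], expected_iss: str = OP_ISSUER, client_id: str = CLIENT_ID,
                     expected_nonce: str = "", key: str = CLIENT_SECRET) -> Optional[str]:
    """Convenience wrapper: None when the response verifies, otherwise the failed check's message."""
    try:
        verify_code_id_token_response(params, expected_iss, client_id, expected_nonce, key)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    nonce = "n-0S6_WzA2Mj"                                   # constructed
    resp = make_response("SplxlOBeZQQYbYS6WxSbIA", nonce)    # constructed code
    print(verify_code_id_token_response(resp, OP_ISSUER, CLIENT_ID, nonce, CLIENT_SECRET)["sub"])
    print(rejection_reason(dict(resp, code="some-other-code"), expected_nonce=nonce))
```

<p>With a plain <code>code</code> response the client learns nothing about who issued the code until it has already handed it to a token endpoint; here the signed ID token names the issuer, the audience and the session nonce, and <code>c_hash</code> ties the code to exactly that token, so a code that was swapped or came from a different OP is rejected on the front channel.</p>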
</body>
</html>