<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"Préformaté HTML Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Texte de bulles Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.PrformatHTMLCar
{mso-style-name:"Préformaté HTML Car";
mso-style-priority:99;
mso-style-link:"Préformaté HTML";
font-family:Consolas;}
p.emailquote, li.emailquote, div.emailquote
{mso-style-name:emailquote;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:1.0pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Arial","sans-serif";
color:#1F497D;
font-weight:normal;
font-style:normal;}
p.HTMLPreformatted, li.HTMLPreformatted, div.HTMLPreformatted
{mso-style-name:"HTML Preformatted";
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.TextedebullesCar
{mso-style-name:"Texte de bulles Car";
mso-style-priority:99;
mso-style-link:"Texte de bulles";
font-family:"Tahoma","sans-serif";}
span.EmailStyle27
{mso-style-type:personal-reply;
font-family:"Arial","sans-serif";
color:#1F497D;
font-weight:normal;
font-style:normal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="FR" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">Hi James,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">Thanks for your prompt feedback. I see the points. My concern was mainly to avoid additional interactions of the user with the MNO to explain the
migration, and maybe we could consider that the double authentication is necessary for privacy and authorizations from the user, and that it is made only one time.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">For your last question, Torsten should have the possibility to insert your docs into the
<a href="https://bitbucket.org/openid/mobile/src">https://bitbucket.org/openid/mobile/src</a> section of MODRNA<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">Philippe<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">De :</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Manger, James [mailto:James.H.Manger@team.telstra.com]
<br>
<b>Envoyé :</b> mardi 23 août 2016 14:59<br>
<b>À :</b> CLEMENT Philippe IMT TECHNO; openid-specs-mobile-profile@lists.openid.net<br>
<b>Cc :</b> philippe.clement.ft@gmail.com<br>
<b>Objet :</b> RE: [Openid-specs-mobile-profile] Preliminary minutes of MODRNA WG Call on August 10th 2016<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">Hi Philippe,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">My alternative porting proposal is quite different from the flow you list. See my
<a href="http://lists.openid.net/pipermail/openid-specs-mobile-profile/Week-of-Mon-20160815/000512.html">
16 Aug email</a> and <a href="http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20160816/17846b84/attachment-0003.html">
attached draft spec</a>. It involves OP2 getting per-RP porting info from OP1, including it when the user next logs into the RP (this time via OP2), and the RP confirming the port with an API call to OP1.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">A useful feature of your flow below is that it considers the cached info an RP has about a user’s old OP (OP1) and how
this interacts with the porting process. Neither draft-account-porting-00 (mine) nor draft-account-migration-02 (Torsten’s) consider that; they silently assume that authentication with OP2 occurs after any error from being “mistakenly” redirected to OP1 after
the port.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">I don’t think the flow below works.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">At step 8 OP1 hasn’t authenticated the user so it cannot send the RP “all the necessary subject values”.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">Even if OP1 does authenticate the user at step 8, this flow isn’t great as it requires the user to login to OP1 (at
step 8) and login to OP2 (at step 11) for every RP. The main value of a porting process was to leverage a single dual-login event to be able to inform every RP; not to have to repeat a dual-login for every RP.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">The flow doesn’t seem to work when the RP no longer has a cached secure hint for a user (eg cleared cookies or new device).
The RP starts with discovery (step 9) so it never learns about OP1.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">P.S. Can I (or someone else) upload draft-account-porting-00 to the group’s bitbucket so it can be viewed properly,
instead of seeing the raw HTML that the email archive delivers?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">--<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US">James Manger<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri","sans-serif"">
<a href="mailto:philippe.clement@orange.com">philippe.clement@orange.com</a> [<a href="mailto:philippe.clement@orange.com">mailto:philippe.clement@orange.com</a>]
<br>
<b>Sent:</b> Tuesday, 23 August 2016 7:21 PM<br>
<b>To:</b> <a href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a>; Manger, James <<a href="mailto:James.H.Manger@team.telstra.com">James.H.Manger@team.telstra.com</a>><br>
<b>Cc:</b> <a href="mailto:Torsten.Lodderstedt@telekom.de">Torsten.Lodderstedt@telekom.de</a>;
<a href="mailto:philippe.clement.ft@gmail.com">philippe.clement.ft@gmail.com</a><br>
<b>Subject:</b> RE: [Openid-specs-mobile-profile] Preliminary minutes of MODRNA WG Call on August 10th 2016<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-AU"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">Dear all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">Back from vacations today …<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">James: regarding the alternative on Account Migration, it seems to me that this has something to do with the proposal of an alternative flow that
I presented on July 26<sup>th</sup> on the list (copy below). Could you confirm ?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">Best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">Philippe<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-bottom:solid windowtext 1.5pt;padding:0cm 0cm 1.0pt 0cm">
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">Prerequisite:
<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">1-</span><span lang="EN-US" style="font-size:7.0pt;color:#1F497D">
</span><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">User had an account on a previous MNO (OP1)<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">2-</span><span lang="EN-US" style="font-size:7.0pt;color:#1F497D">
</span><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">User’s account on OP1 is closed<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">3-</span><span lang="EN-US" style="font-size:7.0pt;color:#1F497D">
</span><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">User has an account on a new MNO (OP2)<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">4-</span><span lang="EN-US" style="font-size:7.0pt;color:#1F497D">
</span><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">Eventually, OP1 knows that user has migrated to OP2<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">5-</span><span lang="EN-US" style="font-size:7.0pt;color:#1F497D">
</span><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">RP knows former MNO (OP1)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">Use Case:<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">6-</span><span lang="EN-US" style="font-size:7.0pt;color:#1F497D">
</span><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">User visits his usual RP and starts authentication to access the service<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">7-</span><span lang="EN-US" style="font-size:7.0pt;color:#1F497D">
</span><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">RP starts the OIDC flow with OP1 with usual secured hints regarding the user<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">8-</span><span lang="EN-US" style="font-size:7.0pt;color:#1F497D">
</span><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">OP1 answer’s with an error code “account migrated” and sends back to the RP all the necessary subject values. If OP1 knows what OP user has migrated to, it is
inserted in the answer<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">9-</span><span lang="EN-US" style="font-size:7.0pt;color:#1F497D">
</span><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">RP interacts with the user to get his new OP (discovery process), unless RP already knows what OP user has migrated to.<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">10-</span><span lang="EN-US" style="font-size:7.0pt;color:#1F497D">
</span><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">RP starts the authentication process with OP2<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">11-</span><span lang="EN-US" style="font-size:7.0pt;color:#1F497D">
</span><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">According to the success of authentication on OP2, RP migrates subject values for his RP’s account<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">This Use case would take place in one shot, at the moment where user needs to authenticate at RP to get the service, so it would be very efficient
in terms of migration<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">It minimizes the situation of cascading OPs
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">It avoids to install a dialog between OP1 and OP2 and privacy concerns regarding transfer of personal information from OP1 to OP2.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">Then it avoids some situations where user will not start the migration process by accessing a specific service to be developped on OP2.<o:p></o:p></span></p>
<div style="border:none;border-bottom:solid windowtext 1.5pt;padding:0cm 0cm 1.0pt 0cm">
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D">It avoids limitations in Authorization Grant lifetime.<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">De :</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Openid-specs-mobile-profile [<a href="mailto:openid-specs-mobile-profile-bounces@lists.openid.net">mailto:openid-specs-mobile-profile-bounces@lists.openid.net</a>]
<b>De la part de</b> <a href="mailto:Torsten.Lodderstedt@telekom.de">Torsten.Lodderstedt@telekom.de</a><br>
<b>Envoyé :</b> jeudi 11 août 2016 12:16<br>
<b>À :</b> <a href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br>
<b>Objet :</b> [Openid-specs-mobile-profile] Preliminary minutes of MODRNA WG Call on August 10th 2016<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-indent:-18.0pt">
<span style="font-size:10.0pt;font-family:Symbol">·</span><span style="font-size:7.0pt">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">…</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-indent:-18.0pt">
<span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">2.</span><span style="font-size:7.0pt">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Account migration
<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-indent:-18.0pt">
<span style="font-size:10.0pt;font-family:Symbol">·</span><span style="font-size:7.0pt">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">James Manger explained an alternative proposal for handling of migration data. The basic idea is to instead of transferring it via a signed JWT, the old OP exposes an endpoint where the
RP can directly call and determine whether and where a particular account has been migrated to<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-indent:-18.0pt">
<span style="font-size:10.0pt;font-family:Symbol">·</span><span style="font-size:7.0pt">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">The RP should be able to authenticate with the old OP since it is a RP of this OP as well (since it uses the old OP for logins)<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-indent:-18.0pt">
<span style="font-size:10.0pt;font-family:Symbol">·</span><span style="font-size:7.0pt">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">pro: no issue regarding signing key expiration<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;text-indent:-18.0pt">
<span style="font-size:10.0pt;font-family:Symbol">·</span><span style="font-size:7.0pt">
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">James will post a more detailed description on the list so we can have a discussion of which way to go<o:p></o:p></span></p>
<pre><o:p> </o:p></pre>
</div>
<PRE>_________________________________________________________________________________________________________________________
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
</PRE></body>
</html>