<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
p.htmlvorformatiert, li.htmlvorformatiert, div.htmlvorformatiert
{mso-style-name:htmlvorformatiert;
mso-style-priority:99;
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
p.msochpdefault, li.msochpdefault, div.msochpdefault
{mso-style-name:msochpdefault;
mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
p.PrformatHTML, li.PrformatHTML, div.PrformatHTML
{mso-style-name:"Préformaté HTML";
mso-style-link:"Préformaté HTML Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.PrformatHTMLCar
{mso-style-name:"Préformaté HTML Car";
mso-style-priority:99;
mso-style-link:"Préformaté HTML";
font-family:Consolas;}
p.Textedebulles, li.Textedebulles, div.Textedebulles
{mso-style-name:"Texte de bulles";
mso-style-link:"Texte de bulles Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.TextedebullesCar
{mso-style-name:"Texte de bulles Car";
mso-style-priority:99;
mso-style-link:"Texte de bulles";
font-family:"Tahoma","sans-serif";}
span.prformathtmlcar0
{mso-style-name:prformathtmlcar;
font-family:Consolas;}
span.emailstyle19
{mso-style-name:emailstyle19;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.htmlvorformatiertzchn
{mso-style-name:htmlvorformatiertzchn;
font-family:Consolas;}
span.emailstyle22
{mso-style-name:emailstyle22;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.emailstyle24
{mso-style-name:emailstyle24;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.textedebullescar0
{mso-style-name:textedebullescar;
font-family:"Tahoma","sans-serif";}
span.EmailStyle35
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle36
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.TableTextChar
{mso-style-name:"Table Text Char";
mso-style-link:"Table Text";
font-family:"Arial","sans-serif";
mso-fareast-language:DE;}
p.TableText, li.TableText, div.TableText
{mso-style-name:"Table Text";
mso-style-link:"Table Text Char";
margin-top:2.0pt;
margin-right:0cm;
margin-bottom:2.0pt;
margin-left:0cm;
line-height:115%;
font-size:10.0pt;
font-family:"Arial","sans-serif";
mso-fareast-language:DE;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:354578422;
mso-list-type:hybrid;
mso-list-template-ids:-1320790854 134807553 134807555 134807557 134807553 134807555 134807557 134807553 134807555 134807557;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:846015731;
mso-list-type:hybrid;
mso-list-template-ids:134778302 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2
{mso-list-id:2111006191;
mso-list-type:hybrid;
mso-list-template-ids:-1868037294 1963234146 67895299 67895301 67895297 67895299 67895301 67895297 67895299 67895301;}
@list l2:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The question was raised outside of MODRNA whether the user consent must always be collected by the OP associated with the resource server.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The consent could be collected by a trusted service provider.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">It is evident that the resource server must be able to validate the access token and that it should not care how it was created.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The RS does not care about how the consent was collected.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">We have several options how to achieve this.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:18.0pt"><span style="color:#1F497D">1a) The TSP operates its own OP and collects the user consent and creates an access token<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:18.0pt;text-indent:18.0pt"><span style="color:#1F497D">2a) The resource, operated by the MNO, receives this access token, validates it and returns a response containing the results of whatever the resource server
does (e.g. KYC)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span style="color:#1F497D">2b) The TSP presents the access token to the MNO OP and trades it in for a new access token valid at the resource endpoint.<br>
The TSP presents the new access token at the resource and gets a response.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:18.0pt"><span style="color:#1F497D">1b)<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span style="color:#1F497D">I) The TSP requests an access token from the MNO OP using CIBA (clientid and clientsecret) and adds the “evidence of consent” parameter to that request so that the OP refrains
from contacting the user. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">The TSP generated access token should be a JWT utilizing
<a href="https://tools.ietf.org/html/rfc7523">https://tools.ietf.org/html/rfc7523</a>
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">“JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Did I capture the discussion and alternatives or did I miss something?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">This email is intended to move the discussion to MODRNA.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Cheers<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Axel<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="TableText" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo3">
<![if !supportLists]><span style="font-family:"Courier New""><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>The significance of eoc for TSPs providing an evidence for the consent capture was discussed<b><o:p></o:p></b></p>
<p class="TableText" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo3">
<![if !supportLists]><span style="font-family:"Courier New""><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>The eoc is an optional protocol element<b><o:p></o:p></b></p>
<p class="TableText" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo3">
<![if !supportLists]><span style="font-family:"Courier New""><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>The eoc is a signed JWT – signed by the TSP and format is to be discussed<b><o:p></o:p></b></p>
<p class="TableText" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo3">
<![if !supportLists]><span style="font-family:"Courier New""><span style="mso-list:Ignore">o<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>The claims structure of the eoc is suggested to include scopes as well, for which consent has been captured by the TSP<b><o:p></o:p></b></p>
<p class="MsoNormal">It was noted that whilst an SP may be Trusted and eoc may be provided, it is ultimately an MNO business decision as to whether to accept that consent or to override this and capture user consent itself independently or use a business process
to exchange the evidence of consent<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces@lists.openid.net]
<b>On Behalf Of </b>nicolas.aillery@orange.com<br>
<b>Sent:</b> Thursday, December 01, 2016 10:17 AM<br>
<b>To:</b> Lodderstedt, Torsten<br>
<b>Cc:</b> openid-specs-mobile-profile@lists.openid.net<br>
<b>Subject:</b> Re: [Openid-specs-mobile-profile] [UQ API] SMS OTP requirement<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Torsten,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> I see 2 advantages in supporting mechnanisms like SMS OTP in the UQ API:
<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l2 level1 lfo2"><![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D">Offering a unique API to Client<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l2 level1 lfo2"><![if !supportLists]><span style="color:#1F497D"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D">Addressing any user (even those with a very basic phone)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Nicolas<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="FR" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">De :</span></b><span lang="FR" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:Torsten.Lodderstedt@telekom.de">Torsten.Lodderstedt@telekom.de</a> [<a href="mailto:Torsten.Lodderstedt@telekom.de">mailto:Torsten.Lodderstedt@telekom.de</a>]
<br>
<b>Envoyé :</b> jeudi 1 décembre 2016 09:43<br>
<b>À :</b> AILLERY Nicolas IMT/OLPS<br>
<b>Cc :</b> <a href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a>; MARAIS Charles IMT/OLPS; VASSELET Mickaël IMT/OLN; CLEMENT Philippe IMT TECHNO<br>
<b>Objet :</b> RE: [UQ API] SMS OTP requirement<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="FR"><o:p> </o:p></span></p>
<p><span lang="FR">Hi Nicolas,<o:p></o:p></span></p>
<p><span lang="FR">why do you want to reimplement SMS-OTP as it works today? The only difference to SMS-URL is the fact the user needs to transfer the code from the authentication device to the consumption device. Is this seen as security advantage? I see it
as a UX burden.<o:p></o:p></span></p>
<p><span lang="FR">best regards,<o:p></o:p></span></p>
<p><span lang="FR">Torsten. <o:p></o:p></span></p>
<p><span lang="FR">-------- Originale Nachricht --------<o:p></o:p></span></p>
<p><span lang="FR">Betreff: RE: [UQ API] SMS OTP requirement<o:p></o:p></span></p>
<p><span lang="FR">Von: <a href="mailto:nicolas.aillery@orange.com">nicolas.aillery@orange.com</a><o:p></o:p></span></p>
<p><span lang="FR">An: 1. Dez. 2016, 09:24<o:p></o:p></span></p>
<p><span lang="FR">CC: "Lodderstedt, Torsten" <<a href="mailto:Torsten.Lodderstedt@telekom.de">Torsten.Lodderstedt@telekom.de</a>><o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span lang="FR" style="color:#1F497D">Hello Torsten,</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR" style="color:#1F497D"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> It will work for sure (it’s implemented in Orange’s prototype) but it’s not a universal mechanim like SMS OTP.</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> As UQ API is a server-to-server API, if we use SMS OTP, the User has to enter the OTP on the Client side. But, in order to sign the UserStatementToken, the OP must check the code. So, there is a need to convey
the OTP from the Client to the OP.</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> In the Pulled-by-Client flow, the OTP could be conveyed in a polling request. It would be a minor modification.</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> In the Pushed-to-Client flow, there is no such simple way.</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> Therefore, allowing the Client to add an OTP in the polling request (new query param), could be a way to easily handle the SMS OTP use case,</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR" style="color:#1F497D">Regards,</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR" style="color:#1F497D"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR" style="color:#1F497D">Nicolas</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR" style="color:#1F497D"> </span><span lang="FR"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="FR" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">De :</span></b><span lang="FR" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:Torsten.Lodderstedt@telekom.de">Torsten.Lodderstedt@telekom.de</a> [<a href="mailto:Torsten.Lodderstedt@telekom.de">mailto:Torsten.Lodderstedt@telekom.de</a>]
<br>
<b>Envoyé :</b> jeudi 1 décembre 2016 09:09<br>
<b>À :</b> AILLERY Nicolas IMT/OLPS; <a href="mailto:openid-specs-mobile-profile@lists.openid.net">
openid-specs-mobile-profile@lists.openid.net</a><br>
<b>Objet :</b> AW: [UQ API] SMS OTP requirement</span><span lang="FR"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="FR"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="DE" style="color:#1F497D">Hi Nicolas,</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="DE" style="color:#1F497D"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">one question: I think one could implement SMS-based authorization without the need to extend the protocol by sending a SMS containing a URL instead of a TAN code. The user either accepts by clicking on the link
or the link opens a web page, where the question is presented to the user along with the different options to answer it.</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">What do you think?</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Best regards,</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Torsten.</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><span lang="FR"><o:p></o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="DE" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Von:</span></b><span lang="DE" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Openid-specs-mobile-profile [<a href="mailto:openid-specs-mobile-profile-bounces@lists.openid.net">mailto:openid-specs-mobile-profile-bounces@lists.openid.net</a>]
<b>Im Auftrag von </b><a href="mailto:nicolas.aillery@orange.com">nicolas.aillery@orange.com</a><br>
<b>Gesendet:</b> Mittwoch, 30. November 2016 18:15<br>
<b>An:</b> <a href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br>
<b>Betreff:</b> [Openid-specs-mobile-profile] [UQ API] SMS OTP requirement</span><span lang="FR"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="DE"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR">Hello everybody,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR"> <o:p></o:p></span></p>
<p class="MsoNormal"> In User Questioning API draft 3, we removed the Terminated-by-Client flow that handled user interactions like SMS OTP.<span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"> In this flow, the User receives a code to enter on the Client GUI, the client then transmit the code to the OP and the OP check if the code is correct. Note that if the code is checked by the Client, the current draft handles it.<span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"> Within Orange, the requirement for a SMS OTP (verified by the OP) has been mentioned again.<span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"> Have other OIF contributors been challenged for such a requirement?<span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"> <span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR">Nicolas<o:p></o:p></span></p>
<pre><span lang="FR">_________________________________________________________________________________________________________________________<o:p></o:p></span></pre>
<pre><span lang="FR"> <o:p></o:p></span></pre>
<pre><span lang="FR">Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc<o:p></o:p></span></pre>
<pre><span lang="FR">pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler<o:p></o:p></span></pre>
<pre><span lang="FR">a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,<o:p></o:p></span></pre>
<pre><span lang="FR">Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.<o:p></o:p></span></pre>
<pre><span lang="FR"> <o:p></o:p></span></pre>
<pre><span lang="FR">This message and its attachments may contain confidential or privileged information that may be protected by law;<o:p></o:p></span></pre>
<pre><span lang="FR">they should not be distributed, used or copied without authorisation.<o:p></o:p></span></pre>
<pre><span lang="FR">If you have received this email in error, please notify the sender and delete this message and its attachments.<o:p></o:p></span></pre>
<pre><span lang="FR">As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.<o:p></o:p></span></pre>
<pre><span lang="FR">Thank you.<o:p></o:p></span></pre>
</div>
</div>
<pre><span lang="FR">_________________________________________________________________________________________________________________________<o:p></o:p></span></pre>
<pre><span lang="FR"><o:p> </o:p></span></pre>
<pre><span lang="FR">Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc<o:p></o:p></span></pre>
<pre><span lang="FR">pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler<o:p></o:p></span></pre>
<pre><span lang="FR">a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,<o:p></o:p></span></pre>
<pre><span lang="FR">Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.<o:p></o:p></span></pre>
<pre><span lang="FR"><o:p> </o:p></span></pre>
<pre><span lang="FR">This message and its attachments may contain confidential or privileged information that may be protected by law;<o:p></o:p></span></pre>
<pre><span lang="FR">they should not be distributed, used or copied without authorisation.<o:p></o:p></span></pre>
<pre><span lang="FR">If you have received this email in error, please notify the sender and delete this message and its attachments.<o:p></o:p></span></pre>
<pre><span lang="FR">As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.<o:p></o:p></span></pre>
<pre><span lang="FR">Thank you.<o:p></o:p></span></pre>
</div>
<pre><span lang="FR">_________________________________________________________________________________________________________________________<o:p></o:p></span></pre>
<pre><span lang="FR"><o:p> </o:p></span></pre>
<pre><span lang="FR">Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc<o:p></o:p></span></pre>
<pre><span lang="FR">pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler<o:p></o:p></span></pre>
<pre><span lang="FR">a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,<o:p></o:p></span></pre>
<pre><span lang="FR">Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.<o:p></o:p></span></pre>
<pre><span lang="FR"><o:p> </o:p></span></pre>
<pre><span lang="FR">This message and its attachments may contain confidential or privileged information that may be protected by law;<o:p></o:p></span></pre>
<pre><span lang="FR">they should not be distributed, used or copied without authorisation.<o:p></o:p></span></pre>
<pre><span lang="FR">If you have received this email in error, please notify the sender and delete this message and its attachments.<o:p></o:p></span></pre>
<pre><span lang="FR">As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.<o:p></o:p></span></pre>
<pre><span lang="FR">Thank you.<o:p></o:p></span></pre>
</div>
</body>
</html>