<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
h3
{mso-style-priority:9;
mso-style-link:"Heading 3 Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;
font-weight:normal;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma",sans-serif;
mso-fareast-language:EN-US;}
span.Heading3Char
{mso-style-name:"Heading 3 Char";
mso-style-priority:9;
mso-style-link:"Heading 3";
font-family:"Times New Roman",serif;
mso-fareast-language:DE;
font-weight:bold;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Segoe UI",sans-serif;
mso-fareast-language:EN-US;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.Titre3, li.Titre3, div.Titre3
{mso-style-name:"Titre 3";
mso-style-link:"Titre 3 Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
span.Titre3Car
{mso-style-name:"Titre 3 Car";
mso-style-priority:9;
mso-style-link:"Titre 3";
font-family:"Cambria",serif;
color:#4F81BD;
mso-fareast-language:EN-US;
font-weight:bold;}
p.Textebrut, li.Textebrut, div.Textebrut
{mso-style-name:"Texte brut";
mso-style-link:"Texte brut Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
span.TextebrutCar
{mso-style-name:"Texte brut Car";
mso-style-priority:99;
mso-style-link:"Texte brut";
font-family:Consolas;
mso-fareast-language:EN-US;}
span.EmailStyle27
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle28
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
p.Textedebulles, li.Textedebulles, div.Textedebulles
{mso-style-name:"Texte de bulles";
mso-style-link:"Texte de bulles Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
span.TextedebullesCar
{mso-style-name:"Texte de bulles Car";
mso-style-priority:99;
mso-style-link:"Texte de bulles";
font-family:"Tahoma",sans-serif;
mso-fareast-language:EN-US;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
mso-fareast-language:EN-US;}
span.EmailStyle33
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-AU" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">That pseudo-code is dangerous. We definitely do NOT want to hash the raw client.jwks_uri or client.notification_uri. We need to hash the domain name from these URIs. That allows the app owner to later specify
a sector_identifier_uri (in the same domain) if they are deploying a related app (on a different domain) that needs to recognize the same users.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">CIBA cannot say “Sector Identifier Validation at registration time is out-of-scope”, as in section 4 “Pairwise identifiers” of the “24 Mai” version. It must be in-scope because CIBA is adding new rules that jwks_uri
and/or notification_uri needs to be listed in the content at sector_identifier_uri.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Mandating that CIBA clients have registered a sector_identifier_uri is reasonable.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">We should also mandate (or at least very strongly recommend) that sector_identifier_uri has a specific path, such as
<a href="https://%3csector_id%3e/.well-known/openid/apps.json">https://&lt;sector_id&gt;/.well-known/openid/apps.json</a>. Otherwise an attacker can pretend to have a given sector_id by finding/creating a resource (or redirect) anywhere on
<a href="https://%3csector_id%3e/">https://&lt;sector_id&gt;/</a> that returns a JSON array with the attacker’s URI.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">--<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">James Manger<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
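<p class="MsoNormal">Added example, not part of the original thread or of the CIBA draft: a Python sketch of the derivation argued for in the message above, which hashes the host of a validated sector_identifier_uri instead of the raw jwks_uri or notification_uri used in the pseudo-code quoted further down. The function names, sample URIs and salt are constructed, and the fixed path is the one suggested in the message above, not a registered well-known URI.</p>

```python
import hashlib
import json
from urllib.parse import urlsplit

# Fixed path suggested in the message above (a proposal, not a registered well-known URI).
WELL_KNOWN_PATH = "/.well-known/openid/apps.json"


def sector_identifier(sector_identifier_uri, listed_json, client_uris):
    """Validate a registration and return the sector identifier (the host) to hash.

    listed_json is the body the OP already fetched from sector_identifier_uri;
    client_uris are the client's jwks_uri and/or notification_uri.
    """
    parts = urlsplit(sector_identifier_uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("sector_identifier_uri must be an https URL")
    if parts.path != WELL_KNOWN_PATH or parts.query or parts.fragment:
        # Any other resource on the host (upload, redirect, ...) is refused.
        raise ValueError("sector_identifier_uri must use the fixed path")
    listed = json.loads(listed_json)
    if not isinstance(listed, list) or not all(isinstance(u, str) for u in listed):
        raise ValueError("sector identifier document must be a JSON array of URIs")
    missing = [u for u in client_uris if u not in listed]
    if missing:
        raise ValueError("not listed at sector_identifier_uri: %s" % missing)
    return parts.hostname  # urlsplit already lower-cases the host


def pairwise_sub(sector_id, local_account_id, salt):
    """sub = SHA-256 ( sector_identifier || local_account_id || salt )."""
    data = sector_id.encode() + local_account_id.encode() + salt
    return hashlib.sha256(data).hexdigest()


def rejects(sector_identifier_uri, listed_json, client_uris):
    """True when validation refuses the registration."""
    try:
        sector_identifier(sector_identifier_uri, listed_json, client_uris)
    except ValueError:
        return True
    return False


# Constructed sample data: one owner, two related apps on different domains.
SALT = b"constructed-op-salt"
SECTOR_URI = "https://example.com/.well-known/openid/apps.json"
DOC = json.dumps([
    "https://app.example.com/jwks.json",
    "https://shop.example.net/ciba/notify",
])


def demo():
    # Both apps resolve to the same sector identifier, so the user keeps one sub.
    sid_a = sector_identifier(SECTOR_URI, DOC, ["https://app.example.com/jwks.json"])
    sid_b = sector_identifier(SECTOR_URI, DOC, ["https://shop.example.net/ciba/notify"])
    same_user = pairwise_sub(sid_a, "alice", SALT) == pairwise_sub(sid_b, "alice", SALT)
    # Hashing the raw URI, as in the quoted pseudo-code: moving the JWKS document
    # to a new path silently gives the same user a different sub.
    raw_old = pairwise_sub("https://app.example.com/jwks.json", "alice", SALT)
    raw_new = pairwise_sub("https://app.example.com/keys/v2.json", "alice", SALT)
    return sid_a, same_user, raw_old != raw_new


if __name__ == "__main__":
    print(demo())
    print(rejects("https://example.com/uploads/list.json", DOC, []))
```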
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="mso-fareast-language:EN-AU">From:</span></b><span lang="EN-US" style="mso-fareast-language:EN-AU"> Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces@lists.openid.net]
<b>On Behalf Of </b>nicolas.aillery@orange.com<br>
<b>Sent:</b> Wednesday, 24 May 2017 7:41 PM<br>
<b>To:</b> Axel.Nennker@telekom.de<br>
<b>Cc:</b> openid-specs-mobile-profile@lists.openid.net<br>
<b>Subject:</b> Re: [Openid-specs-mobile-profile] Issue #52: CIBA Pairwise Identifiers Structuring Text (openid/mobile)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="FR" style="color:#1F497D">Hello Axel,</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR" style="color:#1F497D"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> I agree with mandatory sector_identifier_uri when using CIBA.</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">There is also a need to add security in the section “5. "sector_identifier_uri" Validation” of OpenID.Registration, if we want to prevent the spoofing of sector_identifier_uri by a malicious
Client.</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Regards,</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Nicolas</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="FR"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="FR" style="font-size:10.0pt;font-family:"Tahoma",sans-serif;mso-fareast-language:FR">From:</span></b><span lang="FR" style="font-size:10.0pt;font-family:"Tahoma",sans-serif;mso-fareast-language:FR"> Openid-specs-mobile-profile
[<a href="mailto:openid-specs-mobile-profile-bounces@lists.openid.net">mailto:openid-specs-mobile-profile-bounces@lists.openid.net</a>]
<b>On Behalf Of</b> <a href="mailto:Axel.Nennker@telekom.de">Axel.Nennker@telekom.de</a><br>
<b>Sent:</b> Wednesday, 24 May 2017 11:31<br>
<b>To:</b> <a href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-mobile-profile] Issue #52: CIBA Pairwise Identifiers Structuring Text (openid/mobile)</span><span lang="FR"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="FR"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">A CIBA spec mandating sector_identifier_uri if the OP uses Pairwise Identifiers is here:</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"><a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.1.1">https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.1.1</a></span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">WDYT?</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">//Axel</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><span lang="FR"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="mso-fareast-language:DE">From:</span></b><span lang="EN-US" style="mso-fareast-language:DE"> Openid-specs-mobile-profile [<a href="mailto:openid-specs-mobile-profile-bounces@lists.openid.net">mailto:openid-specs-mobile-profile-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Nennker, Axel<br>
<b>Sent:</b> Wednesday, 24 May 2017 10:06<br>
<b>To:</b> <a href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-mobile-profile] Issue #52: CIBA Pairwise Identifiers Structuring Text (openid/mobile)</span><span lang="FR"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="DE"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="DE">Hi all,</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="DE"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">I created <a href="https://bitbucket.org/openid/mobile/issues/52/ciba-pairwise-identifiers-structuring-text">
https://bitbucket.org/openid/mobile/issues/52/ciba-pairwise-identifiers-structuring-text</a> to keep track of this.</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">In pseudo code the calculation of sub could look like this:</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">// Client is authenticated at this point</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">if (client.sector_identifier) then</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;// if we have a registered client identifier then use it</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;sub = SHA-256 ( client.sector_identifier || local_account_id || salt );</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">else</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;// need to determine sector_identifier to use as none is registered for this Client</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;if (request_object && client.jwks_uri) then</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;&nbsp;&nbsp;// request object signature is valid and key from client.jwks_uri was used to sign it</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;&nbsp;&nbsp;sub = SHA-256 ( client.jwks_uri || local_account_id || salt );</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;else</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;&nbsp;&nbsp;// no registered sector_identifier, no request_object</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;&nbsp;&nbsp;if (client.notification_uri) then</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// not polling but notification mode</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sub = SHA-256 ( client.notification_uri || local_account_id || salt );</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;&nbsp;&nbsp;else</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;// polling mode but no sector_identifier registered</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;response.setError("invalid_request");</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;logError("invalid_request", "no sector identifier for %s", client.id);</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return;</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;&nbsp;&nbsp;endif</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">&nbsp;&nbsp;endif</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">endif</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New"">// have sub that is a pairwise identifier here</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><b><span lang="EN-US">Having said all that I currently tend to change the spec to say:</span></b><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><b><span lang="EN-US">“In CIBA the Client MUST specify the sector_identifier_uri at registration time if the OP uses Pairwise Identifiers which is strongly recommended”.</span></b><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Should we make sector_identifier_uri mandatory for CIBA and cull all other Pairwise Identifier text?</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Cheers</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Axel</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span lang="EN-US" style="font-size:13.5pt;font-family:"Times New Roman",serif;mso-fareast-language:DE">Pairwise Identifier Algorithm</span></b><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><a href="https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg">https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg</a></span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"> </span><span lang="FR"><o:p></o:p></span></p>
<h3 style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span lang="EN-US" style="font-size:13.5pt;font-family:"Times New Roman",serif;mso-fareast-language:EN-AU">"sector_identifier_uri" Validation</span></b><b><span lang="FR" style="font-size:13.5pt;font-family:"Times New Roman",serif;mso-fareast-language:EN-AU"><o:p></o:p></span></b></h3>
<p class="MsoPlainText"><span lang="EN-US"><a href="https://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation">https://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation</a>
</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="mso-fareast-language:DE">-----Original Message-----<br>
From: Openid-specs-mobile-profile [<a href="mailto:openid-specs-mobile-profile-bounces@lists.openid.net">mailto:openid-specs-mobile-profile-bounces@lists.openid.net</a>] On Behalf Of Axel Nennker<br>
Sent: Tuesday, 23 May 2017 15:33<br>
To: <a href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br>
Subject: [Openid-specs-mobile-profile] Issue #52: CIBA Pairwise Identifiers Structuring Text (openid/mobile)</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">New issue 52: CIBA Pairwise Identifiers Structuring Text
</span><span lang="DE"><a href="https://bitbucket.org/openid/mobile/issues/52/ciba-pairwise-identifiers-structuring-text"><span lang="EN-US" style="color:windowtext;text-decoration:none">https://bitbucket.org/openid/mobile/issues/52/ciba-pairwise-identifiers-structuring-text</span></a></span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="DE">Axel Nennker:</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="DE"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="DE">Should the text regarding Pairwise Identifiers be in its own section or should it stay in the sections on polling and notification?</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="DE"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Polling: </span><span lang="DE"><a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.1.1"><span lang="EN-US" style="color:windowtext;text-decoration:none">https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.1.1</span></a></span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Notification: </span><span lang="DE"><a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.3.3"><span lang="EN-US" style="color:windowtext;text-decoration:none">https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.3.3</span></a></span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="DE">References to other specs:</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Core: </span><span lang="DE"><a href="https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg"><span lang="EN-US" style="color:windowtext;text-decoration:none">https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg</span></a></span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Validation of sector_identifier: </span>
<span lang="DE"><a href="https://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation"><span lang="EN-US" style="color:windowtext;text-decoration:none">https://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation</span></a></span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="DE">Axel</span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="DE"> </span><span lang="FR"><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="DE">Responsible: ignisvulpis</span><span lang="FR"><o:p></o:p></span></p>
</div>
</body>
</html>