<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style>
<!--
@font-face
{font-family:"Cambria Math"}
@font-face
{font-family:Calibri}
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline}
p
{margin-right:0cm;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif}
pre
{margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New"}
span.HTMLPreformattedChar
{font-family:"Courier New"}
p.msonormal0, li.msonormal0, div.msonormal0
{margin-right:0cm;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif}
span.m2097250357939078632st
{}
span.EmailStyle22
{font-family:"Calibri",sans-serif;
color:#1F497D}
span.EmailStyle23
{font-family:"Calibri",sans-serif;
color:#1F497D}
span.EmailStyle24
{font-family:"Calibri",sans-serif;
color:#1F497D}
span.EmailStyle25
{font-family:"Calibri",sans-serif;
color:#1F497D}
.MsoChpDefault
{font-size:10.0pt}
@page WordSection1
{margin:70.85pt 70.85pt 2.0cm 70.85pt}
div.WordSection1
{}
-->
</style>
</head>
<body lang="DE" link="blue" vlink="purple">
<div dir="auto" style="direction:ltr; margin:0; padding:0; font-family:sans-serif; font-size:11pt; color:black; background-color:white">
What is missing is the rationale for OPs not following redirects. There shouldn't be any security issue, as long as redirects are to HTTPS.<br>
<br>
</div>
<div dir="auto" style="direction:ltr; margin:0; padding:0; font-family:sans-serif; font-size:11pt; color:black; background-color:white">
If there is a real risk, then explain it and say OPs MUST NOT follow redirects.<br>
<br>
</div>
<div dir="auto" style="direction:ltr; margin:0; padding:0; font-family:sans-serif; font-size:11pt; color:black; background-color:white">
If it is a reasonable policy by some OPs to minimise what they support to minimise attack surface, say Clients SHOULD NOT return redirects.<br>
<br>
</div>
<div dir="auto" style="direction:ltr; margin:0; padding:0; font-family:sans-serif; font-size:11pt; color:black; background-color:white">
If it is OPs trying to avoid some effort, then drop the whole line. Expect OPs to support normal HTTP, which includes supporting redirects.<br>
<br>
</div>
<div dir="auto" style="direction:ltr; margin:0; padding:0; font-family:sans-serif; font-size:11pt; color:black; background-color:white">
<div dir="auto" style="direction:ltr; margin:0; padding:0; font-family:sans-serif; font-size:11pt; color:black; background-color:white">
--<br>
</div>
<div dir="auto" style="direction:ltr; margin:0; padding:0; font-family:sans-serif; font-size:11pt; color:black; background-color:white">
James Manger</div>
<br>
</div>
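<div dir="auto" style="direction:ltr; margin:0; padding:0; font-family:sans-serif; font-size:11pt; color:black; background-color:white">
Added example, not part of any message in this thread and not code from the CIBA draft: a Python OP-side sender for the Client Notification Endpoint that implements the status-code handling the thread is debating (accept 204 and 200 and ignore any body, report a 3xx instead of following it, leave 4xx/5xx for administrative action), run against a local stub endpoint. The stub paths, the payload field names and the token values are constructed for the demo, and the stub speaks plain HTTP on loopback where a real endpoint is an https:// URL.<br>
</div>

```python
"""Added example, not text from this thread or from the CIBA draft: an
OP-side sender for the Client Notification Endpoint that applies the
status-code rules under discussion (accept 204 and 200 and ignore any body,
do not follow 3xx, leave 4xx/5xx for administrative action), exercised
against a local stub endpoint. Paths, payload and token values are
constructed for the demo."""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed sample notification; the field names are assumptions for the demo.
NOTIFICATION = {
    "auth_req_id": "demo-auth-req-1",
    "access_token": "demo-access-token",
    "token_type": "Bearer",
    "expires_in": 120,
}


def notify(endpoint_url, payload, client_notification_token):
    """POST the notification once and classify the response.

    Returns (outcome, status). http.client never follows redirects on its
    own, so a 3xx is reported back rather than acted on. The demo talks
    plain HTTP to a loopback stub; a real endpoint is an https:// URL.
    """
    u = urlsplit(endpoint_url)
    conn_cls = (http.client.HTTPSConnection if u.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(u.hostname, u.port, timeout=5)
    try:
        conn.request("POST", u.path or "/", body=json.dumps(payload).encode(),
                     headers={"Authorization": "Bearer " + client_notification_token,
                              "Content-Type": "application/json"})
        resp = conn.getresponse()
        resp.read()  # drain the body, whatever it is, and ignore it
        status = resp.status
    finally:
        conn.close()
    if status in (200, 204):
        return "delivered", status
    if 300 <= status < 400:
        return "redirect_not_followed", status
    return "failed_needs_admin", status


class StubClientNotificationEndpoint(BaseHTTPRequestHandler):
    """Constructed stand-in for a Client's notification endpoint.

    The request path selects the reply so each rule can be exercised.
    Every POST received is recorded, which shows that the redirect target
    is never contacted."""
    received = []

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        self.received.append((self.path, self.rfile.read(length)))
        if self.path == "/ok-204":
            self.send_response(204)
            self.end_headers()
        elif self.path == "/ok-200":
            body = b'{"note": "this body must be ignored"}'
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif self.path == "/moved":
            self.send_response(307)  # a redirect-following client would repeat the POST here
            self.send_header("Location", "/ok-204")
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self.send_response(500)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_demo():
    """Send one notification to each stub path; return the outcomes and the
    list of paths the stub actually saw."""
    StubClientNotificationEndpoint.received.clear()
    server = HTTPServer(("127.0.0.1", 0), StubClientNotificationEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    results = {}
    try:
        for path in ("/ok-204", "/ok-200", "/moved", "/broken"):
            results[path] = notify(base + path, NOTIFICATION, "demo-client-notification-token")
    finally:
        server.shutdown()
        server.server_close()
    return results, [p for p, _ in StubClientNotificationEndpoint.received]


if __name__ == "__main__":
    for path, outcome in run_demo()[0].items():
        print(path, outcome)
```

<div dir="auto" style="direction:ltr; margin:0; padding:0; font-family:sans-serif; font-size:11pt; color:black; background-color:white">
The list of paths the stub saw is the useful check: after the 307 reply the target /ok-204 is not contacted a second time, so the payload goes only to the URL the Client registered. An OP built on a library that follows redirects by default would have to turn that off to get the same behaviour.<br>
</div>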
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Axel.Nennker@telekom.de &lt;Axel.Nennker@telekom.de&gt;<br>
<b>Sent:</b> Wednesday, June 7, 2017 6:23:55 PM<br>
<b>To:</b> Manger, James; openid-specs-mobile-profile@lists.openid.net<br>
<b>Subject:</b> RE: [Openid-specs-mobile-profile] CIBA New text regarding HTTP status code during Client Notification.</font>
<div> </div>
</div>
<div>
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D">How about:</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D"><a href="https://bitbucket.org/openid/mobile/commits/6f5c9035ca46d657ce75be1cf87f64a8ef7dc112">https://bitbucket.org/openid/mobile/commits/6f5c9035ca46d657ce75be1cf87f64a8ef7dc112</a></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New""> <t></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New""> The Client Notification Endpoint SHOULD response with a HTTP 204 No Content.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">- The OP SHOULD accept HTTP 200 OK and any body in the response SHOULD be ignored.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ The OP SHOULD also accept HTTP 200 OK and any body in the response SHOULD be ignored.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New""> </t></span></p>
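Review bot: the first line of this hunk still reads "SHOULD response with a HTTP 204 No Content"; it should be "SHOULD respond with HTTP 204 No Content" (verb form, and no article before the status code), which the tweak in the earlier reply already had. The added "also" on the 200 OK line is an improvement; "and any body in the response SHOULD be ignored" could simply be "ignoring any response body", since ignoring the body is part of accepting a 200 rather than a second requirement.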
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New""> <t></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">- The SHOULD HTTP 3xx .</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">- .</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ The Client SHOULD NOT return an HTTP 3xx code. The OP SHOULD NOT follow redirects.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">
</span><span style="font-size:10.0pt; font-family:"Courier New""></t></span></p>
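Review bot: "The OP SHOULD NOT follow redirects" is stated without a rationale, so a reader cannot tell whether it is a security requirement (in which case MUST NOT is the right strength and the risk should be named) or a simplification OPs are permitted to make. If the concern is what following a redirect does with the notification request, for example that a 307 or 308 makes the OP repeat the POST, payload included, to whatever host the Location header names, write that down; otherwise the sentence reads as an arbitrary restriction. Also keep the subject consistent: the previous paragraph talks about the Client Notification Endpoint, this one about "the Client".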
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D">//Axel</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D"> </span></p>
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri",sans-serif"> Manger, James [mailto:James.H.Manger@team.telstra.com]
<br>
<b>Sent:</b> Wednesday, 7 June 2017 09:58<br>
<b>To:</b> Nennker, Axel &lt;Axel.Nennker@telekom.de&gt;; openid-specs-mobile-profile@lists.openid.net<br>
<b>Subject:</b> RE: [Openid-specs-mobile-profile] CIBA New text regarding HTTP status code during Client Notification.</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D">Suggest tweaks:</span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ <t></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ The Client Notification Endpoint SHOULD respon<span style="color:red">d</span> with HTTP 204 No Content.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ The OP SHOULD
<span style="color:red">also </span>accept HTTP 200 OK, ignoring any response body.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ </t></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ <t></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ The
<span style="color:red">Client SHOULD NOT return an HTTP 3xx code as </span>the OP
<span style="color:red">might not </span>follow redirects.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ </t></span></p>
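Review bot: "as the OP might not follow redirects" pairs a normative SHOULD NOT on the Client with a non-normative statement about the OP, which leaves OP behaviour unspecified: an OP that follows redirects and one that does not are both conformant, and a Client can rely on neither. Either say what the OP does ("The OP SHOULD NOT follow redirects") or state the reason a Client returning 3xx is a problem.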
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ <t></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ How the OP handles HTTP error codes in the ranges of 4xx and 5xx is out-of-range of this specification.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ Administrative action is like to be needed in these cases.</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Courier New"">+ </t></span></p>
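Review bot: "out-of-range of this specification" should be "out of scope for this specification", and "is like to be needed" should be "is likely to be needed" (the same typo is in the earlier draft). Declaring 4xx/5xx handling out of scope and then prescribing "Administrative action" in the next sentence is slightly contradictory; if the intent is that the OP treats these codes as a failed delivery and does not keep retrying, say so, since the text currently says nothing about retries.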
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D">--</span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D">James Manger</span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D"> </span></p>
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt; font-family:"Calibri",sans-serif"> Openid-specs-mobile-profile [<a href="mailto:openid-specs-mobile-profile-bounces@lists.openid.net">mailto:openid-specs-mobile-profile-bounces@lists.openid.net</a>]
<b>On Behalf Of </b><a href="mailto:Axel.Nennker@telekom.de">Axel.Nennker@telekom.de</a><br>
<b>Sent:</b> Wednesday, 7 June 2017 5:45 PM<br>
<b>To:</b> <a href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br>
<b>Subject:</b> [Openid-specs-mobile-profile] CIBA New text regarding HTTP status code during Client Notification.</span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-AU"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D">Hi all,</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D">please see:
</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D"><a href="https://bitbucket.org/openid/mobile/commits/b33dba96dc99eeee001c8b6bf424dc193886229f?at=default">https://bitbucket.org/openid/mobile/commits/b33dba96dc99eeee001c8b6bf424dc193886229f?at=default</a></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D"> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ <t></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ The Client Notification Endpoint SHOULD response with a HTTP 204 No Content.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ The OP SHOULD accept HTTP 200 OK and any body in the response SHOULD be ignored.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ </t></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ <t></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ The OP SHOULD not follow redirects. HTTP 3xx codes SHOULD be ignored.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ Administrative action is like to be needed.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ </t></span></p>
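Review bot: "SHOULD not" mixes an RFC 2119 keyword with a lowercase "not"; write "SHOULD NOT". "HTTP 3xx codes SHOULD be ignored" is ambiguous: ignored as a successful delivery, or as a failure that calls for the administrative action the next line mentions? Say which, since the 204/200 paragraph above defines success and the 4xx/5xx paragraph below defines failure.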
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ <t></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ How the OP handles HTTP error codes in the ranges of 4xx and 5xx is out-of-range of this specification.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt; font-family:"Courier New"">+ Administrative action is like to be needed in these cases.</span></p>
<p class="MsoNormal"><span style="font-size:10.0pt; font-family:"Courier New"">+ </t></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D">Cheers</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D">Axel</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D"><a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#issuing_successful_token">https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#issuing_successful_token</a></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D"> </span></p>
</div>
</div>
</body>
</html>