<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.msonormal00, li.msonormal00, div.msonormal00
{mso-style-name:msonormal0;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.msochpdefault, li.msochpdefault, div.msochpdefault
{mso-style-name:msochpdefault;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:10.0pt;
font-family:"Times New Roman",serif;}
span.htmlpreformattedchar0
{mso-style-name:htmlpreformattedchar;
font-family:"Courier New";}
span.emailstyle22
{mso-style-name:emailstyle22;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.emailstyle23
{mso-style-name:emailstyle23;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.emailstyle24
{mso-style-name:emailstyle24;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.emailstyle25
{mso-style-name:emailstyle25;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle28
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="DE" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">I do not know whether there is a real risk… but it feels like the redirect url should be fixed at registration time.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><a href="https://bitbucket.org/openid/mobile/commits/309af4e910ddb6e3852b3a8dac525d93beb30593">https://bitbucket.org/openid/mobile/commits/309af4e910ddb6e3852b3a8dac525d93beb30593</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Feedback from others?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Axel<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Manger, James [mailto:James.H.Manger@team.telstra.com]
<br>
<b>Sent:</b> Mittwoch, 7. Juni 2017 10:55<br>
<b>To:</b> openid-specs-mobile-profile@lists.openid.net; Nennker, Axel <Axel.Nennker@telekom.de><br>
<b>Subject:</b> RE: [Openid-specs-mobile-profile] CIBA New text regarding HTTP status code during Client Notification.<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">What is missing is the rationale for OPs not following redirects. There shouldn't be any security issue, as long as
redirects are to HTTPS.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">If there is a real risk, then explain it and say OPs MUST NOT follow redirects.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">If it is a reasonable policy by some OPs to minimise what they support to minimise attack surface, say Clients SHOULD
NOT return redirects.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt;background:white"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">If it is OPs trying to avoid some effort then drop the whole line. Expect OPs to support normal HTTP that includes supporting
redirects.<o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">--<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">James Manger<o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><a href="mailto:Axel.Nennker@telekom.de"><span lang="EN-US">Axel.Nennker@telekom.de</span></a></span><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">
<</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><a href="mailto:Axel.Nennker@telekom.de"><span lang="EN-US">Axel.Nennker@telekom.de</span></a></span><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">><br>
<b>Sent:</b> Wednesday, June 7, 2017 6:23:55 PM<br>
<b>To:</b> Manger, James; </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><a href="mailto:openid-specs-mobile-profile@lists.openid.net"><span lang="EN-US">openid-specs-mobile-profile@lists.openid.net</span></a></span><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><br>
<b>Subject:</b> RE: [Openid-specs-mobile-profile] CIBA New text regarding HTTP status code during Client Notification.</span><span lang="EN-US">
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">How about:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><a href="https://bitbucket.org/openid/mobile/commits/6f5c9035ca46d657ce75be1cf87f64a8ef7dc112">https://bitbucket.org/openid/mobile/commits/6f5c9035ca46d657ce75be1cf87f64a8ef7dc112</a></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> <t></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> The Client Notification Endpoint SHOULD response with a HTTP 204 No Content.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">- The OP SHOULD accept HTTP 200 OK and any body in the response SHOULD be ignored.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ The OP SHOULD also accept HTTP 200 OK and any body in the response SHOULD be ignored.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> </t></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> <t></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">- The SHOULD HTTP 3xx .</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">- .</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ The Client SHOULD NOT return an HTTP 3xx code. The OP SHOULD NOT follow redirects.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">
</span><span style="font-size:10.0pt;font-family:"Courier New""></t></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">//Axel</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Manger, James [</span><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"><a href="mailto:James.H.Manger@team.telstra.com"><span lang="DE">mailto:James.H.Manger@team.telstra.com</span></a></span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">]
<br>
<b>Sent:</b> Mittwoch, 7. </span><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">Juni 2017 09:58<br>
<b>To:</b> Nennker, Axel <<a href="mailto:Axel.Nennker@telekom.de">Axel.Nennker@telekom.de</a>>;
<a href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br>
<b>Subject:</b> RE: [Openid-specs-mobile-profile] CIBA New text regarding HTTP status code during Client Notification.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Suggest tweaks:</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ <t></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ The Client Notification Endpoint SHOULD respon<span style="color:red">d</span> with HTTP 204 No Content.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ The OP SHOULD
<span style="color:red">also </span>accept HTTP 200 OK, ignoring any response body.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ </t></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ <t></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ The
<span style="color:red">Client SHOULD NOT return an HTTP 3xx code as </span>the OP
<span style="color:red">might not </span>follow redirects.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ </t></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ <t></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ How the OP handles HTTP error codes in the ranges of 4xx and 5xx is out-of-range of this specification.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ Administrative action is like to be needed in these cases.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">+ </t></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">--</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">James Manger</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-AU" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Openid-specs-mobile-profile [<a href="mailto:openid-specs-mobile-profile-bounces@lists.openid.net">mailto:openid-specs-mobile-profile-bounces@lists.openid.net</a>]
<b>On Behalf Of </b><a href="mailto:Axel.Nennker@telekom.de">Axel.Nennker@telekom.de</a><br>
<b>Sent:</b> Wednesday, 7 June 2017 5:45 PM<br>
<b>To:</b> <a href="mailto:openid-specs-mobile-profile@lists.openid.net">openid-specs-mobile-profile@lists.openid.net</a><br>
<b>Subject:</b> [Openid-specs-mobile-profile] CIBA New text regarding HTTP status code during Client Notification.</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-AU"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi all,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">please see:
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><a href="https://bitbucket.org/openid/mobile/commits/b33dba96dc99eeee001c8b6bf424dc193886229f?at=default">https://bitbucket.org/openid/mobile/commits/b33dba96dc99eeee001c8b6bf424dc193886229f?at=default</a></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ <t></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ The Client Notification Endpoint SHOULD response with a HTTP 204 No Content.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ The OP SHOULD accept HTTP 200 OK and any body in the response SHOULD be ignored.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ </t></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ <t></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ The OP SHOULD not follow redirects. HTTP 3xx codes SHOULD be ignored.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ Administrative action is like to be needed.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ </t></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ <t></span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ How the OP handles HTTP error codes in the ranges of 4xx and 5xx is out-of-range of this specification.</span><o:p></o:p></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">+ Administrative action is like to be needed in these cases.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New"">+ </t></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Cheers</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Axel</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><a href="https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#issuing_successful_token">https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#issuing_successful_token</a></span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>