CIBA Pairwise Identifiers Structuring Text
Should the text regarding Pairwise Identifiers be in its own section or should it stay in the sections on polling and notification?
Polling: https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.1.1
Notification: https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.3.3
References to other specs:
Core: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
Validation of sector_identifier: https://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation
Axel
Comments (10)
I agree!
- changed status to resolved
I agree that sector_identifier_uri MUST be specified by the client when Pairwise Identifiers are used.
This is not resolved unless there is some way to verify the sector identifier.
- changed status to open
Issue not resolved unless there is some way for the AS to verify the sector identifier. With post back there is no verification as there is no redirect_uri used.
A proposal from John is to allow using Pairwise Pseudonymous Identifiers only in the case a jwks_uri is registered when the grant-type backchannel_request is registered. In that case the client could use PPIDs as long as it uses mutual TLS authentication to authenticate to the token endpoint or the private_key_jwt defined in section 9 of the OpenID Core spec. Additionally it would be OPTIONAL to use a signed request object in CIBA authentication requests.
Mutual TLS authentication to the token endpoint was added to the spec, so Clients that register a jwks_uri when using the backchannel_request grant_type can use this URI as a verified sector identifier and so can use PPIDs.
- changed component to CIBA
- changed status to resolved
Hi all,
I created https://bitbucket.org/openid/mobile/issues/52/ciba-pairwise-identifiers-structuring-text to keep track of this.
In pseudo code the calculation of sub could look like this:
Having said all that I currently tend to change the spec to say: “In CIBA the Client MUST specify the sector_identifier_uri at registration time if the OP uses Pairwise Identifiers which is strongly recommended”.
Should we make sector_identifier_uri mandatory for CIBA and cull all other Pairwise Identifier text?
Cheers,
Axel
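The sub calculation Axel refers to above, and the sector-verification rule the thread settles on (a jwks_uri registered with the backchannel grant type, plus key-based client authentication, acts as the verified sector identifier), worked through as an added example. This is not code from the CIBA draft, from the OpenID Connect Core spec or from the thread. It follows Core 1.0 section 8.1 (SHA-256 over sector identifier, local account id and an OP-held salt). Assumptions, not from the page: the grant type string `backchannel_request` is taken from the draft name used in the thread, the set of "verifiable" token endpoint auth methods is my reading of the proposal, the `|` separator in the hash input is a choice Core leaves to the OP, and every client registration, user id and the salt are constructed.

```python
"""Pairwise subject identifier derivation for a CIBA (backchannel) client.

Added example, not code from the CIBA draft or this issue thread. It applies
OpenID Connect Core 1.0 section 8.1 and the thread's rule for clients that
have no redirect_uri: a jwks_uri registered with the backchannel grant type
is the verified sector, but only when the client authenticates with a key
the OP can check (private_key_jwt or mutual TLS). All metadata below is
constructed for the example.
"""
import hashlib
from urllib.parse import urlparse

# Grant type name as used in the draft discussed in this thread (assumption;
# the published CIBA spec uses a URN instead).
BACKCHANNEL_GRANT = "backchannel_request"

# Token endpoint auth methods that prove possession of a key the OP can fetch
# from jwks_uri (assumption drawn from the thread's proposal).
VERIFIED_AUTH_METHODS = {"private_key_jwt", "tls_client_auth",
                         "self_signed_tls_client_auth"}


def _host(uri: str) -> str:
    """Host component of an https URL; the sector is always a host name."""
    parsed = urlparse(uri)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"sector source must be an https URL with a host: {uri}")
    return parsed.hostname


def sector_identifier(client: dict) -> str:
    """Return the host the OP uses as this client's pairwise sector.

    Order follows Core 8.1, then the thread's CIBA fallback:
      1. host of sector_identifier_uri (Core validates it against the
         redirect_uris, which a CIBA client does not have);
      2. the single host shared by all redirect_uris;
      3. host of jwks_uri, if the backchannel grant is registered and the
         client authenticates with a verifiable key.
    Raises ValueError when no verifiable sector exists, i.e. the OP must
    refuse pairwise identifiers for this client.
    """
    if "sector_identifier_uri" in client:
        return _host(client["sector_identifier_uri"])
    redirect_hosts = {_host(u) for u in client.get("redirect_uris", [])}
    if len(redirect_hosts) == 1:
        return redirect_hosts.pop()
    if len(redirect_hosts) > 1:
        raise ValueError("several redirect hosts: sector_identifier_uri is required")
    if (BACKCHANNEL_GRANT in client.get("grant_types", [])
            and "jwks_uri" in client
            and client.get("token_endpoint_auth_method") in VERIFIED_AUTH_METHODS):
        return _host(client["jwks_uri"])
    raise ValueError("no verifiable sector identifier; pairwise sub not permitted")


def pairwise_sub(sector: str, local_account_id: str, salt: bytes) -> str:
    """Core 8.1 construction: SHA-256(sector, local id, salt), hex encoded.

    A separator that cannot occur in a host name keeps the input unambiguous
    ("a" + "bc" and "ab" + "c" cannot collide); Core leaves the exact
    encoding to the OP, so this layout is a choice made for the example.
    """
    material = (sector.encode("ascii") + b"|"
                + local_account_id.encode("utf-8") + b"|" + salt)
    return hashlib.sha256(material).hexdigest()


def subject_for(client: dict, local_account_id: str, salt: bytes) -> str:
    """sub value the OP would place in the id_token for this client and user."""
    return pairwise_sub(sector_identifier(client), local_account_id, salt)


# Constructed registrations (not real clients).
CLIENT_WITH_SECTOR = {
    "client_id": "rp-a",
    "sector_identifier_uri": "https://rp.example.com/sector.json",
    "grant_types": [BACKCHANNEL_GRANT],
    "token_endpoint_auth_method": "client_secret_basic",
}
CLIENT_CIBA_JWKS = {
    "client_id": "rp-b",
    "grant_types": [BACKCHANNEL_GRANT],
    "jwks_uri": "https://ciba.example.org/keys/jwks.json",
    "token_endpoint_auth_method": "private_key_jwt",
}
CLIENT_CIBA_UNVERIFIED = {
    "client_id": "rp-c",
    "grant_types": [BACKCHANNEL_GRANT],
    "jwks_uri": "https://ciba.example.org/keys/jwks.json",
    "token_endpoint_auth_method": "client_secret_post",
}
OP_SALT = b"constructed-op-secret-salt"

if __name__ == "__main__":
    for client in (CLIENT_WITH_SECTOR, CLIENT_CIBA_JWKS, CLIENT_CIBA_UNVERIFIED):
        try:
            print(client["client_id"], subject_for(client, "user-1234", OP_SALT))
        except ValueError as err:
            print(client["client_id"], "refused:", err)
```

Running the script shows the two clients with a verifiable sector each getting a stable 64-character sub for the same user, differing between sectors, while the third client, which registered a jwks_uri but authenticates with a shared secret, is refused: without a key the OP can check, the jwks_uri host proves nothing, which is the verification gap the thread raises for post-back flows.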