Feature/is 96 qr codes #102
Conversation
Added the secure-authenticator-binding entity category.
Removed the previous BankID-specific entity category and replaced it with a URI that may be used by several IdPs.
This profile defines the `http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding` entity category to be declared by Service Providers in order to add a requirement on Identity Providers | ||
vulnerable of the attacks described above that they SHOULD use a secure authenticator binding (if this | ||
feature is supported by the Identity Provider). | ||
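Review bot: "vulnerable of the attacks described above" in the first line should read "vulnerable to the attacks described above". More substantively, the parenthetical "if this feature is supported by the Identity Provider" leaves the Service Provider with no way to tell whether its requirement will be honoured, since the requirement is only a SHOULD conditioned on a capability the SP cannot see. Consider having Identity Providers that support the binding declare the same entity category in their own metadata, so that an IdP which declares it MUST act on the SP's declaration and the SP can tell from metadata which IdPs will do so.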
Suggesting that both IdP and SP set this EC. If the EC is set by the IdP, the IdP must honor it if set by the SP. IdPs that have not set this are not affected.
Therefore, this profile defines the `http://id.swedenconnect.se/general-ec/1.0/bankid/qr-code` entity category. It may be declared in a Service Provider's metadata as an indicator for a BankID Identity Provider that the Service Provider requires that the QR code functionality is used instead of prompting for the user personal identity number. | ||
A BankID Identity Provider compliant with this profile SHOULD check the presence of the `secure-authenticator-binding` entity category from the Service Provider metadata when processing a request, and SHOULD prompt the user to scan a QR code instead of asking for the personal identity number if the entity category is present in the Service Provider metadata. | ||
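Review bot: the new line keeps both obligations at SHOULD ("SHOULD check the presence", "SHOULD prompt the user to scan a QR code"), which lets an Identity Provider that claims compliance with this profile silently fall back to asking for the personal identity number, the exact prompt the category exists to suppress. If the category is also declared by the IdP, make the check and the QR-code prompt MUST for an IdP that has declared it. The line also refers to the category by its short name `secure-authenticator-binding` while the definition earlier uses the full `http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding` URI; cite the full URI once here so the reference is unambiguous.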
Same as above. IdPs that have declared this EC MUST check it and act according to it.
Note that the presence of the QR code entity category in the Service Provider metadata has precedence over the presence of the `<psc:PrincipalSelection>` extension in the authentication request<sup>1</sup>. | ||
Note that the presence of the `secure-authenticator-binding` entity category in the Service Provider | ||
metadata has precedence over the presence of the `<psc:PrincipalSelection>` extension in the authentication request<sup>1</sup>. |
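Review bot: "has precedence over the presence of the `<psc:PrincipalSelection>` extension" reads as if the two are mutually exclusive, but a BankID QR-code start can be bound to a personal identity number supplied by the SP, so the extension is not discarded when the category applies. Suggest "applies regardless of the presence of the `<psc:PrincipalSelection>` extension in the authentication request" and stating explicitly that an IdP which uses the QR code still binds the transaction to the personal identity number carried in the extension when one is present.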
No need to exclusively apply only one of secure-authenticator-binding and <psc:PrincipalSelection>, since it's possible to start the BankID client using a QR code for a transaction bound to a personal identity number.
Perhaps change the description to something like: Note that the presence of the QR code entity category in the Service Provider metadata will apply despite the presence of any <psc:PrincipalSelection> extension in the authentication request
Yes. You are correct. Will change the wording.
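The decision the thread converges on, as an added example written for this page rather than code from the Sweden Connect project: an Identity Provider that itself declares the `secure-authenticator-binding` category reads the Service Provider's metadata, and if the SP declares the same category it starts BankID with a QR code; a personal identity number supplied via `<psc:PrincipalSelection>` does not switch the flow back to a personal-number prompt but is carried along so the QR-code transaction is bound to it. IdPs that do not declare the category keep the old behaviour. The example assumes entity categories are published the standard way, as values of the `http://macedir.org/entity-category` entity attribute inside an `<mdattr:EntityAttributes>` metadata extension (RFC 8409); the entity ID, metadata and personal identity number are constructed, `build_sp_metadata` and `select_start_mode` are hypothetical helper names, and extraction of the number from `<psc:PrincipalSelection>` is not shown (it is passed in as a parameter).

```python
import xml.etree.ElementTree as ET

# Category URI as defined in the profile text under review.
SECURE_AUTHENTICATOR_BINDING = (
    "http://id.swedenconnect.se/general-ec/1.0/secure-authenticator-binding"
)
# Standard entity-attribute name under which entity categories are published
# (RFC 8409); assumed here, the profile text does not spell out the encoding.
ENTITY_CATEGORY_ATTR = "http://macedir.org/entity-category"

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def build_sp_metadata(entity_id, categories):
    """Construct a minimal SP EntityDescriptor declaring the given entity
    categories (test fixture, not real metadata)."""
    values = "".join(
        f"<saml:AttributeValue>{c}</saml:AttributeValue>" for c in categories
    )
    extensions = ""
    if categories:
        extensions = f"""
  <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="{NS['mdattr']}">
      <saml:Attribute xmlns:saml="{NS['saml']}"
          Name="{ENTITY_CATEGORY_ATTR}"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">{values}</saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>"""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{entity_id}">{extensions}
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def entity_categories(metadata_xml):
    """Return the set of entity-category URIs declared in an EntityDescriptor.

    Only values of the entity-category attribute count; other entity
    attributes in the same extension are ignored. For metadata fetched from
    an untrusted source, parse with defusedxml instead of ElementTree.
    """
    root = ET.fromstring(metadata_xml)
    found = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in root.findall(path, NS):
        if attr.get("Name") != ENTITY_CATEGORY_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text:
                found.add(value.text.strip())
    return frozenset(found)


def select_start_mode(sp_metadata_xml, idp_categories, principal_selection_pnr=None):
    """Decide how the IdP starts the BankID transaction for one request.

    idp_categories: the categories this IdP declares in its own metadata.
    principal_selection_pnr: personal identity number taken from the request's
        <psc:PrincipalSelection> extension, or None if absent.

    Returns {"mode": "qr-code" | "personal-number", "personal_number": ...}.
    In "personal-number" mode a None number means "prompt the user for it".
    In "qr-code" mode a non-None number means the QR-code transaction is bound
    to that number, so PrincipalSelection is honoured rather than overridden.
    """
    idp_honours = SECURE_AUTHENTICATOR_BINDING in idp_categories
    sp_requires = SECURE_AUTHENTICATOR_BINDING in entity_categories(sp_metadata_xml)
    if idp_honours and sp_requires:
        return {"mode": "qr-code", "personal_number": principal_selection_pnr}
    # IdP did not declare the category (not affected) or SP did not ask for it.
    return {"mode": "personal-number", "personal_number": principal_selection_pnr}


if __name__ == "__main__":
    sp = build_sp_metadata("https://sp.example.com/saml", [SECURE_AUTHENTICATOR_BINDING])
    idp = frozenset({SECURE_AUTHENTICATOR_BINDING})
    print(select_start_mode(sp, idp))                      # QR, no binding
    print(select_start_mode(sp, idp, "199001019999"))      # QR bound to constructed pnr
    print(select_start_mode(sp, frozenset(), "199001019999"))  # IdP not affected
```

The check is keyed on the SP's declaration as seen by the IdP, not on anything in the `AuthnRequest`, so a request attribute cannot downgrade an SP that has published the category; the metadata itself is the trust anchor and must come from the federation's signed aggregate.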
Issue #96
Made section 3.3 easier to read by moving the recommendations into their own chapter. Added a note to describe the case where an SP requires QR codes but also sends a principal selection extension.