<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>Well…from that line of thinking do you want to Abuse it and then do Account takeover :-).</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Nat Sakimura <<a href="mailto:sakimura@gmail.com">sakimura@gmail.com</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday, February 24, 2015 at 6:40 PM<br>
<span style="font-weight:bold">To: </span>Ashish Jain <<a href="mailto:ashishjain@vmware.com">ashishjain@vmware.com</a>><br>
<span style="font-weight:bold">Cc: </span>Adam Dawes <<a href="mailto:adawes@google.com">adawes@google.com</a>>, "<a href="mailto:openid-specs-council@lists.openid.net">openid-specs-council@lists.openid.net</a>" <<a href="mailto:openid-specs-council@lists.openid.net">openid-specs-council@lists.openid.net</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [OIDFSC] AATOC Working Group Charter<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">Simplicity wins, but does not it sound like the WG is creating a protocol to take over accounts ;-) ? </div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-02-25 11:25 GMT+09:00 Ashish Jain <span dir="ltr"><<a href="mailto:ashishjain@vmware.com" target="_blank">ashishjain@vmware.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>I’m not objecting…merely suggesting that referring it as Account Takeover WG is simpler </div>
<div><br>
</div>
<span>
<div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span>Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday, February 24, 2015 at 6:09 PM<br>
<span style="font-weight:bold">To: </span>Ashish Jain <<a href="mailto:ashishjain@vmware.com" target="_blank">ashishjain@vmware.com</a>><br>
<span style="font-weight:bold">Cc: </span>Adam Dawes <<a href="mailto:adawes@google.com" target="_blank">adawes@google.com</a>>, "<a href="mailto:openid-specs-council@lists.openid.net" target="_blank">openid-specs-council@lists.openid.net</a>" <<a href="mailto:openid-specs-council@lists.openid.net" target="_blank">openid-specs-council@lists.openid.net</a>>
<div>
<div class="h5"><br>
<span style="font-weight:bold">Subject: </span>Re: [OIDFSC] AATOC Working Group Charter<br>
</div>
</div>
</div>
<div>
<div class="h5">
<div><br>
</div>
<div>
<div>
<div dir="ltr">I am fine with ATO WG as well. My objection was that the name had the Group in it, which is not a defined word in OpenID Process, so the WG name would become AATOC Group WG, which is repeating "Group" and awkward. It is just an editorial stuff. 
<div><br>
</div>
<div>Are you objecting to the first A and the last C of AATOC? <br>
<div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-02-25 10:59 GMT+09:00 Ashish Jain <span dir="ltr"><<a href="mailto:ashishjain@vmware.com" target="_blank">ashishjain@vmware.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>I understand the need to be precise but ATO WG can probably convey the same message.</div>
<div><br>
</div>
<span>
<div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span>Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday, February 24, 2015 at 4:56 PM<br>
<span style="font-weight:bold">To: </span>Adam Dawes <<a href="mailto:adawes@google.com" target="_blank">adawes@google.com</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:openid-specs-council@lists.openid.net" target="_blank">openid-specs-council@lists.openid.net</a>" <<a href="mailto:openid-specs-council@lists.openid.net" target="_blank">openid-specs-council@lists.openid.net</a>><span><br>
<span style="font-weight:bold">Subject: </span>Re: [OIDFSC] AATOC Working Group Charter<br>
</span></div>
<div>
<div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">Dear Specs Council members, <br>
<br>
It looks generally fine, with one friendly amendment: <br>
<br>
Change the title of the working group from: <br>
Abuse and Account Takeover Coordination Group<br>
<br>
to:<br>
Abuse and Account Takeover Coordination Working Group<br>
<br>
as "Abuse and Account Takeover Coordination Group Working Group" is a bit awkward. 
<div>I am fine with putting it as just "Abuse and Account Takeover Coordination" as well, since there is a precedence for it. <br>
<br>
Could any specs council member respond early in this thread if you have any objection or friendly amendment. We have been a bit slack lately that we have been relying on two weeks limit to execute a charter, but we should be able to act more quickly.<br>
<br>
Cheers, 
<div><br>
Nat<br>
<div><br>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-02-24 19:02 GMT+09:00 Adam Dawes <span dir="ltr"><<a href="mailto:adawes@google.com" target="_blank">adawes@google.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div style="font-size:12.8000001907349px">I would like to form a new work group, AATOC. Here is our proposed charter:</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt;text-align:center">
<span style="font-size: 17px; font-family: 'Trebuchet MS'; color: rgb(0, 0, 0); vertical-align: baseline; white-space: pre-wrap; background-color: transparent;">AATOC Charter</span></h2>
<br>
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt"><span style="font-size: 17px; font-family: 'Trebuchet MS'; color: rgb(0, 0, 0); vertical-align: baseline; white-space: pre-wrap; background-color: transparent;">1) Working Group name:
</span></h2>
<p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:8pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Abuse and Account Takeover Coordination Group (AATOC)</span></p>
<br>
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt"><span style="font-size: 17px; font-family: 'Trebuchet MS'; color: rgb(0, 0, 0); vertical-align: baseline; white-space: pre-wrap; background-color: transparent;">2) Purpose</span></h2>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">The goal of AATOC is to provide data sharing schemas,
 privacy recommendations and protocols to:</span></p>
<br>
<ul style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Share information about important security events in order to thwart attackers from leveraging compromised
 accounts from one Service Provider to gain access to accounts on other Service Providers (mobile or web application developers and owners).
</span></p>
</li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Enable users and providers to coordinate in order to securely restore accounts following a compromise.</span></p>
</li></ul>
<br>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Internet accounts that use email addresses or phone
 numbers as the primary identifier for the account will be the initial focus. </span>
</p>
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt"><span style="font-size: 17px; font-family: 'Trebuchet MS'; color: rgb(0, 0, 0); vertical-align: baseline; white-space: pre-wrap; background-color: transparent;">2) Scope</span></h2>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">The group will define:</span></p>
<ul style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Security events</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent"><br>
</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">These are events – whether directly authentication-related or occurring at another time in the user flow – that take place on one service that could also have security
 implications on other Service Providers. The group will develop a taxonomy of security events and a common set of semantics to express relevant information about a security event.</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent"><br>
<br>
</span></p>
</li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Privacy Implications</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent"><br>
</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Sharing security information amongst providers has potential privacy implications for both end users and service providers. These privacy implications must be balanced
 against the recognized benefits of protecting users’ accounts and data from abuse.  The group will consider ways to optimize this balance when defining mechanisms to handle the various security events and recommend best practices for the industry.</span></p>
</li></ul>
<br>
<ul style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Communications mechanisms</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent"><br>
</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Define bindings for the use of an existing transport protocol defined elsewhere.</span></p>
</li></ul>
<br>
<ul style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Event schema</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent"><br>
</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Define a schema describing relevant events and relationships to allow for dissemination between interested and authorized parties.  </span></p>
</li></ul>
<br>
<ul style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);font-weight:bold;vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Account recovery mechanisms</span></p>
</li></ul>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;margin-left:36pt">
<span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Standardized mechanism(s) to allow providers to signal that a user has regained control of an account, or allow a user
 to explicitly restore control of a previously compromised account, with or without direct user involvement.</span></p>
<h2 dir="ltr" style="line-height:1.15714285714286;margin-top:10pt;margin-bottom:8pt">
<span style="font-size: 17px; font-family: 'Trebuchet MS'; color: rgb(0, 0, 0); vertical-align: baseline; white-space: pre-wrap; background-color: transparent;">Out of scope:</span></h2>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Determining the account quality/reputation of a
 user on a particular service and communicating that to others.</span></p>
<br>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Definition of APIs and underlying mechanisms for
 connecting to, interacting with and operating centralized databases or intelligence clearinghouses when these are used to communicate security events between account providers.</span></p>
<br>
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt"><span style="font-size: 17px; font-family: 'Trebuchet MS'; color: rgb(0, 0, 0); vertical-align: baseline; white-space: pre-wrap; background-color: transparent;">4) Proposed Deliverables</span></h2>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">The group proposes the following
</span><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Non-Specification</span><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">
 deliverables:</span></p>
<br>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Security Event and Account Lifecycle
 Schema</span></p>
<ul style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">A taxonomy of security events and a common set of semantics to express relevant information about
 a security event and its relationships to other relevant data, events or indicators.
</span></p>
</li></ul>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Security Event Privacy Guidelines</span></p>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">A set of recommendations on how to minimize the
 privacy impact on users and service providers while improving security, and how to provide appropriate privacy disclosures, labeling and access control guidelines around information in the Security Event Schema.
</span></p>
<br>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">The group proposes the following
</span><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Specification
</span><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">deliverables:</span></p>
<br>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Communications Mechanisms</span></p>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Define bindings for the event messages to an already
 existing transport protocol to promote interoperability of sending event information to another Service Provider. This will allow a Service Provider to implement a single piece of infrastructure that would be able to send or receive event information to any
 other service provider. </span></p>
<br>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Order of Deliverables</span></p>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">The group will work to produce the Security Event
 and Account Lifecycle Schema before beginning work on the Communications Mechanism.</span></p>
<br>
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt"><span style="font-size: 17px; font-family: 'Trebuchet MS'; color: rgb(0, 0, 0); vertical-align: baseline; white-space: pre-wrap; background-color: transparent;">5) Anticipated audience
 or users</span></h2>
<ul style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Service Providers who manage their own account systems which require an email address or phone number
 for registration.</span></p>
</li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Account and email providers that understand key security events that happen to a user’s account.</span></p>
</li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Identity as a Service (IDaaS) vendors that manage account and authentication systems for their customers.</span></p>
</li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Users seeking to regain control of a compromised account.</span></p>
</li></ul>
<br>
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt"><span style="font-size: 17px; font-family: 'Trebuchet MS'; color: rgb(0, 0, 0); vertical-align: baseline; white-space: pre-wrap; background-color: transparent;">6) Language</span></h2>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">English</span></p>
<br>
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt"><span style="font-size: 17px; font-family: 'Trebuchet MS'; color: rgb(0, 0, 0); vertical-align: baseline; white-space: pre-wrap; background-color: transparent;">7) Method of work:</span></h2>
<p dir="ltr" style="line-height:1.63636363636364;margin-top:0pt;margin-bottom:8pt">
<span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">E-mail discussions on the working group mailing list, working group conference calls, and face-to-face meetings from time
 to time.</span></p>
<br>
<h2 dir="ltr" style="line-height:1.63636363636364;margin-top:10pt;margin-bottom:8pt">
<span style="font-size: 17px; font-family: 'Trebuchet MS'; color: rgb(0, 0, 0); vertical-align: baseline; white-space: pre-wrap; background-color: transparent;">8) Basis for determining when the work is completed:</span></h2>
<p dir="ltr" style="line-height:1.63636363636364;margin-top:0pt;margin-bottom:8pt">
<span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Rough consensus and running code. The work will be completed once it is apparent that maximal consensus on the draft has
 been achieved, consistent with the purpose and scope.</span></p>
<br>
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt"><span style="font-size: 17px; font-family: 'Trebuchet MS'; color: rgb(0, 0, 0); vertical-align: baseline; white-space: pre-wrap; background-color: transparent;">Background information</span></h2>
<br>
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt"><span style="font-size: 17px; font-family: 'Trebuchet MS'; color: rgb(0, 0, 0); vertical-align: baseline; white-space: pre-wrap; background-color: transparent;">Related work:</span></h2>
<ul style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">RFC6545 Real-time Inter-network Defense (RID)</span></p>
</li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">RFC6546 Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS</span></p>
</li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">RFC6684 Guidelines and Template for Defining Extensions to the Incident Object Description Exchange
 Format (IODEF)</span></p>
</li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">draft-ietf-mile-rolie Resource-Oriented Lightweight Indicator Exchange
</span></p>
</li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">ISO/IEC 27002:2013  Information technology — Security techniques — Code of practice for information
 security controls</span></p>
</li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident management</span></p>
</li></ul>
<br>
<br>
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt"><span style="font-size: 17px; font-family: 'Trebuchet MS'; color: rgb(0, 0, 0); vertical-align: baseline; white-space: pre-wrap; background-color: transparent;">Proposers</span></h2>
<ul style="margin-top:0pt;margin-bottom:0pt">
<li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.63636363636364;margin-top:0pt;margin-bottom:0pt">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Adam Dawes, Google
</span></p>
</li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.63636363636364;margin-top:0pt;margin-bottom:0pt">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Mark Risher, Google</span></p>
</li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.63636363636364;margin-top:0pt;margin-bottom:0pt">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Trent Adams, Paypal</span></p>
</li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.63636363636364;margin-top:0pt;margin-bottom:0pt">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">George Fletcher, AOL</span></p>
</li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.63636363636364;margin-top:0pt;margin-bottom:0pt">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Andrew Nash, Confyrm</span></p>
</li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.63636363636364;margin-top:0pt;margin-bottom:0pt">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Nat Sakimura, Nomura Research Institute</span></p>
</li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.63636363636364;margin-top:0pt;margin-bottom:0pt">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">John Bradley, Ping Identity</span></p>
</li><li dir="ltr" style="margin-left:15px;list-style-type:disc;font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;background-color:transparent">
<p dir="ltr" style="line-height:1.63636363636364;margin-top:0pt;margin-bottom:8pt">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent">Henrik Biering, Peercraft</span></p>
</li></ul>
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt"><span style="font-size: 17px; font-family: 'Trebuchet MS'; color: rgb(0, 0, 0); vertical-align: baseline; white-space: pre-wrap; background-color: transparent;">Anticipated contributions:</span></h2>
<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">“Security event reporting between Service Providers
 1.0” under the </span><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__openid.net_intellectual-2Dproperty_&d=AwMFaQ&c=Sqcl0Ez6M0X8aeM67LKIiDJAXVeAw-YihVMNtXt-uEs&r=PDGu4NI-duocVzLKrMLVZV9ccYh2Q-1cXto7c2DRReM&m=his8oMG2sVamzBa3dQLPovSTmI9fUVGF3mbIZ4ZzISQ&s=yV7iQ-h1QNIAyTmfXm6S6vIszebI2q_snUSkFyjxlkg&e=" style="text-decoration:none" target="_blank"><span style="font-size:15px;font-family:Arial;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap;background-color:transparent">OpenID
 Foundation’s IPR Policy</span></a><span style="font-size:15px;font-family:Arial;color:rgb(0,0,0);vertical-align:baseline;white-space:pre-wrap;background-color:transparent">.</span></p>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>Nat Sakimura (=nat)
<div>Chairman, OpenID Foundation<br>
<a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__nat.sakimura.org_&d=AwMFaQ&c=Sqcl0Ez6M0X8aeM67LKIiDJAXVeAw-YihVMNtXt-uEs&r=PDGu4NI-duocVzLKrMLVZV9ccYh2Q-1cXto7c2DRReM&m=his8oMG2sVamzBa3dQLPovSTmI9fUVGF3mbIZ4ZzISQ&s=jmKQL3OD_c7eJXduzdJt5OJefY8ZjNiYCoAm8g-7oOA&e=" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en</div>
</div>
</div>
</div>
</div>
</div>
</div>
</span></div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>Nat Sakimura (=nat)
<div>Chairman, OpenID Foundation<br>
<a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__nat.sakimura.org_&d=AwMFaQ&c=Sqcl0Ez6M0X8aeM67LKIiDJAXVeAw-YihVMNtXt-uEs&r=PDGu4NI-duocVzLKrMLVZV9ccYh2Q-1cXto7c2DRReM&m=dibzrL00q20lgLcDv94EYh8Ums_bAaYivHuqDQgNfSI&s=jq4oX-tF55oVVtUOW6sW0RsihIhuUzSlJVyRWCVyAhQ&e=" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en</div>
</div>
</div>
</div>
</div>
</div>
</div>
</span></div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature">Nat Sakimura (=nat)
<div>Chairman, OpenID Foundation<br>
<a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__nat.sakimura.org_&d=AwMFaQ&c=Sqcl0Ez6M0X8aeM67LKIiDJAXVeAw-YihVMNtXt-uEs&r=PDGu4NI-duocVzLKrMLVZV9ccYh2Q-1cXto7c2DRReM&m=FTP1p4KW-gy6ieyONlVis7AekKQ2eopbbmXTk9XTg7k&s=w-VOFerD_4ujubMoL8LeaN7vtjDCzBjWkUD2nZvy4Dc&e=" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en</div>
</div>
</div>
</div>
</div>
</span>
</body>
</html>