[Openid-specs-risc] RISC Agenda for today

Brad Hill hillbrad at gmail.com
Fri May 1 23:36:22 UTC 2015

Regarding today's discussion on establishing trust relationships and
bootstrapping for already established accounts.  I would argue for a
two-tiered approach.

One tier would be companies that execute mutual legal agreements and are
able to opt-in users via their global ToS. This would likely require with
an opt-out mechanism as deemed appropriate by each organization's legal
counsel and appropriate to the markets they operate in, but this could be
transparent to the other side of the relationship.  So long as company X
and Y have a mutual agreement executed, all requests for account data would
be whitelisted.  If X said "I have an account for user at Y", you'd believe
them, and have contractual recourse if they were lying.

The second tier would require more explicit opt-in, like an OAuth flow, to
connect the accounts, and because it would have direct user approval would
not need any prearrangements between the entities holding the accounts on
the user's behalf.

I think trying to force all existing accounts to go through an explicit
consent flow is just too big of an obstacle to ever getting operational at
a meaningful scale.  Maybe some large organizations in some jurisdictions
would prefer or need to use the explicit opt-in flows exclusively, but
having a streamlined flow where some large fraction of the top 10 or 100
global account providers can establish mutual trust to bootstrap the first
10e8 connections without an enormous amount of explicit point-to-point
bookkeeping and user friction seems absolutely necessary for this to be
meaningful in protecting users on any reasonable time scale.

If there are tradeoffs to be made in terms of the scope or fidelity of the
sharing vs. the ability to automatically provision, I would urge we go as
far as we can towards low-fidelity low-friction (while still providing a
useful signal) for the same reason.


On Fri, May 1, 2015 at 7:14 AM 'Adam Dawes' via Abuse and ATO Coordination <
aatoc at googlegroups.com> wrote:

> Agenda
>    -
>    IPR update
>    -
>    OASIS group STIX/TAXII next steps
>    -
>    PR release
>    <https://docs.google.com/document/d/16QrQo5O1Afj4sZBZhJDHr9HxTtWERGHdle-0a4B6UT8/edit>
>    -
>    Weekly call times
>    -
>    Technical Discussion
>    - How do we operationalize trust relationships. Going forward, looking
>       backward
> Where: https://global.gotomeeting.com/join/764054389
> Use your microphone and speakers (VoIP) – a headset is recommended. Or,
> call in using your telephone.
> US phone number: +1 (312) 878-3080.
> International Numbers:
> Australia: +61 2 8355 1034
> Canada: +1 (647) 497-9376
> France: +33 (0) 170 950 586
> Germany: +49 (0) 811 8899 6931
> Spain: +34 932 20 0506
> United Kingdom: +44 (0) 330 221 0098
> Access Code: 736-042-757
> Audio PIN: Shown after joining the meeting
> Meeting ID: 764-054-389
> --
> You received this message because you are subscribed to the Google Groups
> "Abuse and ATO Coordination" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to aatoc+unsubscribe at googlegroups.com.
> To post to this group, send email to aatoc at googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/aatoc/CAOJhRMa9_G4gET-V0hNm7O%3Ddyq-4cwka_0fKwZKZqijwy91vMg%40mail.gmail.com
> <https://groups.google.com/d/msgid/aatoc/CAOJhRMa9_G4gET-V0hNm7O%3Ddyq-4cwka_0fKwZKZqijwy91vMg%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20150501/6512980e/attachment.html>

More information about the Openid-specs-risc mailing list