[Openid-specs-risc] RISC F2F Oct 28

Adam Dawes adawes at google.com
Fri Sep 30 19:34:57 UTC 2016 

Hi all,

I haven't seen any registrations
<https://www.eventbrite.com/e/oidf-risc-wg-f2f-tickets-28032589229> yet for
the RISC F2F on October 28. If you plan to come, please register to make
planning easier.

As far as timing goes, I was planning on having this from 12-5 (lunch
provided). We can switch to something like 9:30 - 1:30 if that is better
for folks since I know some people are traveling. Please reply to me if you
have a strong preference for morning or afternoon and if you don't care,
please register now.

Agenda topics:

   - Initial RISC event definitions
      - Hijacking
      - Session revocation/Change password
      - Token revocation (flavors)
   - RP registration
      - API
      - Email header
   - Signal sending transport (API)
   - SET proposal alignment
   - SET RISC format
   - Mutual milestones (RISC spec, SET spec, provider implementations)

thanks,
AD

On Thu, Sep 22, 2016 at 11:38 PM, Adam Dawes <adawes at google.com> wrote:

> Notes on today's call:
>
> Sept 22
>
> Attendees
>
> Adam Dawes, Marius Scurtescu, Jeroen Kemperman, Phil Hunt, Brian Campbell,
> George Fletcher, Dick Hardt, Henrik Biering
>
>
>    -
>
>    October 28 F2F at Google on Friday after IIW [please register
>    <https://www.eventbrite.com/edit?eid=28032589229&published=0>]
>    -
>
>    SET working group charter:
>    Who will be a reviewer? (Dick agrees)
>    -
>
>    Contract is signed between Microsoft and Google
>    Google will get a clean contract and share with Amazon, Facebook,
>    Confyrm. Let me know if you have interest in joining as well.
>    -
>
>    Reviewed Microsoft-Google F2F (below). Went through first 2 use cases.
>    Discussed email header registration process.
>    Feedback:
>    -
>
>       Header idea is interesting but not sure what it adds
>       -
>
>       The recipient still needs to trust that content of the message
>       aligns with the header definition - otherwise can just send promo emails to
>       the user to receive RISC signals. Nothing empirically more trustworthy
>       about the mail.
>       -
>
>       Seems to add a lot more complexity than just using the pub/sub
>       mechanism. Free to have any 2 parties to use this mechanism if they desire
>       but doesn’t sound like a great fit for the standard.
>       -
>
>       Header might be useful for enterprise customers - actually not so
>       hard to look MX and then do the registration if the mail is hosted.
>       -
>
>    Marius and Phil have been collaborating on the transport spec.
>
>
>
> NOTES FROM MICROSOFT MEETING 9/21
>
> Assumptions:
>
>    -
>
>    Relying Parties (RPs) start sending a special email header on all
>    password reset and account registration messages. RPs keep track of when
>    they request an account recovery from IDP.
>    -
>
>    Mail providers (IDPs) need to keep track of the email reset messages
>    received by looking for this header. This will qualify as the registration
>    for later events.
>
>
> Mail types
>
>    -
>
>    Password Reset
>    -
>
>    Email OTP challenge
>    -
>
>    Email verification for new accounts
>    -
>
>    Change email address
>    -
>
>    Account closed
>    -
>
>    Password change successful
>
>
> Cases
>
>    1.
>
>    Relying Party (RP) tells Mail Provider (IDP) of possible compromise
>    RP will tell IDP when compromise of RP account started when RP
>    received a password reset or OTP to IDP account.
>
>    RP sends PubSub message to IDP after local detection determines of
>    compromise and links it to the account recovery via the IDP.
>
>    2. Proof at risk: IDP tells RP they are at risk
>
> IDP will tell RP when IDP received an OTP or PWR from RP account during a
> time IDP account was compromised.
>
> IDP keeps track of incoming PWRs, sends pubsub to RPs that have sent
> recent PWRs
>
>
> On Thu, Sep 22, 2016 at 9:24 AM, Adam Dawes <adawes at google.com> wrote:
>
>> Hi all,
>>
>> For today's call, I think we'll have a bit to talk about. Google and
>> Microsoft spent all day yesterday talking about our collaboration together
>> for RISC and today Google, Microsoft and Amazon are talking.
>>
>> Additionally, if we have time, we can continue our discussion about SET
>> and transport.
>>
>> Hope to see you there.
>>
>> 1.  Please join my meeting.
>> https://global.gotomeeting.com/join/576653581
>>
>> 2.  Use your microphone and speakers (VoIP) - a headset is recommended.
>> Or, call in using your telephone.
>>
>> United States: +1 (312) 757-3119
>> Australia: +61 2 9091 7603
>> Austria: +43 (0) 7 2088 0716
>> Belgium: +32 (0) 28 08 4372
>> Canada: +1 (647) 497-9380
>> Denmark: +45 (0) 69 91 84 58
>> Finland: +358 (0) 931 58 1773
>> France: +33 (0) 170 950 590
>> Germany: +49 (0) 692 5736 7300
>> Ireland: +353 (0) 15 133 006
>> Italy: +39 0 699 26 68 65
>> Netherlands: +31 (0) 208 080 759
>> New Zealand: +64 9 974 9579
>> Norway: +47 21 04 30 59
>> Spain: +34 931 76 1534
>> Sweden: +46 (0) 852 500 691
>> Switzerland: +41 (0) 435 0026 89
>> United Kingdom: +44 (0) 20 3713 5011
>>
>> Access Code: 576-653-581
>> Audio PIN: Shown after joining the meeting
>>
>> Meeting ID: 576-653-581
>>
>> --
>> Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410
>>
>>
>
>
> --
> Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410
>
>


-- 
Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20160930/3033b55b/attachment-0001.html>

More information about the Openid-specs-risc mailing list