[Openid-specs-risc] RISC F2F Oct 28

Phil Hunt (IDM) phil.hunt at oracle.com
Fri Sep 30 19:53:20 UTC 2016


I plan to attend. Morning is better so I can catch a late-afternoon flight out of SFO.

Phil

> On Sep 30, 2016, at 12:34 PM, Adam Dawes <adawes at google.com> wrote:
> 
> Hi all,
> 
> I haven't seen any registrations yet for the RISC F2F on October 28. If you plan to come, please register to make planning easier.
> 
> As far as timing goes, I was planning on having this from 12-5 (lunch provided). We can switch to something like 9:30 - 1:30 if that is better for folks since I know some people are traveling. Please reply to me if you have a strong preference for morning or afternoon and if you don't care, please register now.
> 
> Agenda topics:
> Initial RISC event definitions
> Hijacking
> Session revocation/Change password
> Token revocation (flavors)
> RP registration 
> API
> Email header
> Signal sending transport (API)
> SET proposal alignment
> SET RISC format
> Mutual milestones (RISC spec, SET spec, provider implementations)
> thanks,
> AD
> 
>> On Thu, Sep 22, 2016 at 11:38 PM, Adam Dawes <adawes at google.com> wrote:
>> Notes on today's call:
>> 
>> Sept 22
>> Attendees
>> Adam Dawes, Marius Scurtescu, Jeroen Kemperman, Phil Hunt, Brian Campbell, George Fletcher, Dick Hardt, Henrik Biering
>> 
>> October 28 F2F at Google on Friday after IIW [please register]
>> SET working group charter: 
>> Who will be a reviewer? (Dick agrees)
>> Contract is signed between Microsoft and Google
>> Google will get a clean contract and share with Amazon, Facebook, Confyrm. Let me know if you have interest in joining as well.
>> Reviewed Microsoft-Google F2F (below). Went through first 2 use cases. Discussed email header registration process.
>> Feedback:
>> Header idea is interesting but not sure what it adds
>> The recipient still needs to trust that content of the message aligns with the header definition - otherwise can just send promo emails to the user to receive RISC signals. Nothing empirically more trustworthy about the mail.
>> Seems to add a lot more complexity than just using the pub/sub mechanism. Free to have any 2 parties to use this mechanism if they desire but doesn’t sound like a great fit for the standard.
>> Header might be useful for enterprise customers - actually not so hard to look up MX and then do the registration if the mail is hosted.
>> Marius and Phil have been collaborating on the transport spec. 
>> 
>> 
>> NOTES FROM MICROSOFT MEETING 9/21
>> 
>> Assumptions:
>> Relying Parties (RPs) start sending a special email header on all password reset and account registration messages. RPs keep track of when they request an account recovery from IDP.
>> Mail providers (IDPs) need to keep track of the email reset messages received by looking for this header. This will qualify as the registration for later events.
>> 
>> Mail types
>> Password Reset
>> Email OTP challenge
>> Email verification for new accounts
>> Change email address
>> Account closed
>> Password change successful
>> 
>> Cases 
>> Relying Party (RP) tells Mail Provider (IDP) of possible compromise
>> RP will tell IDP when compromise of RP account started when RP received a password reset or OTP to IDP account.
>> 
>> RP sends PubSub message to IDP after local detection determines a compromise and links it to the account recovery via the IDP.
>> 
>> Proof at risk: IDP tells RP they are at risk
>> IDP will tell RP when IDP received an OTP or PWR from RP account during a time IDP account was compromised.
>> 
>> IDP keeps track of incoming PWRs, sends pubsub to RPs that have sent recent PWRs
>> 
>>> On Thu, Sep 22, 2016 at 9:24 AM, Adam Dawes <adawes at google.com> wrote:
>>> Hi all,
>>> 
>>> For today's call, I think we'll have a bit to talk about. Google and Microsoft spent all day yesterday talking about our collaboration together for RISC and today Google, Microsoft and Amazon are talking.
>>> 
>>> Additionally, if we have time, we can continue our discussion about SET and transport.
>>> 
>>> Hope to see you there.
>>> 
>>> 1.  Please join my meeting.
>>> https://global.gotomeeting.com/join/576653581
>>> 
>>> 2.  Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.
>>> 
>>> United States: +1 (312) 757-3119
>>> Australia: +61 2 9091 7603
>>> Austria: +43 (0) 7 2088 0716
>>> Belgium: +32 (0) 28 08 4372
>>> Canada: +1 (647) 497-9380
>>> Denmark: +45 (0) 69 91 84 58
>>> Finland: +358 (0) 931 58 1773
>>> France: +33 (0) 170 950 590
>>> Germany: +49 (0) 692 5736 7300
>>> Ireland: +353 (0) 15 133 006
>>> Italy: +39 0 699 26 68 65
>>> Netherlands: +31 (0) 208 080 759
>>> New Zealand: +64 9 974 9579
>>> Norway: +47 21 04 30 59
>>> Spain: +34 931 76 1534
>>> Sweden: +46 (0) 852 500 691
>>> Switzerland: +41 (0) 435 0026 89
>>> United Kingdom: +44 (0) 20 3713 5011
>>> 
>>> Access Code: 576-653-581
>>> Audio PIN: Shown after joining the meeting
>>> 
>>> Meeting ID: 576-653-581
>>> 
>>> -- 
>>> Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410
>>> 
>> 
>> 
>> 
>> -- 
>> Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410
>> 
> 
> 
> 
> -- 
> Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410
> 
> _______________________________________________
> Openid-specs-risc mailing list
> Openid-specs-risc at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-risc
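The "IDP tells RP they are at risk" case from the 9/21 meeting notes quoted above, as an added example that is not part of the original thread or any RISC specification: the mail provider records recovery mails that carry the header, then lists the RPs whose mail arrived inside a compromise window. The header name `X-RISC-Mail-Type`, its values, and all addresses are hypothetical, and the header is taken at face value, which is the trust concern raised in the call feedback.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

RISC_HEADER = "X-RISC-Mail-Type"                  # hypothetical header name
RECOVERY_TYPES = {"password-reset", "email-otp"}  # PWR and OTP in the notes

class RecoveryTracker:
    """IDP-side record of recovery mails, keyed by recipient mailbox."""

    def __init__(self):
        self._seen = {}  # mailbox -> [(received_at, rp_domain)]

    def observe(self, raw_message):
        """Record a message if it carries the header; return True if recorded."""
        msg = message_from_string(raw_message)
        mail_type = (msg.get(RISC_HEADER) or "").strip().lower()
        if mail_type not in RECOVERY_TYPES:
            return False
        mailbox = parseaddr(msg.get("To", ""))[1].lower()
        rp_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        # The Date header stands in for the IDP's own receipt timestamp here.
        received_at = parsedate_to_datetime(msg["Date"])
        self._seen.setdefault(mailbox, []).append((received_at, rp_domain))
        return True

    def rps_to_notify(self, mailbox, start, end):
        """RPs whose recovery mail arrived while the mailbox was compromised."""
        seen = self._seen.get(mailbox.lower(), [])
        return sorted({rp for when, rp in seen if start <= when <= end})

def mail(sender, date, mail_type=None):
    """Build a constructed sample message for alice@mail.example."""
    header = f"{RISC_HEADER}: {mail_type}\n" if mail_type else ""
    return (f"From: {sender}\nTo: alice@mail.example\nDate: {date}\n"
            f"{header}Subject: sample\n\nbody\n")

SAMPLES = [  # constructed input, not real traffic
    mail("noreply@shop.example", "Wed, 21 Sep 2016 10:00:00 +0000", "password-reset"),
    mail("login@bank.example", "Sun, 25 Sep 2016 09:00:00 +0000", "email-otp"),
    mail("promo@news.example", "Wed, 21 Sep 2016 11:00:00 +0000"),
]

def demo():
    tracker = RecoveryTracker()
    recorded = [tracker.observe(m) for m in SAMPLES]
    window = (datetime(2016, 9, 20, tzinfo=timezone.utc),
              datetime(2016, 9, 22, tzinfo=timezone.utc))
    return recorded, tracker.rps_to_notify("alice@mail.example", *window)
```
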