[Openid-specs-risc] RISC F2F Oct 28

Hardt, Dick dick at amazon.com
Fri Sep 30 20:18:40 UTC 2016

Is there a reason why we don’t meet in the morning?

On 9/30/16, 12:53 PM, someone claiming to be "Openid-specs-risc on behalf of Phil Hunt (IDM)" <openid-specs-risc-bounces at lists.openid.net on behalf of phil.hunt at oracle.com> wrote:

I plan to attend. Morning is better so I can catch a late afternoon flight out of SFO.


On Sep 30, 2016, at 12:34 PM, Adam Dawes <adawes at google.com> wrote:
Hi all,

I haven't seen any registrations<https://www.eventbrite.com/e/oidf-risc-wg-f2f-tickets-28032589229> yet for the RISC F2F on October 28. If you plan to come, please register to make planning easier.

As far as timing goes, I was planning on having this from 12-5 (lunch provided). We can switch to something like 9:30 - 1:30 if that is better for folks since I know some people are traveling. Please reply to me if you have a strong preference for morning or afternoon and if you don't care, please register now.

Agenda topics:

  *   Initial RISC event definitions

     *   Hijacking
     *   Session revocation/Change password
     *   Token revocation (flavors)

  *   RP registration

     *   API
     *   Email header

  *   Signal sending transport (API)
  *   SET proposal alignment
  *   SET RISC format
  *   Mutual milestones (RISC spec, SET spec, provider implementations)

On Thu, Sep 22, 2016 at 11:38 PM, Adam Dawes <adawes at google.com> wrote:
Notes on today's call:

Sept 22


Adam Dawes, Marius Scurtescu, Jeroen Kemperman, Phil Hunt, Brian Campbell, George Fletcher, Dick Hardt, Henrik Biering

  *   October 28 F2F at Google on Friday after IIW [please register<https://www.eventbrite.com/edit?eid=28032589229&published=0>]

  *   SET working group charter:
      Who will be a reviewer? (Dick agrees)

  *   Contract is signed between Microsoft and Google.
      Google will get a clean contract and share with Amazon, Facebook, Confyrm. Let me know if you have interest in joining as well.

  *   Reviewed Microsoft-Google F2F (below). Went through first 2 use cases. Discussed email header registration process.

     *   Header idea is interesting but not sure what it adds

     *   The recipient still needs to trust that content of the message aligns with the header definition - otherwise can just send promo emails to the user to receive RISC signals. Nothing empirically more trustworthy about the mail.

     *   Seems to add a lot more complexity than just using the pub/sub mechanism. Free to have any 2 parties use this mechanism if they desire but doesn't sound like a great fit for the standard.

     *   Header might be useful for enterprise customers - actually not so hard to look up MX and then do the registration if the mail is hosted.

  *   Marius and Phil have been collaborating on the transport spec.



  *   Relying Parties (RPs) start sending a special email header on all password reset and account registration messages. RPs keep track of when they request an account recovery from IDP.

  *   Mail providers (IDPs) need to keep track of the email reset messages received by looking for this header. This will qualify as the registration for later events.

Mail types

  *   Password Reset

  *   Email OTP challenge

  *   Email verification for new accounts

  *   Change email address

  *   Account closed

  *   Password change successful


1.  Relying Party (RP) tells Mail Provider (IDP) of possible compromise
RP will tell IDP when compromise of RP account started when RP received a password reset or OTP to IDP account.

RP sends PubSub message to IDP after local detection determines a compromise and links it to the account recovery via the IDP.

2.  Proof at risk: IDP tells RP they are at risk
IDP will tell RP when IDP received an OTP or PWR from RP account during a time IDP account was compromised.

IDP keeps track of incoming PWRs, sends PubSub to RPs that have sent recent PWRs

On Thu, Sep 22, 2016 at 9:24 AM, Adam Dawes <adawes at google.com> wrote:
Hi all,

For today's call, I think we'll have a bit to talk about. Google and Microsoft spent all day yesterday talking about our collaboration together for RISC and today Google, Microsoft and Amazon are talking.

Additionally, if we have time, we can continue our discussion about SET and transport.

Hope to see you there.


Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410

