<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">If OAuth is assumed required then implicit cases are excluded since they do not have OAuth in a significant number of cases. <div><br></div><div>If the intent is to require OAuth then we need to agree on that because it excludes participants. <br><br><div id="AppleMailSignature">Phil</div><div><br>On Feb 26, 2018, at 12:04 PM, Hardt, Dick &lt;<a href="mailto:dick@amazon.com">dick@amazon.com</a>&gt; wrote:<br><br></div><blockquote type="cite"><div>



<div class="WordSection1">
<p class="MsoNormal">Implicit use cases would happen in SAML as well, would they not? The implicit use case would be an OIDC flow, not OAuth. There is shared user identifier in OAuth.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m confused by <span style="background:yellow;mso-highlight:yellow">
this statement</span>. This RISC charter states:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:'Helvetica Neue';color:#5A5A5A;background:#FAFAFA">Internet accounts that use email addresses or phone numbers as the primary identifier for the account will be the initial focus.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">What change in direction are you referring to?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal" style="margin-left:.5in">On 2/26/18, 11:55 AM, someone claiming to be "Phil Hunt" &lt;<a href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a>&gt; wrote:<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">My understanding was that implicit use cases exist because no oauth relationship exists. RISC is doing subject management because in the absence of oauth there is no explicit oauth consent. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="background:yellow;mso-highlight:yellow">This exclusionary change in direction needs discussion and a consensus call.</span> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<div id="AppleMailSignature">
<p class="MsoNormal" style="margin-left:.5in">Phil<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in">
<br>
On Feb 26, 2018, at 11:32 AM, Hardt, Dick &lt;<a href="mailto:dick@amazon.com">dick@amazon.com</a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="margin-left:1.0in"><a name="_MailOriginalBody"> <o:p></o:p></a></p>
<div>
<p class="MsoNormal" style="margin-left:1.0in"><span style="mso-bookmark:_MailOriginalBody">My feeling is that any RISC Profile should only deal in issues or opportunities unique to RISC.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody">I agree. If an aspect is clearly specified somewhere else, and meets RISC’s requirements, we should use it.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="mso-bookmark:_MailOriginalBody">It has not been clear what those RISC-specific scoping issues are. Hence, I do not see the purpose for the current RISC Profile draft. For my part, I was expecting a
 draft that actually defined RISC Events.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:1.0in"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:1.0in"><span style="mso-bookmark:_MailOriginalBody">Dick commented on Feb 5 that:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:1.0in"><span style="mso-bookmark:_MailOriginalBody"></span><a href="http://lists.openid.net/pipermail/openid-specs-risc/Week-of-Mon-20180205/000439.html"><span style="mso-bookmark:_MailOriginalBody">http://lists.openid.net/pipermail/openid-specs-risc/Week-of-Mon-20180205/000439.html</span><span style="mso-bookmark:_MailOriginalBody"></span></a><span style="mso-bookmark:_MailOriginalBody"><o:p></o:p></span></p>
</div>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre style="margin-left:1.0in;background:white;white-space:pre-wrap"><span style="mso-bookmark:_MailOriginalBody">I think “need” is too strong. A single management API is desired.<o:p></o:p></span></pre>
<pre style="margin-left:1.0in;background:white"><span style="mso-bookmark:_MailOriginalBody">Another aspect is that the management requirements of RISC, SCIM, OIDC etc. so far look quite different.<o:p></o:p></span></pre>
<pre style="margin-left:1.0in;background:white"><span style="mso-bookmark:_MailOriginalBody">RISC has specific needs, and with a concrete API, there can more easily be a discussion on commonalities, or lack thereof with other SecEvent profiles.<o:p></o:p></span></pre>
</blockquote>
<div>
<p class="MsoNormal" style="margin-left:1.0in"><span style="mso-bookmark:_MailOriginalBody">These statements don’t really play out. The RISC group has not really identified why RISC is unique. <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody">Let me clarify then. As I see it, RISC has the following control plane requirements:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level1 lfo3">
<span style="mso-bookmark:_MailOriginalBody"><!--[if !supportLists]--><span style="mso-list:Ignore">1)<span style="font:7.0pt 'Times New Roman'">     
</span></span><!--[endif]-->Add/remove subjects when the subject is not added implicitly
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level1 lfo3">
<span style="mso-bookmark:_MailOriginalBody"><!--[if !supportLists]--><span style="mso-list:Ignore">2)<span style="font:7.0pt 'Times New Roman'">     
</span></span><!--[endif]-->Check operational status of the event stream<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:-.25in;mso-list:l3 level1 lfo6">
<span style="mso-bookmark:_MailOriginalBody"><!--[if !supportLists]--><span style="mso-list:Ignore">(1)<span style="font:7.0pt 'Times New Roman'">   
</span></span><!--[endif]-->Is not required by either OIDC or SCIM as subjects are determined implicitly by the protocol. Using SCIM for subject management in RISC has been deemed heavy for everyone except those already using SCIM. There currently is no WG document
 in SecEvents for subject management.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in;text-indent:-.25in;mso-list:l3 level1 lfo6">
<span style="mso-bookmark:_MailOriginalBody"><!--[if !supportLists]--><span style="mso-list:Ignore">(2)<span style="font:7.0pt 'Times New Roman'">   
</span></span><!--[endif]-->Is unique to SCIM. There currently is no WG document in SecEvents for subject management.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody">If SecEvents WG sees (1) and/or (2) to have common usage across SecEvents, and the SecEvents WG adopted a WG document for them, then it would make sense to not do that
 work in RISC, but that is not the current state, and given the contention in SecEvents, I think it is important for the RISC WG to move forward and create specifications that meet its requirements.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody">I agree that RISC should be agnostic on what protocol is being used for how 2 parties have a mutual subject, be that OIDC, SAML, shared email, or shared phone number.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="mso-bookmark:_MailOriginalBody">/Dick<o:p></o:p></span></p>
</div>
</div>
</div>
</blockquote>
</div>
</div>


</div></blockquote></div></body></html>