[Openid-specs-ab] Issue #2159: Consider recommendations from Cyber Safety Review Board report (openid/connect)

josephheenan issues-reply at bitbucket.org
Fri Jul 5 08:21:10 UTC 2024


New issue 2159: Consider recommendations from Cyber Safety Review Board report
https://bitbucket.org/openid/connect/issues/2159/consider-recommendations-from-cyber-safety

Joseph Heenan:

I don’t think the working group has discussed this report yet:

https://www.cisa.gov/resources-tools/resources/cyber-safety-review-board-releases-report-microsoft-online-exchange-incident-summer-2023

In particular it seems worth drawing the group's attention to recommendation 13, which explicitly names both OIDF and OpenID Connect:

> CSPs and relevant standards bodies, such as OpenID Foundation (OIDF), Organization for the Advancement of Structured Information Standards (OASIS), and The Internet Engineering Task Force (IETF), should develop or update profiles for core digital identity standards such as OIDC and Security Assertion Markup Language (SAML) to include requirements and/or security considerations around key rotation, stateful credentials, credential linking, and key scope.


But these two are also fairly relevant:

> RECOMMENDATION 11: CSPs should implement emerging standards such as Open Authorization (OAuth) 2 Demonstrating Proof-of-Possession (DPoP) (bound tokens) and OpenID Shared Signals and Events (SSE) (sharing session risk) that better secure cloud services against credential related attacks.
>
> RECOMMENDATION 12: Relevant standards bodies should refine and update these standards to account for a threat model of advanced nation-state attackers targeting core CSP identity systems.

(Thanks to Tom Sato for sharing this on the SSE WG mailing list)


