[Openid-specs-ab] Credential revocation

John Bradley ve7jtb at ve7jtb.com
Wed Jan 11 19:34:09 UTC 2012


Breno, will Google as an RP have this use case as well as an RP?

If you detect suspicious activity on an account will you want to ask for a password reset or raise some other signal to the IdP?

I agree that id_token revocation should be part of the session management spec.

John
On 2012-01-11, at 4:30 PM, George Fletcher wrote:

> I agree with Breno that "session" or "id_token" revocation is more important. 
> 
> The RP asking the user to perform a password reset at the IdP is interesting. However, in most of our experience this is really only needed when the user is marked for suspicious activity by the RP and the RP wants the user to go through some flow to "prove" that they own the account. As an RP, we do have this use case.
> 
> Thanks,
> George
> 
> On 1/11/12 2:07 PM, Breno de Medeiros wrote:
>> 
>> A more useful feature would be instant session revocation on password
>> resets. That could be implemented entirely on the IDP as an
>> added-feature if the RP supports near-instant detection of session
>> state changes (which I am hoping to document for the JS API).
>> 
>> On Wed, Jan 11, 2012 at 11:04, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>> It was something that a number of RP brought up in the early discussions.
>>> 
>>> We are more IdP weighted at the moment.  I think it was Facebook that was most interested in this from the IdP.
>>> 
>>> It isn't a priority, but the NIST document reminded me it slipped from the feature list.
>>> 
>>> I agree the other things are higher priority.
>>> 
>>> Just interested in seeing if there is any real interest in the issue.
>>> 
>>> John B.
>>> On 2012-01-11, at 3:47 PM, Mike Jones wrote:
>>> 
>>>> I'd only add it to a list if we're seeing actual demand for it from deployers.
>>>> 
>>>> As it is, I think we should focus on addressing review comments received, completing session management, and completing JWE.  And when we finish those, adding self-issued IDs.  That's more than enough to keep us productively busy for the time being.
>>>> 
>>>>                               -- Mike
>>>> 
>>>> -----Original Message-----
>>>> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of John Bradley
>>>> Sent: Wednesday, January 11, 2012 10:20 AM
>>>> To: openid-specs-ab at lists.openid.net
>>>> Subject: [Openid-specs-ab] Credential revocation
>>>> 
>>>> FYI a draft from NIST
>>>> http://csrc.nist.gov/publications/drafts/nistir-7817/Draft-NISTIR-7817.pdf
>>>> 
>>>> I don't think his conclusion is necessarily practical, however it is interesting to see what they are thinking.
>>>> 
>>>> We did talk about having a signalling mechanism from RP to IdP to request a password reset or provide other signalling.
>>>> 
>>>> That got dropped along the way.
>>>> 
>>>> Should this get added to a list of possible extensions?
>>>> 
>>>> John B.
>>>> 
>>> 
>> 
>> 
> 
> -- 
> Chief Architect                   AIM:  gffletch
> Identity Services Engineering     Work: george.fletcher at teamaol.com
> AOL Inc.                          Home: gffletch at aol.com
> Mobile: +1-703-462-3494           Blog: http://practicalid.blogspot.com
> Office: +1-703-265-2544           Twitter: http://twitter.com/gffletch
