[Openid-specs-ab] Credential revocation

Breno de Medeiros breno at google.com
Wed Jan 11 20:12:44 UTC 2012


On Wed, Jan 11, 2012 at 11:39, George Fletcher <gffletch at aol.com> wrote:
> It could be some other signal. In many cases, the way a good user get's
> their account "back" is by going through a password reset flow. In this
> case, the only party capable of doing the "password reset flow" is the IdP.
> The key is to help the "good" user regain access to the services of the RP.
> In this case, the RP needs some assurance that the IdP has re-validated the
> user and is making a "claim" that this is a "good" user.

I think password reset is tricky because it's a very expensive
operation in terms of user experience impact. I expect that IDPs will
not want to honor RP requests for this in the absence of first-hand
knowledge of security practices established by the RP and how they
arrive at the conclusion that password reset is needed.

A more likely route for RPs to do is to implement account recovery
processes. For example, by collecting a phone number for SMS-based
account reset -- and requiring users to go through a flow where they
attest that they changed their IDP password and provide the requested
recovery information.

>
> Thanks,
> George
>
> On 1/11/12 2:34 PM, John Bradley wrote:
>
> Breno, will google as a RP have this use case as well as a RP.
>
> If you detect suspicious activity on an account will you want to ask for a
> password reset or raise some other signal to the IdP?
>
> I agree that id_token revocation should be part of the session management
> spec.
>
> John
> On 2012-01-11, at 4:30 PM, George Fletcher wrote:
>
> I agree with Breno that "session" or "id_token" revocation is more
> important.
>
> The RP asking the user to perform a password reset at the IdP is
> interesting. However, is most of our experience this is really only needed
> with the user is marked for suspicious activity by the RP and the RP wants
> the user to go through some flow to "prove" that they own the account. As an
> RP, we do have this use case.
>
> Thanks,
> George
>
> On 1/11/12 2:07 PM, Breno de Medeiros wrote:
>
> A more useful feature would be instant session revocation on password
> resets. That could be implemented entirely on the IDP as an
> added-feature if the RP supports near-instant detection of session
> state changes (which I am hoping to document for the JS API).
>
> On Wed, Jan 11, 2012 at 11:04, John Bradley <ve7jtb at ve7jtb.com> wrote:
>
> It was something that a number of RP brought up in the early discussions.
>
> We are more IdP weighted at the moment.  I think it was Facebook that was
> most interested in this from the IdP.
>
> It isn't a priority, but the NIST document reminded me it slipped from the
> feature list.
>
> I agree the other things are higher priority.
>
> Just interested in seeing if there is any real interest in the issue.
>
> John B.
> On 2012-01-11, at 3:47 PM, Mike Jones wrote:
>
> I'd only add it to a list if we're seeing actual demand for it from
> deployers.
>
> As it is, I think we should focus on addressing review comments received,
> completing session management, and completing JWE.  And when we finish
> those, adding self-issued IDs.  That's more than enough to keep us
> productively busy for the time being.
>
>                               -- Mike
>
> -----Original Message-----
> From: openid-specs-ab-bounces at lists.openid.net
> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of John Bradley
> Sent: Wednesday, January 11, 2012 10:20 AM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] Credential revocation
>
> FYI a draft from NIST
> http://csrc.nist.gov/publications/drafts/nistir-7817/Draft-NISTIR-7817.pdf
>
> I don't think his conclusion is necessarily practical, however it is
> interesting to see what they are thinking.
>
> We did talk about having a signalling mechanism from RP to IdP to request a
> password reset or provide other signalling.
>
> That got dropped along the way.
>
> Should this get added to a list of possible extensions?
>
> John B.
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
> --
> Chief Architect                   AIM:  gffletch
> Identity Services Engineering     Work: george.fletcher at teamaol.com
> AOL Inc.                          Home: gffletch at aol.com
> Mobile: +1-703-462-3494           Blog: http://practicalid.blogspot.com
> Office: +1-703-265-2544           Twitter: http://twitter.com/gffletch
>
>
>
> --
> Chief Architect                   AIM:  gffletch
> Identity Services Engineering     Work: george.fletcher at teamaol.com
> AOL Inc.                          Home: gffletch at aol.com
> Mobile: +1-703-462-3494           Blog: http://practicalid.blogspot.com
> Office: +1-703-265-2544           Twitter: http://twitter.com/gffletch



-- 
--Breno


More information about the Openid-specs-ab mailing list