<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">No, you have to give the other members of the specs council time to vote.<div class=""><br class=""></div><div class="">However, I also vote to approve the creation of the working group with the charter.</div><div class=""><br class=""></div><div class="">That makes 3 yes and no opposed at this point.</div><div class=""><br class=""></div><div class="">After approval, people sign the IPR to join the WG.</div><div class="">Then there is a WG founding meeting where the members vote to adopt the charter.</div><div class=""><br class=""></div><div class="">After that you are a full WG.</div><div class=""><br class=""></div><div class="">John B.</div><div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Mar 2, 2015, at 8:15 AM, Adam Dawes <<a href="mailto:adawes@google.com" class="">adawes@google.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Does this mean that we're an official working group now?</div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Sun, Mar 1, 2015 at 4:59 PM, Nat Sakimura <span dir="ltr" class=""><<a href="mailto:sakimura@gmail.com" target="_blank" class="">sakimura@gmail.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto" class=""><div class="">+1<br class=""><br class="">=nat via iPhone</div><div class=""><br class="">On 2015/03/02 2:33, Ashish Jain <<a href="mailto:ashishjain@vmware.com" target="_blank" class="">ashishjain@vmware.com</a>> wrote:<br class=""><br class=""></div><blockquote type="cite" class=""><div class="">
<div class="">+1</div>
<div class=""><br class="">
</div>
<span class="">
<div style="font-family: Calibri; font-size: 11pt; text-align: left; border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-top-color: rgb(181, 196, 223);" class="">
<span style="font-weight:bold" class="">From: </span>Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" class="">Michael.Jones@microsoft.com</a>><br class="">
<span style="font-weight:bold" class="">Date: </span>Friday, February 27, 2015 at 4:54 PM<br class="">
<span style="font-weight:bold" class="">To: </span>Adam Dawes <<a href="mailto:adawes@google.com" target="_blank" class="">adawes@google.com</a>>, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" class="">ve7jtb@ve7jtb.com</a>><br class="">
<span style="font-weight:bold" class="">Cc: </span>Chuck Mortimore <<a href="mailto:cmortimore@salesforce.com" target="_blank" class="">cmortimore@salesforce.com</a>>, John Ehrig <<a href="mailto:jehrig@inventures.com" target="_blank" class="">jehrig@inventures.com</a>>, Andrew Nash <<a href="mailto:andrew@confyrm.com" target="_blank" class="">andrew@confyrm.com</a>>,
"<a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">openid-specs-council@lists.openid.net</a>" <<a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">openid-specs-council@lists.openid.net</a>>, Ashish Jain <<a href="mailto:ashishjain@vmware.com" target="_blank" class="">ashishjain@vmware.com</a>>,
Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank" class="">sakimura@gmail.com</a>>, "<a href="mailto:aatoc@googlegroups.com" target="_blank" class="">aatoc@googlegroups.com</a>" <<a href="mailto:aatoc@googlegroups.com" target="_blank" class="">aatoc@googlegroups.com</a>><br class="">
<span style="font-weight:bold" class="">Subject: </span>RE: [OIDFSC] AATOC Working Group Charter<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">
<div class="">
<div style="font-family:Calibri,sans-serif;font-size:11pt" class="">I approve of the creation of this working group with this charter.</div>
</div>
<div dir="ltr" class="">
<hr class="">
<span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold" class="">From:
</span><span style="font-family:Calibri,sans-serif;font-size:11pt" class=""><a href="mailto:adawes@google.com" target="_blank" class="">Adam Dawes</a></span><br class="">
<span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold" class="">Sent:
</span><span style="font-family:Calibri,sans-serif;font-size:11pt" class="">2/27/2015 11:22 AM</span><br class="">
<span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold" class="">To:
</span><span style="font-family:Calibri,sans-serif;font-size:11pt" class=""><a href="mailto:ve7jtb@ve7jtb.com" target="_blank" class="">John Bradley</a></span><br class="">
<span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold" class="">Cc:
</span><span style="font-family:Calibri,sans-serif;font-size:11pt" class=""><a href="mailto:cmortimore@salesforce.com" target="_blank" class="">Chuck Mortimore</a>;
<a href="mailto:Michael.Jones@microsoft.com" target="_blank" class="">Mike Jones</a>; <a href="mailto:jehrig@inventures.com" target="_blank" class="">
John Ehrig</a>; <a href="mailto:andrew@confyrm.com" target="_blank" class="">Andrew Nash</a>; <a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">
openid-specs-council@lists.openid.net</a>; <a href="mailto:ashishjain@vmware.com" target="_blank" class="">
Ashish Jain</a>; <a href="mailto:sakimura@gmail.com" target="_blank" class="">Nat Sakimura</a>; <a href="mailto:aatoc@googlegroups.com" target="_blank" class="">
aatoc@googlegroups.com</a></span><br class="">
<span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold" class="">Subject:
</span><span style="font-family:Calibri,sans-serif;font-size:11pt" class="">Re: [OIDFSC] AATOC Working Group Charter</span><br class="">
<br class="">
</div>
<div class="">
<div dir="ltr" class="">We had our weekly meeting today and everyone was okay with the Trust Framework addition. We also made an update to the language around privacy considerations. Here is the updated text:
<div class=""><br class="">
</div>
<div class=""><span class="">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">1) Working Group name:
</span></h2><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:8pt" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Abuse and Account Take-Over Coordination Working
Group</span></p>
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">2) Purpose</span></h2><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">The goal of AATOC is to provide data sharing
schemas, privacy recommendations and protocols to:</span></div>
<br class="">
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Share information about important security events in order to thwart attackers from leveraging
compromised accounts from one Service Provider to gain access to accounts on other Service Providers (mobile or web application developers and owners).
</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Enable users and providers to coordinate in order to securely restore accounts following a compromise.</span></div>
</li></ul>
<br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Internet accounts that use email addresses
or phone numbers as the primary identifier for the account will be the initial focus.
</span></div>
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">3) Scope</span></h2><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">The group will define:</span></div>
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Security events</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class=""><br class="">
</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">These are events – whether directly authentication-related or occurring at another time in the user flow – that take place on one service that could also have security
implications on other Service Providers. The group will develop a taxonomy of security events and a common set of semantics to express relevant information about a security event.</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class=""><br class="">
<br class="">
</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Privacy Implications</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class=""><br class="">
</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Sharing security information amongst providers has potential privacy implications for both end users and service providers. These privacy implications must be considered
against both (a) applicable regulations, policies, and the principles of user notice, choice and consent, and (b) the recognized benefits of protecting users’ accounts and data from abuse. The group will consider ways to address such potential privacy implications
when defining mechanisms to handle the various security events and recommend best practices for the industry.</span></div>
</li></ul>
<br class="">
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Communications mechanisms</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class=""><br class="">
</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Define bindings for the use of an existing transport protocol defined elsewhere.</span></div>
</li></ul>
<br class="">
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Event schema</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class=""><br class="">
</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Define a schema describing relevant events and relationships to allow for dissemination between interested and authorized parties. </span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class=""><br class="">
<br class="">
</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Trust Frameworks</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class=""><br class="">
</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Define at least one model for the conditions under which information would be shared.
</span></div>
</li></ul>
<br class="">
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; font-weight: bold; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Account recovery mechanisms</span></div>
</li></ul><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt;" class="">
<span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Standardized mechanism(s) to allow providers to signal that a user has regained control of an account, or allow a
user to explicitly restore control of a previously compromised account, with or without direct user involvement.</span></div>
<h2 dir="ltr" style="line-height:1.15714285714286;margin-top:10pt;margin-bottom:8pt" class="">
<span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Out of scope:</span></h2><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Determining the account quality/reputation
of a user on a particular service and communicating that to others.</span></div>
<br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Definition of APIs and underlying mechanisms
for connecting to, interacting with and operating centralized databases or intelligence clearinghouses when these are used to communicate security events between account providers.</span></div>
<br class="">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">4) Proposed Deliverables</span></h2><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">The group proposes the following
</span><span style="font-size: 15px; font-family: Arial; font-weight: bold; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Non-Specification</span><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">
deliverables:</span></div>
<br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt;" class="">
<span style="font-size: 15px; font-family: Arial; font-weight: bold; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Security Event and Account Lifecycle Schema</span></div>
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; margin-left: 48px; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">A taxonomy of security events and a common set of semantics to express relevant information about
a security event and its relationships to other relevant data, events or indicators.
</span></div>
</li></ul>
<br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt;" class="">
<span style="font-size: 15px; font-family: Arial; font-weight: bold; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Security Event Privacy Guidelines</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt;" class="">
<span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">A set of recommendations on how to minimize the privacy impact on users and service providers while improving security,
and how to provide appropriate privacy disclosures, labeling and access control guidelines around information in the Security Event Schema.
</span></div>
<br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt;" class="">
<span style="font-size: 15px; font-family: Arial; font-weight: bold; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Trust Framework</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt;" class="">
<span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">A trust framework defining roles and responsibilities of parties sharing user security event information</span></div>
<br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">The group proposes the following
</span><span style="font-size: 15px; font-family: Arial; font-weight: bold; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Specification
</span><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">deliverables:</span></div>
<br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt;" class="">
<span style="font-size: 15px; font-family: Arial; font-weight: bold; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Communications Mechanisms</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt;" class="">
<span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Define bindings for the event messages to an already existing transport protocol to promote interoperability of sending
event information to another Service Provider. This will allow a Service Provider to implement a single piece of infrastructure that would be able to send or receive event information to any other service provider.
</span></div>
<br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; font-weight: bold; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Order of Deliverables</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">The group will work to produce the Security
Event and Account Lifecycle Schema before beginning work on the Communications Mechanism or Trust Framework.</span></div>
<br class="">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">5) Anticipated audience
or users</span></h2>
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Service Providers who manage their own account systems which require an email address or phone
number for registration.</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Account and email providers that understand key security events that happen to a user’s account.</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Identity as a Service (IDaaS) vendors that manage account and authentication systems for their
customers.</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Users seeking to regain control of a compromised account.</span></div>
</li></ul>
<br class="">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">6) Language</span></h2><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">English</span></div>
<br class="">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">7) Method of work:</span></h2><p dir="ltr" style="line-height:1.63636363636364;margin-top:0pt;margin-bottom:8pt" class="">
<span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">E-mail discussions on the working group mailing list, working group conference calls, and face-to-face meetings from
time to time.</span></p>
<br class="">
<h2 dir="ltr" style="line-height:1.63636363636364;margin-top:10pt;margin-bottom:8pt" class="">
<span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">8) Basis for determining when the work is completed:</span></h2><p dir="ltr" style="line-height:1.63636363636364;margin-top:0pt;margin-bottom:8pt" class="">
<span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Rough consensus and running code. The work will be completed once it is apparent that maximal consensus on the draft
has been achieved, consistent with the purpose and scope.</span></p>
<br class="">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Background information</span></h2>
<br class="">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Related work:</span></h2>
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">RFC6545 Real-time Inter-network Defense (RID)</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">RFC6546 Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">RFC6684 Guidelines and Template for Defining Extensions to the Incident Object Description Exchange
Format (IODEF)</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">draft-ietf-mile-rolie Resource-Oriented Lightweight Indicator Exchange
</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information
security controls</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident
management</span></div>
</li></ul>
<br class="">
<br class="">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Proposers</span></h2>
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.63636363636364; margin-top: 0pt; margin-bottom: 0pt;" class="">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Adam Dawes, Google
</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.63636363636364; margin-top: 0pt; margin-bottom: 0pt;" class="">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Mark Risher, Google</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.63636363636364; margin-top: 0pt; margin-bottom: 0pt;" class="">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Trent Adams, PayPal</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.63636363636364; margin-top: 0pt; margin-bottom: 0pt;" class="">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">George Fletcher, AOL</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.63636363636364; margin-top: 0pt; margin-bottom: 0pt;" class="">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Andrew Nash, Confyrm</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.63636363636364; margin-top: 0pt; margin-bottom: 0pt;" class="">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Nat Sakimura, Nomura Research Institute</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.63636363636364; margin-top: 0pt; margin-bottom: 0pt;" class="">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">John Bradley, Ping Identity</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><p dir="ltr" style="line-height:1.63636363636364;margin-top:0pt;margin-bottom:8pt" class="">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Henrik Biering, Peercraft</span></p>
</li></ul>
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Anticipated contributions:</span></h2>
<span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">“Security event reporting between Service Providers 1.0” under the
</span><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__openid.net_intellectual-2Dproperty_&d=AwMF_g&c=Sqcl0Ez6M0X8aeM67LKIiDJAXVeAw-YihVMNtXt-uEs&r=PDGu4NI-duocVzLKrMLVZV9ccYh2Q-1cXto7c2DRReM&m=IR5tru86Ihv2g1IjtatpVdYMQcw52SU4UWhhLzaHxts&s=zsaUoprw8-hewGW9RwEVxCJdDksLM2tfwwQC40jny3Q&e=" style="text-decoration:none" target="_blank" class=""><span style="font-size:15px;font-family:Arial;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">OpenID
Foundation’s IPR Policy</span></a><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">.</span></span><br class="">
</div>
</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Thu, Feb 26, 2015 at 10:36 PM, Adam Dawes <span dir="ltr" class="">
<<a href="mailto:adawes@google.com" target="_blank" class="">adawes@google.com</a>></span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr" class="">I'm resubmitting back under the name of AATOC since LinkedIn has already executed an IPR with that name as well as adding the Trust Framework deliverable.
<div class=""><br class="">
</div>
<div class=""><span class=""><span class="">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt;text-align:center" class="">
<span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">AATOC Charter</span></h2>
<br class="">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">1) Working Group name:
</span></h2>
</span><p dir="ltr" style="line-height:1.2;margin-top:0pt;margin-bottom:8pt" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Abuse and Account Take-Over Coordination Working
Group (AATOC Working Group)</span></p>
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">2) Purpose</span></h2><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">The goal of AATOC is to provide data sharing
schemas, privacy recommendations and protocols to:</span></div>
<span class=""><br class="">
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Share information about important security events in order to thwart attackers from leveraging
compromised accounts from one Service Provider to gain access to accounts on other Service Providers (mobile or web application developers and owners).
</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Enable users and providers to coordinate in order to securely restore accounts following a compromise.</span></div>
</li></ul>
<br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Internet accounts that use email addresses
or phone numbers as the primary identifier for the account will be the initial focus.
</span></div>
</span>
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">3) Scope</span></h2>
<span class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">The group will define:</span></div>
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Security events</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class=""><br class="">
</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">These are events – whether directly authentication-related or occurring at another time in the user flow – that take place on one service that could also have security
implications on other Service Providers. The group will develop a taxonomy of security events and a common set of semantics to express relevant information about a security event.</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class=""><br class="">
<br class="">
</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Privacy Implications</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class=""><br class="">
</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Sharing security information amongst providers has potential privacy implications for both end users and service providers. These privacy implications must be balanced
against the recognized benefits of protecting users’ accounts and data from abuse. The group will consider ways to optimize this balance when defining mechanisms to handle the various security events and recommend best practices for the industry.</span></div>
</li></ul>
<br class="">
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Communications mechanisms</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class=""><br class="">
</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Define bindings for the use of an existing transport protocol defined elsewhere.</span></div>
</li></ul>
<br class="">
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Event schema</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class=""><br class="">
</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Define a schema describing relevant events and relationships to allow for dissemination between interested and authorized parties. </span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class=""><br class="">
<br class="">
</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-weight:bold;vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Trust Frameworks</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class=""><br class="">
</span><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Define at least one model for the conditions under which information would be shared.
</span></div>
</li></ul>
<br class="">
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; font-weight: bold; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Account recovery mechanisms</span></div>
</li></ul><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt;" class="">
<span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Standardized mechanism(s) to allow providers to signal that a user has regained control of an account, or allow a
user to explicitly restore control of a previously compromised account, with or without direct user involvement.</span></div>
<h2 dir="ltr" style="line-height:1.15714285714286;margin-top:10pt;margin-bottom:8pt" class="">
<span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Out of scope:</span></h2><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Determining the account quality/reputation
of a user on a particular service and communicating that to others.</span></div>
<br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Definition of APIs and underlying mechanisms
for connecting to, interacting with and operating centralized databases or intelligence clearinghouses when these are used to communicate security events between account providers.</span></div>
<br class="">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">4) Proposed Deliverables</span></h2><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">The group proposes the following
</span><span style="font-size: 15px; font-family: Arial; font-weight: bold; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Non-Specification</span><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">
deliverables:</span></div>
<br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt;" class="">
<span style="font-size: 15px; font-family: Arial; font-weight: bold; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Security Event and Account Lifecycle Schema</span></div>
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; margin-left: 48px; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">A taxonomy of security events and a common set of semantics to express relevant information about
a security event and its relationships to other relevant data, events or indicators.
</span></div>
</li></ul>
<br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt;" class="">
<span style="font-size: 15px; font-family: Arial; font-weight: bold; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Security Event Privacy Guidelines</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt;" class="">
<span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">A set of recommendations on how to minimize the privacy impact on users and service providers while improving security,
and how to provide appropriate privacy disclosures, labeling and access control guidelines around information in the Security Event Schema.
</span></div>
<br class="">
</span><span class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt;" class="">
<span style="font-size: 15px; font-family: Arial; font-weight: bold; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Trust Framework</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt;" class="">
<span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">A trust framework defining roles and responsibilities of parties sharing user security event information</span></div>
<br class="">
</span><span class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">The group proposes the following
</span><span style="font-size: 15px; font-family: Arial; font-weight: bold; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Specification
</span><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">deliverables:</span></div>
<br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt;" class="">
<span style="font-size: 15px; font-family: Arial; font-weight: bold; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Communications Mechanisms</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt; margin-left: 36pt;" class="">
<span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Define bindings for the event messages to an already existing transport protocol to promote interoperability of sending
event information to another Service Provider. This will allow a Service Provider to implement a single piece of infrastructure that would be able to send or receive event information to any other service provider.
</span></div>
<br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; font-weight: bold; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Order of Deliverables</span></div>
</span><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">The group will work to produce the Security
Event and Account Lifecycle Schema before beginning work on the Communications Mechanism or Trust Framework.</span></div>
<div class="">
<div class=""><br class="">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">5) Anticipated audience
or users</span></h2>
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Service Providers who manage their own account systems which require an email address or phone
number for registration.</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Account and email providers that understand key security events that happen to a user’s account.</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Identity as a Service (IDaaS) vendors that manage account and authentication systems for their
customers.</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Users seeking to regain control of a compromised account.</span></div>
</li></ul>
<br class="">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">6) Language</span></h2><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">English</span></div>
<br class="">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">7) Method of work:</span></h2><p dir="ltr" style="line-height:1.63636363636364;margin-top:0pt;margin-bottom:8pt" class="">
<span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">E-mail discussions on the working group mailing list, working group conference calls, and face-to-face meetings from
time to time.</span></p>
<br class="">
<h2 dir="ltr" style="line-height:1.63636363636364;margin-top:10pt;margin-bottom:8pt" class="">
<span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">8) Basis for determining when the work is completed:</span></h2><p dir="ltr" style="line-height:1.63636363636364;margin-top:0pt;margin-bottom:8pt" class="">
<span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Rough consensus and running code. The work will be completed once it is apparent that maximal consensus on the draft
has been achieved, consistent with the purpose and scope.</span></p>
<br class="">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Background information</span></h2>
<br class="">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Related work:</span></h2>
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">RFC6545 Real-time Inter-network Defense (RID)</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">RFC6546 Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">RFC6684 Guidelines and Template for Defining Extensions to the Incident Object Description Exchange
Format (IODEF)</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">draft-ietf-mile-rolie Resource-Oriented Lightweight Indicator Exchange
</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information
security controls</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident
management</span></div>
</li></ul>
<br class="">
<br class="">
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Proposers</span></h2>
<ul style="margin-top:0pt;margin-bottom:0pt" class="">
<li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.63636363636364; margin-top: 0pt; margin-bottom: 0pt;" class="">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Adam Dawes, Google
</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.63636363636364; margin-top: 0pt; margin-bottom: 0pt;" class="">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Mark Risher, Google</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.63636363636364; margin-top: 0pt; margin-bottom: 0pt;" class="">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Trent Adams, PayPal</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.63636363636364; margin-top: 0pt; margin-bottom: 0pt;" class="">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">George Fletcher, AOL</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.63636363636364; margin-top: 0pt; margin-bottom: 0pt;" class="">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Andrew Nash, Confyrm</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.63636363636364; margin-top: 0pt; margin-bottom: 0pt;" class="">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Nat Sakimura, Nomura Research Institute</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><div style="line-height: 1.63636363636364; margin-top: 0pt; margin-bottom: 0pt;" class="">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">John Bradley, Ping Identity</span></div>
</li><li dir="ltr" style="list-style-type: disc; font-size: 15px; font-family: Arial; vertical-align: baseline; background-color: transparent;" class=""><p dir="ltr" style="line-height:1.63636363636364;margin-top:0pt;margin-bottom:8pt" class="">
<span style="vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">Henrik Biering, Peercraft</span></p>
</li></ul>
<h2 dir="ltr" style="line-height:1.2;margin-top:10pt;margin-bottom:8pt" class=""><span style="font-size: 17px; font-family: 'Trebuchet MS'; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">Anticipated contributions:</span></h2><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">“Security event reporting between Service
Providers 1.0” under the </span><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__openid.net_intellectual-2Dproperty_&d=AwMF_g&c=Sqcl0Ez6M0X8aeM67LKIiDJAXVeAw-YihVMNtXt-uEs&r=PDGu4NI-duocVzLKrMLVZV9ccYh2Q-1cXto7c2DRReM&m=IR5tru86Ihv2g1IjtatpVdYMQcw52SU4UWhhLzaHxts&s=zsaUoprw8-hewGW9RwEVxCJdDksLM2tfwwQC40jny3Q&e=" style="text-decoration:none" target="_blank" class=""><span style="font-size:15px;font-family:Arial;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap;background-color:transparent" class="">OpenID
Foundation’s IPR Policy</span></a><span style="font-size: 15px; font-family: Arial; vertical-align: baseline; white-space: pre-wrap; background-color: transparent;" class="">.</span></div>
<br class="">
</div>
</div>
</span></div>
</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote"><span class="">On Thu, Feb 26, 2015 at 2:06 PM, John Bradley
<span dir="ltr" class=""><<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" class="">ve7jtb@ve7jtb.com</a>></span> wrote:<br class="">
</span>
<div class="">
<div class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="auto" class="">
<div class="">You can start joining the Friday calls now. </div>
<div class=""><br class="">
</div>
<div class="">We need to finalize the charter before people need to worry about signing the WG IPR. <br class="">
<br class="">
Sent from my iPhone</div>
<div class="">
<div class="">
<div class=""><br class="">
On Feb 26, 2015, at 4:56 PM, Chuck Mortimore <<a href="mailto:cmortimore@salesforce.com" target="_blank" class="">cmortimore@salesforce.com</a>> wrote:<br class="">
<br class="">
</div>
<blockquote type="cite" class="">
<div class="">
<div dir="ltr" class="">Our incident response team wants to participate. Should we just wait for the mailing list, or is there a way to get working on the agreement?</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Thu, Feb 26, 2015 at 8:30 AM, Mike Jones <span dir="ltr" class="">
<<a href="mailto:Michael.Jones@microsoft.com" target="_blank" class="">Michael.Jones@microsoft.com</a>></span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" class="">
<div class=""><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)" class="">I’d hold off posting it until the working group has been created. Given that the intent is clear, I’m OK with accepting the agreement as-is, but
would defer to others if they’d prefer that it be revised before being posted.<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)" class="">Out of curiosity, who was the agreement from?<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)" class=""><u class=""></u> <u class=""></u></span></p>
<div class="">
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in" class=""><p class="MsoNormal"><b class=""><span style="font-size:10pt;font-family:Tahoma,sans-serif" class="">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif" class=""> specs-council [mailto:<a href="mailto:openid-specs-council-bounces@lists.openid.net" target="_blank" class="">openid-specs-council-bounces@lists.openid.net</a>]
<b class="">On Behalf Of </b>John Ehrig<br class="">
<b class="">Sent:</b> Thursday, February 26, 2015 7:00 AM<br class="">
<b class="">To:</b> Adam Dawes; Andrew Nash<br class="">
<b class="">Cc:</b> John Bradley; Nat Sakimura; Ashish Jain; <a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">
openid-specs-council@lists.openid.net</a>; <a href="mailto:aatoc@googlegroups.com" target="_blank" class="">
aatoc@googlegroups.com</a><br class="">
<b class="">Subject:</b> Re: [OIDFSC] AATOC Working Group Charter<u class=""></u><u class=""></u></span></p>
</div>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)" class="">Hi All,<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)" class="">I have already received a contribution agreement for this WG (under the “old” name, however) (see attached). Can we accept it under the old name,
should I go ahead and post it to the website now, or should I wait until the WG is actually approved?<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)" class="">Please let me know.<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)" class="">Thanks!<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><b class=""><span style="font-size:10pt;font-family:Tahoma,sans-serif" class="">From:</span></b><span style="font-size:10pt;font-family:Tahoma,sans-serif" class=""> specs-council [<a href="mailto:openid-specs-council-bounces@lists.openid.net" target="_blank" class="">mailto:openid-specs-council-bounces@lists.openid.net</a>]
<b class="">On Behalf Of </b>Adam Dawes<br class="">
<b class="">Sent:</b> Thursday, February 26, 2015 1:06 AM<br class="">
<b class="">To:</b> Andrew Nash<br class="">
<b class="">Cc:</b> John Bradley; <a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">
openid-specs-council@lists.openid.net</a>; Ashish Jain; Nat Sakimura; <a href="mailto:aatoc@googlegroups.com" target="_blank" class="">
aatoc@googlegroups.com</a><br class="">
<b class="">Subject:</b> Re: [OIDFSC] AATOC Working Group Charter<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal">Okay, I've revised the charter, with a new name, USESC (I couldn't fathom losing the "O" in AATOC). It doesn't have quite the ring but it's a bit more general which is useful since I think what will be produced will have uses beyond abuse
and account takeovers. I've also included a deliverable on trust frameworks.<u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">Here it is:<u class=""></u><u class=""></u></p>
</div>
<div class="">
<h2 align="center" style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in;text-align:center" class="">
<span style="font-size: 13pt; font-family: 'Trebuchet MS', sans-serif;" class="">USESC Charter</span><u class=""></u><u class=""></u></h2><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size: 13pt; font-family: 'Trebuchet MS', sans-serif;" class="">1) Working Group name:
</span><u class=""></u><u class=""></u></h2><p style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">User Security Event Sharing and Coordination Working Group (USESC Working Group)</span><u class=""></u><u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size: 13pt; font-family: 'Trebuchet MS', sans-serif;" class="">2) Purpose</span><u class=""></u><u class=""></u></h2><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">The goal of USESC is to provide data sharing schemas, privacy recommendations and protocols to:</span><u class=""></u><u class=""></u></div><p class="MsoNormal"><u class=""></u> <u class=""></u></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Share information about important security events related to user accounts in order to thwart attackers from leveraging compromised accounts from one
Service Provider to gain access to accounts on other Service Providers (mobile or web application developers and owners).
<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Enable users and providers to coordinate in order to securely restore accounts following a compromise.<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><u class=""></u> <u class=""></u></p><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Internet accounts that use email addresses or phone numbers as the primary identifier for the account will be the initial focus.
</span><u class=""></u><u class=""></u></div>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size: 13pt; font-family: 'Trebuchet MS', sans-serif;" class="">3) Scope</span><u class=""></u><u class=""></u></h2><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">The group will define:</span><u class=""></u><u class=""></u></div><p style="margin-right:0in;margin-bottom:12.0pt;margin-left:.5in;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><b class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Security events</span></b><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class=""><br class="">
These are events – whether directly authentication-related or occurring at another time in the user flow – that take place on one service that could also have security implications on other Service Providers. The group will develop a taxonomy of security events
and a common set of semantics to express relevant information about a security event.<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><b class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Privacy Implications</span></b><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class=""><br class="">
Sharing security information amongst providers has potential privacy implications for both end users and service providers. These privacy implications must be balanced against the recognized benefits of protecting users’ accounts and data from abuse. The group
will consider ways to optimize this balance when defining mechanisms to handle the various security events and recommend best practices for the industry.<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><u class=""></u> <u class=""></u></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><b class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Communications mechanisms</span></b><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class=""><br class="">
Define bindings for the use of an existing transport protocol defined elsewhere.<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><u class=""></u> <u class=""></u></p><p style="margin-right:0in;margin-bottom:12.0pt;margin-left:.5in;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><b class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Event schema</span></b><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class=""><br class="">
Define a schema describing relevant events and relationships to allow for dissemination between interested and authorized parties. <u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><b class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Trust Frameworks</span></b><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class=""><br class="">
Define at least one model for the conditions under which information would be shared.
<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><u class=""></u> <u class=""></u></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><b class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Account recovery mechanisms<u class=""></u><u class=""></u></span></b></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt" class="">
<span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Standardized mechanism(s) to allow providers to signal that a user has regained control of an account, or allow a user to explicitly restore control of a previously compromised account,
with or without direct user involvement.</span><u class=""></u><u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size: 13pt; font-family: 'Trebuchet MS', sans-serif;" class="">Out of scope:</span><u class=""></u><u class=""></u></h2><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Determining the account quality/reputation of a user on a particular service and communicating that to others.</span><u class=""></u><u class=""></u></div><p class="MsoNormal"><u class=""></u> <u class=""></u></p><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Definition of APIs and underlying mechanisms for connecting to, interacting with and operating centralized databases or intelligence
clearinghouses when these are used to communicate security events between account providers.</span><u class=""></u><u class=""></u></div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size: 13pt; font-family: 'Trebuchet MS', sans-serif;" class="">4) Proposed Deliverables</span><u class=""></u><u class=""></u></h2><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">The group proposes the following
<b class="">Non-Specification</b> deliverables:</span><u class=""></u><u class=""></u></div><p class="MsoNormal"><u class=""></u> <u class=""></u></p><div style="margin: 0in 0in 0.0001pt;" class=""><b class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Security Event and Account Lifecycle Schema</span></b><u class=""></u><u class=""></u></div><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">A taxonomy of security events and a common set of semantics to express relevant information about a security event and its relationships to other relevant
data, events or indicators. <u class=""></u><u class=""></u></span></p><p class="MsoNormal"><u class=""></u> <u class=""></u></p><div style="margin: 0in 0in 0.0001pt;" class=""><b class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Security Event Privacy Guidelines</span></b><u class=""></u><u class=""></u></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">A set of recommendations on how to minimize the privacy impact on users and service providers while improving security, and how to provide
appropriate privacy disclosures, labeling and access control guidelines around information in the Security Event Schema.
</span><u class=""></u><u class=""></u></div><p class="MsoNormal"><u class=""></u> <u class=""></u></p><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">The group proposes the following
<b class="">Specification </b>deliverables:</span><u class=""></u><u class=""></u></div><p class="MsoNormal"><u class=""></u> <u class=""></u></p><div style="margin: 0in 0in 0.0001pt;" class=""><b class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Communications Mechanisms</span></b><u class=""></u><u class=""></u></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Define bindings for the event messages to an already existing transport protocol to promote interoperability of sending event information
to another Service Provider. This will allow a Service Provider to implement a single piece of infrastructure that would be able to send or receive event information to any other service provider.
</span><u class=""></u><u class=""></u></div><p class="MsoNormal"><u class=""></u> <u class=""></u></p><div style="margin: 0in 0in 0.0001pt;" class=""><b class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Order of Deliverables</span></b><u class=""></u><u class=""></u></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">The group will work to produce the Security Event and Account Lifecycle Schema before beginning work on the Communications Mechanism.</span><u class=""></u><u class=""></u></div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size: 13pt; font-family: 'Trebuchet MS', sans-serif;" class="">5) Anticipated audience or users</span><u class=""></u><u class=""></u></h2><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Service Providers who manage their own account systems which require an email address or phone number for registration.<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Account and email providers that understand key security events that happen to a user’s account.<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Identity as a Service (IDaaS) vendors that manage account and authentication systems for their customers.<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Users seeking to regain control of a compromised account.<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size: 13pt; font-family: 'Trebuchet MS', sans-serif;" class="">6) Language</span><u class=""></u><u class=""></u></h2><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">English</span><u class=""></u><u class=""></u></div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size: 13pt; font-family: 'Trebuchet MS', sans-serif;" class="">7) Method of work:</span><u class=""></u><u class=""></u></h2><p style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">E-mail discussions on the working group mailing list, working group conference calls, and face-to-face meetings
from time to time.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size: 13pt; font-family: 'Trebuchet MS', sans-serif;" class="">8) Basis for determining when the work is completed:</span><u class=""></u><u class=""></u></h2><p style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Rough consensus and running code. The work will be completed once it is apparent that maximal consensus on the draft
has been achieved, consistent with the purpose and scope.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size: 13pt; font-family: 'Trebuchet MS', sans-serif;" class="">Background information</span><u class=""></u><u class=""></u></h2><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size: 13pt; font-family: 'Trebuchet MS', sans-serif;" class="">Related work:</span><u class=""></u><u class=""></u></h2><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">RFC6545 Real-time Inter-network Defense (RID)<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">RFC6546 Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">RFC6684 Guidelines and Template for Defining Extensions to the Incident Object Description Exchange Format (IODEF)<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">draft-ietf-mile-rolie Resource-Oriented Lightweight Indicator Exchange
<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident management<u class=""></u><u class=""></u></span></p><p class="MsoNormal" style="margin-bottom:12.0pt"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size: 13pt; font-family: 'Trebuchet MS', sans-serif;" class="">Proposers</span><u class=""></u><u class=""></u></h2><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Adam Dawes, Google
<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Mark Risher, Google<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Trent Adams, PayPal<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">George Fletcher, AOL<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Andrew Nash, Confyrm<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Nat Sakimura, Nomura Research Institute<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">John Bradley, Ping Identity<u class=""></u><u class=""></u></span></p><p style="margin-right:0in;margin-bottom:8.0pt;margin-left:.5in;vertical-align:baseline" class="">
<u class=""></u><span style="font-size: 10pt;" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">Henrik Biering, Peercraft<u class=""></u><u class=""></u></span></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size: 13pt; font-family: 'Trebuchet MS', sans-serif;" class="">Anticipated contributions:</span><u class=""></u><u class=""></u></h2><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">“Security event reporting between Service Providers 1.0” under the
</span><a href="http://openid.net/intellectual-property/" target="_blank" class=""><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">OpenID
Foundation’s IPR Policy</span></a><span style="font-size: 11.5pt; font-family: Arial, sans-serif;" class="">.</span><u class=""></u><u class=""></u></div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal">On Wed, Feb 25, 2015 at 5:37 PM, Andrew Nash <<a href="mailto:andrew@confyrm.com" target="_blank" class="">andrew@confyrm.com</a>> wrote:<u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal">Trent,<u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">we (Confyrm) have started work on a number of aspects of a trust framework in conjunction with Tom Smedinghoff as part of the work we did with the UK Govt and the NSTIC pilot - still early but hopefully will bootstrap some of the work
here <u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="color:#888888" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal"><span style="color:#888888" class="">--Andrew<u class=""></u><u class=""></u></span></p>
</div>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class="">
<div class="">
<div class=""><p class="MsoNormal">On Tue, Feb 24, 2015 at 11:00 PM, 'Adam Dawes' via Abuse and ATO Coordination <<a href="mailto:aatoc@googlegroups.com" target="_blank" class="">aatoc@googlegroups.com</a>> wrote:<u class=""></u><u class=""></u></p>
</div>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt" class="">
<div class="">
<div class="">
<div class="">
<div class=""><p class="MsoNormal">+aatoc-list<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div><p class="MsoNormal">For name, I agree with Nat's suggestion of 'Abuse and Account Take Over Coordination Work Group (AATOC Work Group)'. This just prevents a name change for everyone as well as the mailing list mechanics. <u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">@mike, I think your suggestions about defining trust frameworks also make sense. Do you have any good examples of where this has been done? Will need to discuss this with the rest of the group but in our discussion of transport, there have
been some implicit trust framework concepts at play. In the end, I think there may be different models about with whom info is shared. This will depend on the specific data we define, the quality of data that service providers can share, and the relevant privacy
policies of those providers. <u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">thanks,<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">AD<u class=""></u><u class=""></u></p>
</div>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal">On Tue, Feb 24, 2015 at 7:13 PM, Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank" class="">sakimura@gmail.com</a>> wrote:<u class=""></u><u class=""></u></p><p class="MsoNormal">While we are in the title, in view of the recent executive order
<a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__m.whitehouse.gov_the-2Dpress-2Doffice_2015_02_13_executive-2Dorder-2Dpromoting-2Dprivate-2Dsector-2Dcybersecurity-2Dinformation-2Dshari&d=AwMF_g&c=Sqcl0Ez6M0X8aeM67LKIiDJAXVeAw-YihVMNtXt-uEs&r=PDGu4NI-duocVzLKrMLVZV9ccYh2Q-1cXto7c2DRReM&m=IR5tru86Ihv2g1IjtatpVdYMQcw52SU4UWhhLzaHxts&s=Ymz_Lkzf4BW4FvJ38IDtvVKeQPQkd2kDaKuoWlotzrs&e=" target="_blank" class="">
http://m.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari</a>, we might suggest including the name "Information Sharing and analysis", e.g., AATISAC.
<u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal">On Wed, Feb 25, 2015 at 11:59, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" class="">ve7jtb@ve7jtb.com</a>> wrote:<u class=""></u><u class=""></u></p>
<div class="">
<div class="">
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt" class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal">That is a different WG outside of the OIDF;)<u class=""></u><u class=""></u></p>
</div>
<div class="">
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class="">
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" class="">
<div class=""><p class="MsoNormal">On Feb 24, 2015, at 9:40 PM, Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank" class="">sakimura@gmail.com</a>> wrote:<u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class="">
<div class=""><p class="MsoNormal">Simplicity wins, but doesn't it sound like the WG is creating a protocol to take over accounts ;-) ? <u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal">2015-02-25 11:25 GMT+09:00 Ashish Jain <<a href="mailto:ashishjain@vmware.com" target="_blank" class="">ashishjain@vmware.com</a>>:<u class=""></u><u class=""></u></p>
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class="">I’m not objecting…merely suggesting that referring to it as Account Takeover WG is simpler <u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in" class=""><p class="MsoNormal"><b class=""><span style="font-size:11pt;font-family:Calibri,sans-serif" class="">From:
</span></b><span style="font-size:11pt;font-family:Calibri,sans-serif" class="">Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank" class="">sakimura@gmail.com</a>><br class="">
<b class="">Date: </b>Tuesday, February 24, 2015 at 6:09 PM<br class="">
<b class="">To: </b>Ashish Jain <<a href="mailto:ashishjain@vmware.com" target="_blank" class="">ashishjain@vmware.com</a>><br class="">
<b class="">Cc: </b>Adam Dawes <<a href="mailto:adawes@google.com" target="_blank" class="">adawes@google.com</a>>, "<a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">openid-specs-council@lists.openid.net</a>" <<a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">openid-specs-council@lists.openid.net</a>><u class=""></u><u class=""></u></span></p>
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif" class=""><br class="">
<b class="">Subject: </b>Re: [OIDFSC] AATOC Working Group Charter<u class=""></u><u class=""></u></span></p>
</div>
</div>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class="">I am fine with ATO WG as well. My objection was that the name had the Group in it, which is not a defined word in OpenID Process, so the WG name would become AATOC Group
WG, which is repeating "Group" and awkward. It is just editorial stuff. <u class=""></u><u class=""></u></span></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class="">Are you objecting to the first A and the last C of AATOC? <u class=""></u><u class=""></u></span></p>
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
</div>
</div>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class="">2015-02-25 10:59 GMT+09:00 Ashish Jain <<a href="mailto:ashishjain@vmware.com" target="_blank" class="">ashishjain@vmware.com</a>>:<u class=""></u><u class=""></u></span></p>
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class="">I understand the need to be precise but ATO WG can probably convey the same message.<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in" class=""><p class="MsoNormal"><b class=""><span style="font-size:11pt;font-family:Calibri,sans-serif" class="">From:
</span></b><span style="font-size:11pt;font-family:Calibri,sans-serif" class="">Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank" class="">sakimura@gmail.com</a>><br class="">
<b class="">Date: </b>Tuesday, February 24, 2015 at 4:56 PM<br class="">
<b class="">To: </b>Adam Dawes <<a href="mailto:adawes@google.com" target="_blank" class="">adawes@google.com</a>><br class="">
<b class="">Cc: </b>"<a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">openid-specs-council@lists.openid.net</a>" <<a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">openid-specs-council@lists.openid.net</a>><br class="">
<b class="">Subject: </b>Re: [OIDFSC] AATOC Working Group Charter<u class=""></u><u class=""></u></span></p>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class="">Dear Specs Council members,
<br class="">
<br class="">
It looks generally fine, with one friendly amendment: <br class="">
<br class="">
Change the title of the working group from: <br class="">
Abuse and Account Takeover Coordination Group<br class="">
<br class="">
to:<br class="">
Abuse and Account Takeover Coordination Working Group<br class="">
<br class="">
as "Abuse and Account Takeover Coordination Group Working Group" is a bit awkward.
<u class=""></u><u class=""></u></span></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class="">I am fine with putting it as just "Abuse and Account Takeover Coordination" as well, since there is a precedent for it. <br class="">
<br class="">
Could any specs council member respond early in this thread if you have any objection or friendly amendment? We have been a bit slack lately in that we have been relying on the two-week limit to execute a charter, but we should be able to act more quickly.<br class="">
<br class="">
Cheers, <u class=""></u><u class=""></u></span></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class=""><br class="">
Nat<u class=""></u><u class=""></u></span></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
</div>
</div>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class="">2015-02-24 19:02 GMT+09:00 Adam Dawes <<a href="mailto:adawes@google.com" target="_blank" class="">adawes@google.com</a>>:<u class=""></u><u class=""></u></span></p>
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class="">I would like to form a new work group, AATOC. Here is our proposed charter:<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div>
<div class="">
<h2 align="center" style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in;text-align:center" class="">
<span style="font-size:13pt;font-family:'Trebuchet MS',sans-serif" class="">AATOC Charter</span><span style="font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></h2><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size:13pt;font-family:'Trebuchet MS',sans-serif" class="">1) Working Group name:
</span><span style="font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></h2><p style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Abuse and Account Takeover Coordination Group (AATOC)</span><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size:13pt;font-family:'Trebuchet MS',sans-serif" class="">2) Purpose</span><span style="font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">The goal of AATOC is to provide data sharing schemas, privacy recommendations and protocols to:</span><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Share information about important security events in order to thwart attackers from leveraging compromised accounts from one Service Provider to gain access to accounts
on other Service Providers (mobile or web application developers and owners). <u class="">
</u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Enable users and providers to coordinate in order to securely restore accounts following a compromise.<u class=""></u><u class=""></u></span></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Internet accounts that use email addresses or phone numbers as the primary identifier for the account will be the initial focus.
</span><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size:13pt;font-family:'Trebuchet MS',sans-serif" class="">3) Scope</span><span style="font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">The group will define:</span><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-bottom:12.0pt;margin-left:47.25pt;vertical-align:baseline">
<u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><b class=""><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Security events</span></b><span style="font-size:11.5pt;font-family:Arial,sans-serif" class=""><br class="">
These are events – whether directly authentication-related or occurring at another time in the user flow – that take place on one service that could also have security implications on other Service Providers. The group will develop a taxonomy of security events
and a common set of semantics to express relevant information about a security event.<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><b class=""><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Privacy Implications</span></b><span style="font-size:11.5pt;font-family:Arial,sans-serif" class=""><br class="">
Sharing security information amongst providers has potential privacy implications for both end users and service providers. These privacy implications must be balanced against the recognized benefits of protecting users’ accounts and data from abuse. The group
will consider ways to optimize this balance when defining mechanisms to handle the various security events and recommend best practices for the industry.<u class=""></u><u class=""></u></span></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><b class=""><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Communications mechanisms</span></b><span style="font-size:11.5pt;font-family:Arial,sans-serif" class=""><br class="">
Define bindings for the use of an existing transport protocol defined elsewhere.<u class=""></u><u class=""></u></span></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><b class=""><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Event schema</span></b><span style="font-size:11.5pt;font-family:Arial,sans-serif" class=""><br class="">
Define a schema describing relevant events and relationships to allow for dissemination between interested and authorized parties. <u class=""></u><u class=""></u></span></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><b class=""><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Account recovery mechanisms<u class=""></u><u class=""></u></span></b></p>
</div>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Standardized mechanism(s) to allow providers to signal that a user has regained control of an account, or allow a user to explicitly restore control of a previously compromised
account, with or without direct user involvement.</span><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size:13pt;font-family:'Trebuchet MS',sans-serif" class="">Out of scope:</span><span style="font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Determining the account quality/reputation of a user on a particular service and communicating that to others.</span><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Definition of APIs and underlying mechanisms for connecting to, interacting with and operating centralized databases or intelligence clearinghouses when these are used to
communicate security events between account providers.</span><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size:13pt;font-family:'Trebuchet MS',sans-serif" class="">4) Proposed Deliverables</span><span style="font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">The group proposes the following
<b class="">Non-Specification</b> deliverables:</span><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<div class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Security Event and Account Lifecycle Schema</span></b><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">A taxonomy of security events and a common set of semantics to express relevant information about a security event and its relationships to other relevant data, events
or indicators. <u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Security Event Privacy Guidelines</span></b><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">A set of recommendations on how to minimize the privacy impact on users and service providers while improving security, and how to provide appropriate privacy disclosures,
labeling and access control guidelines around information in the Security Event Schema.
</span><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">The group proposes the following
<b class="">Specification </b>deliverables:</span><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<div class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Communications Mechanisms</span></b><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Define bindings for the event messages to an already existing transport protocol to promote interoperability of sending event information to another Service Provider. This
will allow a Service Provider to implement a single piece of infrastructure that would be able to send or receive event information to any other service provider.
</span><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<div class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Order of Deliverables</span></b><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">The group will work to produce the Security Event and Account Lifecycle Schema before beginning work on the Communications Mechanism.</span><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size:13pt;font-family:'Trebuchet MS',sans-serif" class="">5) Anticipated audience or users</span><span style="font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></h2>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Service Providers who manage their own account systems which require an email address or phone number for registration.<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Account and email providers that understand key security events that happen to a user’s account.<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Identity as a Service (IDaaS) vendors that manage account and authentication systems for their customers.<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Users seeking to regain control of a compromised account.<u class=""></u><u class=""></u></span></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size:13pt;font-family:'Trebuchet MS',sans-serif" class="">6) Language</span><span style="font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">English</span><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size:13pt;font-family:'Trebuchet MS',sans-serif" class="">7) Method of work:</span><span style="font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></h2><p style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">E-mail discussions on the working group mailing list, working group conference calls, and face-to-face meetings from time to time.</span><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size:13pt;font-family:'Trebuchet MS',sans-serif" class="">8) Basis for determining when the work is completed:</span><span style="font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></h2><p style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Rough consensus and running code. The work will be completed once it is apparent that maximal consensus on the draft has been
achieved, consistent with the purpose and scope.</span><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size:13pt;font-family:'Trebuchet MS',sans-serif" class="">Background information</span><span style="font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></h2><p class="MsoNormal"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size:13pt;font-family:'Trebuchet MS',sans-serif" class="">Related work:</span><span style="font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></h2>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">RFC6545 Real-time Inter-network Defense (RID)<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">RFC6546 Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">RFC6684 Guidelines and Template for Defining Extensions to the Incident Object Description Exchange Format (IODEF)<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">draft-ietf-mile-rolie Resource-Oriented Lightweight Indicator Exchange
<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident management<u class=""></u><u class=""></u></span></p>
</div><p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size:13pt;font-family:'Trebuchet MS',sans-serif" class="">Proposers</span><span style="font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></h2>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Adam Dawes, Google
<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Mark Risher, Google<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Trent Adams, PayPal<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">George Fletcher, AOL<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Andrew Nash, Confyrm<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Nat Sakimura, Nomura Research Institute<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline"><u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">John Bradley, Ping Identity<u class=""></u><u class=""></u></span></p>
</div><p style="margin-right:0in;margin-bottom:8.0pt;margin-left:47.25pt;vertical-align:baseline" class="">
<u class=""></u><span style="font-size:10pt" class=""><span class="">·<span style="font-style:normal;font-variant:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'" class="">
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">Henrik Biering, Peercraft<u class=""></u><u class=""></u></span></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class=""><span style="font-size:13pt;font-family:'Trebuchet MS',sans-serif" class="">Anticipated contributions:</span><span style="font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">“Security event reporting between Service Providers 1.0” under the
</span><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><a href="http://openid.net/intellectual-property/" target="_blank" class=""><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">OpenID
Foundation’s IPR Policy</span></a></span><span style="font-size:11.5pt;font-family:Arial,sans-serif" class="">.</span><span style="font-size:9.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u><u class=""></u></span></p>
</div>
</div>
</div>
</div><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class=""><br class="">
<br clear="all" class="">
<u class=""></u><u class=""></u></span></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class=""><u class=""></u> <u class=""></u></span></p>
</div><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class="">--
<u class=""></u><u class=""></u></span></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class="">Nat Sakimura (=nat)
<u class=""></u><u class=""></u></span></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:Calibri,sans-serif" class="">Chairman, OpenID Foundation<br class="">
<a href="http://nat.sakimura.org/" target="_blank" class="">http://nat.sakimura.org/</a><br class="">
@_nat_en<u class=""></u><u class=""></u></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<span class=""><font color="#888888" class=""></font></span></div>
<span class=""><font color="#888888" class=""></font></span></blockquote>
<span class=""><font color="#888888" class=""></font></span></div>
<span class=""><font color="#888888" class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</font></span></div>
<span class=""><font color="#888888" class=""></font></span></div>
<span class=""><font color="#888888" class=""></font></span></blockquote>
<span class=""><font color="#888888" class=""></font></span></div>
<span class=""><font color="#888888" class=""></font></span></div>
<span class=""><font color="#888888" class=""></font></span></div>
<span class=""><font color="#888888" class=""></font></span></div>
<span class=""><font color="#888888" class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</font></span></div>
<span class=""><font color="#888888" class=""></font></span></div>
<span class=""><font color="#888888" class=""></font></span></div>
</blockquote>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
<br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</span>
</div></blockquote></div></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></div></body></html>