<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">No, the specs council is appointed from current and past editors. Tim is still current if inattentive. Someone can ping him, otherwise there is a two-week time limit for objections.<div class=""><br class=""></div><div class="">Close but not done.<br class=""><div class=""><br class=""></div><div class="">John B.  <br class=""><div><blockquote type="cite" class=""><div class="">On Mar 6, 2015, at 7:14 AM, Adam Dawes <<a href="mailto:adawes@google.com" class="">adawes@google.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">I think we have +1's from all but Tim Bray. I don't believe Tim is active as an editor for Account Chooser any more, that mantle has probably passed to Pam. <div class=""><br class=""></div><div class="">Are we done yet?</div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Mon, Mar 2, 2015 at 9:11 AM, Mike Jones <span dir="ltr" class=""><<a href="mailto:Michael.Jones@microsoft.com" target="_blank" class="">Michael.Jones@microsoft.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang="EN-US" link="blue" vlink="purple" class="">
<div class=""><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">Per
<a href="http://openid.net/foundation/specs-council/" target="_blank" class="">http://openid.net/foundation/specs-council/</a>, the current specs council members are:<u class=""></u><u class=""></u></span></p><p class="MsoNormal" style="margin-left:3.75pt;line-height:15.0pt">
<u class=""></u><span style="font-size:10.0pt;font-family:Symbol;color:#5a5a5a" class=""><span class="">·<span style="font:7.0pt "Times New Roman"" class="">       
</span></span></span><u class=""></u><span style="font-size:10.5pt;font-family:"Helvetica","sans-serif";color:#5a5a5a" class="">John Bradley<u class=""></u><u class=""></u></span></p><p class="MsoNormal" style="margin-left:3.75pt;line-height:15.0pt">
<u class=""></u><span style="font-size:10.0pt;font-family:Symbol;color:#5a5a5a" class=""><span class="">·<span style="font:7.0pt "Times New Roman"" class="">       
</span></span></span><u class=""></u><span style="font-size:10.5pt;font-family:"Helvetica","sans-serif";color:#5a5a5a" class="">Tim Bray<u class=""></u><u class=""></u></span></p><p class="MsoNormal" style="margin-left:3.75pt;line-height:15.0pt">
<u class=""></u><span style="font-size:10.0pt;font-family:Symbol;color:#5a5a5a" class=""><span class="">·<span style="font:7.0pt "Times New Roman"" class="">       
</span></span></span><u class=""></u><span style="font-size:10.5pt;font-family:"Helvetica","sans-serif";color:#5a5a5a" class="">Ashish Jain<u class=""></u><u class=""></u></span></p><p class="MsoNormal" style="margin-left:3.75pt;line-height:15.0pt">
<u class=""></u><span style="font-size:10.0pt;font-family:Symbol;color:#5a5a5a" class=""><span class="">·<span style="font:7.0pt "Times New Roman"" class="">       
</span></span></span><u class=""></u><span style="font-size:10.5pt;font-family:"Helvetica","sans-serif";color:#5a5a5a" class="">Mike Jones<u class=""></u><u class=""></u></span></p><p class="MsoNormal" style="margin-left:3.75pt;line-height:15.0pt">
<u class=""></u><span style="font-size:10.0pt;font-family:Symbol;color:#5a5a5a" class=""><span class="">·<span style="font:7.0pt "Times New Roman"" class="">       
</span></span></span><u class=""></u><span style="font-size:10.5pt;font-family:"Helvetica","sans-serif";color:#5a5a5a" class="">Breno de Medeiros<u class=""></u><u class=""></u></span></p><p class="MsoNormal" style="margin-left:3.75pt;line-height:15.0pt">
<u class=""></u><span style="font-size:10.0pt;font-family:Symbol;color:#5a5a5a" class=""><span class="">·<span style="font:7.0pt "Times New Roman"" class="">       
</span></span></span><u class=""></u><span style="font-size:10.5pt;font-family:"Helvetica","sans-serif";color:#5a5a5a" class="">Chuck Mortimore<u class=""></u><u class=""></u></span></p><p class="MsoNormal" style="margin-left:3.75pt;line-height:15.0pt">
<u class=""></u><span style="font-size:10.0pt;font-family:Symbol;color:#5a5a5a" class=""><span class="">·<span style="font:7.0pt "Times New Roman"" class="">       
</span></span></span><u class=""></u><span style="font-size:10.5pt;font-family:"Helvetica","sans-serif";color:#5a5a5a" class="">Nat Sakimura<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">At this point that leaves Tim, Breno, and Chuck left to vote.<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">                                                            -- Mike<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""><u class=""></u> <u class=""></u></span></p>
<div class="">
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in" class=""><p class="MsoNormal"><b class=""><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class=""> John Bradley [mailto:<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" class="">ve7jtb@ve7jtb.com</a>]
<br class="">
<b class="">Sent:</b> Monday, March 02, 2015 12:04 AM<br class="">
<b class="">To:</b> Adam Dawes<br class="">
<b class="">Cc:</b> Nat Sakimura; Ashish Jain; Mike Jones; Chuck Mortimore; John Ehrig; Andrew Nash; <a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">openid-specs-council@lists.openid.net</a>; <a href="mailto:aatoc@googlegroups.com" target="_blank" class="">aatoc@googlegroups.com</a><br class="">
<b class="">Subject:</b> Re: [OIDFSC] AATOC Working Group Charter<u class=""></u><u class=""></u></span></p>
</div>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p><p class="MsoNormal">No, you have to give the other members of the specs council time to vote.<u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">However, I also vote to approve the creation of the working group with the charter.<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">That makes 3 yes and no opposed at this point.<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">After approval, people sign the IPR to join the WG.<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">Then there is a WG founding meeting where the members vote to adopt the charter.<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">After that you are a full WG.<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">John B.<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class="">
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" class="">
<div class=""><p class="MsoNormal">On Mar 2, 2015, at 8:15 AM, Adam Dawes <<a href="mailto:adawes@google.com" target="_blank" class="">adawes@google.com</a>> wrote:<u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class="">
<div class=""><p class="MsoNormal">Does this mean that we're an official working group now?<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal">On Sun, Mar 1, 2015 at 4:59 PM, Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank" class="">sakimura@gmail.com</a>> wrote:<u class=""></u><u class=""></u></p>
<div class="">
<div class=""><p class="MsoNormal">+1<br class="">
<br class="">
=nat via iPhone<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-bottom:12.0pt"><br class="">
On 2015/03/02 2:33, Ashish Jain <<a href="mailto:ashishjain@vmware.com" target="_blank" class="">ashishjain@vmware.com</a>> wrote:<u class=""></u><u class=""></u></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" class="">
<div class="">
<div class=""><p class="MsoNormal">+1<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in" class=""><p class="MsoNormal"><b class=""><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="">From:
</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="">Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" class="">Michael.Jones@microsoft.com</a>><br class="">
<b class="">Date: </b>Friday, February 27, 2015 at 4:54 PM<br class="">
<b class="">To: </b>Adam Dawes <<a href="mailto:adawes@google.com" target="_blank" class="">adawes@google.com</a>>, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" class="">ve7jtb@ve7jtb.com</a>><br class="">
<b class="">Cc: </b>Chuck Mortimore <<a href="mailto:cmortimore@salesforce.com" target="_blank" class="">cmortimore@salesforce.com</a>>, John Ehrig <<a href="mailto:jehrig@inventures.com" target="_blank" class="">jehrig@inventures.com</a>>, Andrew Nash <<a href="mailto:andrew@confyrm.com" target="_blank" class="">andrew@confyrm.com</a>>,
 "<a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">openid-specs-council@lists.openid.net</a>" <<a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">openid-specs-council@lists.openid.net</a>>, Ashish Jain <<a href="mailto:ashishjain@vmware.com" target="_blank" class="">ashishjain@vmware.com</a>>,
 Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank" class="">sakimura@gmail.com</a>>, "<a href="mailto:aatoc@googlegroups.com" target="_blank" class="">aatoc@googlegroups.com</a>" <<a href="mailto:aatoc@googlegroups.com" target="_blank" class="">aatoc@googlegroups.com</a>><br class="">
<b class="">Subject: </b>RE: [OIDFSC] AATOC Working Group Charter<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class="">
<div class="">
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="">I approve of the creation of this working group with this charter.<u class=""></u><u class=""></u></span></p>
</div>
</div>
<div class="">
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="3" width="100%" align="center" class="">
</div><p class="MsoNormal" style="margin-bottom:12.0pt"><b class=""><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="">From:
</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class=""><a href="mailto:adawes@google.com" target="_blank" class="">Adam Dawes</a></span><br class="">
<b class=""><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="">Sent: </span>
</b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="">2/27/2015 11:22 AM</span><br class="">
<b class=""><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="">To: </span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class=""><a href="mailto:ve7jtb@ve7jtb.com" target="_blank" class="">John Bradley</a></span><br class="">
<b class=""><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="">Cc: </span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class=""><a href="mailto:cmortimore@salesforce.com" target="_blank" class="">Chuck Mortimore</a>;
<a href="mailto:Michael.Jones@microsoft.com" target="_blank" class="">Mike Jones</a>; <a href="mailto:jehrig@inventures.com" target="_blank" class="">
John Ehrig</a>; <a href="mailto:andrew@confyrm.com" target="_blank" class="">Andrew Nash</a>;
<a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">openid-specs-council@lists.openid.net</a>;
<a href="mailto:ashishjain@vmware.com" target="_blank" class="">Ashish Jain</a>; <a href="mailto:sakimura@gmail.com" target="_blank" class="">
Nat Sakimura</a>; <a href="mailto:aatoc@googlegroups.com" target="_blank" class="">aatoc@googlegroups.com</a></span><br class="">
<b class=""><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="">Subject: </span>
</b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="">Re: [OIDFSC] AATOC Working Group Charter</span><u class=""></u><u class=""></u></p>
</div>
<div class="">
<div class=""><p class="MsoNormal">We had our weekly meeting today and everyone was okay with the Trust Framework addition. We also made an update to the language around privacy considerations. Here is the updated text:
<u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class="">
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">1) Working Group name:
</span><u class=""></u><u class=""></u></h2><p class="MsoNormal" style="margin-bottom:8.0pt"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Abuse and Account Take-Over Coordination Working Group</span><u class=""></u><u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">2) Purpose</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The goal of AATOC is to provide data sharing schemas, privacy recommendations and protocols to:</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Share information about important security events in order to thwart attackers from leveraging compromised accounts from one Service Provider to gain access to accounts on other Service Providers
 (mobile or web application developers and owners). <u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Enable users and providers to coordinate in order to securely restore accounts following a compromise.<u class=""></u><u class=""></u></span></li></ul>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Internet accounts that use email addresses or phone numbers as the primary identifier for the account will be the initial focus.
</span><u class=""></u><u class=""></u></p>
</div>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">3) Scope</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The group will define:</span><u class=""></u><u class=""></u></p>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Security events</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
These are events – whether directly authentication-related or occurring at another time in the user flow – that take place on one service that could also have security implications on other Service Providers. The group will develop a taxonomy of security events
 and a common set of semantics to express relevant information about a security event.<br class="">
<br class="">
<br class="">
<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Privacy Implications</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
Sharing security information amongst providers has potential privacy implications for both end users and service providers. These privacy implications must be considered against both (a) applicable regulations, policies, and the principles of user notice, choice
 and consent, and (b) the recognized benefits of protecting users’ accounts and data from abuse. The group will consider ways to address such potential privacy implications when defining mechanisms to handle the various security events and recommend best practices
 for the industry.<u class=""></u><u class=""></u></span></li></ul>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Communications mechanisms</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
Define bindings for the use of an existing transport protocol defined elsewhere.<u class=""></u><u class=""></u></span></li></ul>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Event schema</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
Define a schema describing relevant events and relationships to allow for dissemination between interested and authorized parties.  <br class="">
<br class="">
<br class="">
<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Trust Frameworks</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
Define at least one model for the conditions under which information would be shared.
<u class=""></u><u class=""></u></span></li></ul>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Account recovery mechanisms<u class=""></u><u class=""></u></span></b></li></ul>
</div>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Standardized mechanism(s) to allow providers to signal that a user has regained control of an account, or allow a user to explicitly restore control of a previously compromised
 account, with or without direct user involvement.</span><u class=""></u><u class=""></u></p>
</div>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Out of scope:</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Determining the account quality/reputation of a user on a particular service and communicating that to others.</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Definition of APIs and underlying mechanisms for connecting to, interacting with and operating centralized databases or intelligence clearinghouses when these are used to communicate
 security events between account providers.</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">4) Proposed Deliverables</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The group proposes the following
<b class="">Non-Specification</b> deliverables:</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Security Event and Account Lifecycle Schema</span></b><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:1.0in;vertical-align:baseline">
<u class=""></u><span style="font-size:10.0pt;font-family:Symbol" class=""><span class="">·<span style="font:7.0pt "Times New Roman"" class="">       
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">A taxonomy of security events and a common set of semantics to express relevant information about a security event and its relationships to other relevant data, events
 or indicators. <u class=""></u><u class=""></u></span></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Security Event Privacy Guidelines</span></b><u class=""></u><u class=""></u></p>
</div>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">A set of recommendations on how to minimize the privacy impact on users and service providers while improving security, and how to provide appropriate privacy disclosures,
 labeling and access control guidelines around information in the Security Event Schema.
</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Trust Framework</span></b><u class=""></u><u class=""></u></p>
</div>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">A trust framework defining roles and responsibilities of parties sharing user security event information</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The group proposes the following
<b class="">Specification </b>deliverables:</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Communications Mechanisms</span></b><u class=""></u><u class=""></u></p>
</div>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Define bindings for the event messages to an already existing transport protocol to promote interoperability of sending event information to another Service Provider. This
 will allow a Service Provider to implement a single piece of infrastructure that would be able to send or receive event information to any other service provider.
</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Order of Deliverables</span></b><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The group will work to produce the Security Event and Account Lifecycle Schema before beginning work on the Communications Mechanism or Trust Framework.</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">5) Anticipated audience or users</span><u class=""></u><u class=""></u></h2>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Service Providers who manage their own account systems which require an email address or phone number for registration.<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Account and email providers that understand key security events that happen to a user’s account.<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Identity as a Service (IDaaS) vendors that manage account and authentication systems for their customers.<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Users seeking to regain control of a compromised account.<u class=""></u><u class=""></u></span></li></ul>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">6) Language</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">English</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">7) Method of work:</span><u class=""></u><u class=""></u></h2><p class="MsoNormal" style="margin-bottom:8.0pt"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">E-mail discussions on the working group mailing list, working group conference calls, and face-to-face meetings from time to time.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">8) Basis for determining when the work is completed:</span><u class=""></u><u class=""></u></h2><p class="MsoNormal" style="margin-bottom:8.0pt"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Rough consensus and running code. The work will be completed once it is apparent that maximal consensus on the draft has been achieved, consistent
 with the purpose and scope.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Background information</span><u class=""></u><u class=""></u></h2><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Related work:</span><u class=""></u><u class=""></u></h2>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">RFC6545 Real-time Inter-network Defense (RID)<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">RFC6546 Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">RFC6684 Guidelines and Template for Defining Extensions to the Incident Object Description Exchange Format (IODEF)<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">draft-ietf-mile-rolie Resource-Oriented Lightweight Indicator Exchange
<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">ISO/IEC 27002:2013  Information technology — Security techniques — Code of practice for information security controls<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident management<u class=""></u><u class=""></u></span></li></ul>
</div><p class="MsoNormal" style="margin-bottom:12.0pt"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Proposers</span><u class=""></u><u class=""></u></h2>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Adam Dawes, Google
<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Mark Risher, Google<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Trent Adams, Paypal<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">George Fletcher, AOL<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Andrew Nash, Confyrm<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Nat Sakimura, Nomura Research Institute<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">John Bradley, Ping Identity<u class=""></u><u class=""></u></span></li></ul>
</div>
<ul style="margin-top:0in" type="disc" class="">
<li class="MsoNormal" style="margin-bottom:8.0pt;vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Henrik Biering, Peercraft<u class=""></u><u class=""></u></span></li></ul>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Anticipated contributions:</span><u class=""></u><u class=""></u></h2><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">“Security event reporting between Service Providers 1.0” under the
</span><a href="http://openid.net/intellectual-property/" target="_blank" class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">OpenID
 Foundation’s IPR Policy</span></a><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">.</span><u class=""></u><u class=""></u></p>
</div>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal">On Thu, Feb 26, 2015 at 10:36 PM, Adam Dawes <<a href="mailto:adawes@google.com" target="_blank" class="">adawes@google.com</a>> wrote:<u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal">I'm resubmitting back under the name of AATOC since LinkedIn has already executed an IPR with that name as well as adding the Trust Framework deliverable. 
<u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class="">
<h2 align="center" style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in;text-align:center" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">AATOC Charter</span><u class=""></u><u class=""></u></h2><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">1) Working Group name:
</span><u class=""></u><u class=""></u></h2><p class="MsoNormal" style="margin-bottom:8.0pt"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Abuse and Account Take-Over Coordination Working Group (AATOC Working Group)</span><u class=""></u><u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">2) Purpose</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The goal of AATOC is to provide data sharing schemas, privacy recommendations and protocols to:</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Share information about important security events in order to thwart attackers from leveraging compromised accounts from one Service Provider to gain access to accounts on other Service Providers
 (mobile or web application developers and owners). <u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Enable users and providers to coordinate in order to securely restore accounts following a compromise.<u class=""></u><u class=""></u></span></li></ul>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Internet accounts that use email addresses or phone numbers as the primary identifier for the account will be the initial focus.
</span><u class=""></u><u class=""></u></p>
</div>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">3) Scope</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The group will define:</span><u class=""></u><u class=""></u></p>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Security events</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
These are events – whether directly authentication-related or occurring at another time in the user flow – that take place on one service that could also have security implications on other Service Providers. The group will develop a taxonomy of security events
 and a common set of semantics to express relevant information about a security event.<br class="">
<br class="">
<br class="">
<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Privacy Implications</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
Sharing security information amongst providers has potential privacy implications for both end users and service providers. These privacy implications must be balanced against the recognized benefits of protecting users’ accounts and data from abuse.  The group
 will consider ways to optimize this balance when defining mechanisms to handle the various security events and recommend best practices for the industry.<u class=""></u><u class=""></u></span></li></ul>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Communications mechanisms</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
Define bindings for the use of an existing transport protocol defined elsewhere.<u class=""></u><u class=""></u></span></li></ul>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Event schema</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
Define a schema describing relevant events and relationships to allow for dissemination between interested and authorized parties.  <br class="">
<br class="">
<br class="">
<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Trust Frameworks</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
Define at least one model for the conditions under which information would be shared.
<u class=""></u><u class=""></u></span></li></ul>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Account recovery mechanisms<u class=""></u><u class=""></u></span></b></li></ul>
</div>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Standardized mechanism(s) to allow providers to signal that a user has regained control of an account, or allow a user to explicitly restore control of a previously compromised
 account, with or without direct user involvement.</span><u class=""></u><u class=""></u></p>
</div>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Out of scope:</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Determining the account quality/reputation of a user on a particular service and communicating that to others.</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Definition of APIs and underlying mechanisms for connecting to, interacting with and operating centralized databases or intelligence clearinghouses when these are used to communicate
 security events between account providers.</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">4) Proposed Deliverables</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The group proposes the following
<b class="">Non-Specification</b> deliverables:</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Security Event and Account Lifecycle Schema</span></b><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:1.0in;vertical-align:baseline">
<u class=""></u><span style="font-size:10.0pt;font-family:Symbol" class=""><span class="">·<span style="font:7.0pt "Times New Roman"" class="">       
</span></span></span><u class=""></u><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">A taxonomy of security events and a common set of semantics to express relevant information about a security event and its relationships to other relevant data, events
 or indicators. <u class=""></u><u class=""></u></span></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Security Event Privacy Guidelines</span></b><u class=""></u><u class=""></u></p>
</div>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">A set of recommendations on how to minimize the privacy impact on users and service providers while improving security, and how to provide appropriate privacy disclosures,
 labeling and access control guidelines around information in the Security Event Schema.
</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Trust Framework</span></b><u class=""></u><u class=""></u></p>
</div>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">A trust framework defining roles and responsibilities of parties sharing user security event information</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The group proposes the following
<b class="">Specification </b>deliverables:</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Communications Mechanisms</span></b><u class=""></u><u class=""></u></p>
</div>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Define bindings for the event messages to an already existing transport protocol to promote interoperability of sending event information to another Service Provider. This
 will allow a Service Provider to implement a single piece of infrastructure that would be able to send or receive event information to any other service provider.
</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Order of Deliverables</span></b><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The group will work to produce the Security Event and Account Lifecycle Schema before beginning work on the Communications Mechanism or Trust Framework.</span><u class=""></u><u class=""></u></p>
</div>
<div class="">
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">5) Anticipated audience or users</span><u class=""></u><u class=""></u></h2>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Service Providers who manage their own account systems which require an email address or phone number for registration.<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Account and email providers that understand key security events that happen to a user’s account.<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Identity as a Service (IDaaS) vendors that manage account and authentication systems for their customers.<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Users seeking to regain control of a compromised account.<u class=""></u><u class=""></u></span></li></ul>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">6) Language</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">English</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">7) Method of work:</span><u class=""></u><u class=""></u></h2><p class="MsoNormal" style="margin-bottom:8.0pt"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">E-mail discussions on the working group mailing list, working group conference calls, and face-to-face meetings from time to time.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">8) Basis for determining when the work is completed:</span><u class=""></u><u class=""></u></h2><p class="MsoNormal" style="margin-bottom:8.0pt"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Rough consensus and running code. The work will be completed once it is apparent that maximal consensus on the draft has been achieved, consistent
 with the purpose and scope.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Background information</span><u class=""></u><u class=""></u></h2><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Related work:</span><u class=""></u><u class=""></u></h2>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">RFC6545 Real-time Inter-network Defense (RID)<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">RFC6546 Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">RFC6684 Guidelines and Template for Defining Extensions to the Incident Object Description Exchange Format (IODEF)<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">draft-ietf-mile-rolie Resource-Oriented Lightweight Indicator Exchange
<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">ISO/IEC 27002:2013  Information technology — Security techniques — Code of practice for information security controls<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident management<u class=""></u><u class=""></u></span></li></ul>
</div><p class="MsoNormal" style="margin-bottom:12.0pt"><u class=""></u> <u class=""></u></p>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Proposers</span><u class=""></u><u class=""></u></h2>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Adam Dawes, Google
<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Mark Risher, Google<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Trent Adams, Paypal<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">George Fletcher, AOL<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Andrew Nash, Confyrm<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Nat Sakimura, Nomura Research Institute<u class=""></u><u class=""></u></span></li></ul>
</div>
<div class="">
<ul type="disc" class="">
<li class="MsoNormal" style="vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">John Bradley, Ping Identity<u class=""></u><u class=""></u></span></li></ul>
</div>
<ul style="margin-top:0in" type="disc" class="">
<li class="MsoNormal" style="margin-bottom:8.0pt;vertical-align:baseline">
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Henrik Biering, Peercraft<u class=""></u><u class=""></u></span></li></ul>
<h2 style="margin-right:0in;margin-bottom:8.0pt;margin-left:0in" class="">
<span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Anticipated contributions:</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">“Security event reporting between Service Providers 1.0” under the
</span><a href="http://openid.net/intellectual-property/" target="_blank" class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">OpenID
 Foundation’s IPR Policy</span></a><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">.</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
</div>
</div>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal">On Thu, Feb 26, 2015 at 2:06 PM, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" class="">ve7jtb@ve7jtb.com</a>> wrote:<u class=""></u><u class=""></u></p>
<div class="">
<div class="">
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in" class="">
<div class="">
<div class=""><p class="MsoNormal">You can start joining the Friday calls now. <u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">We need to finalize the charter before people need to worry about signing the WG IPR.<u class=""></u><u class=""></u></p>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal" style="margin-bottom:12.0pt"><br class="">
On Feb 26, 2015, at 4:56 PM, Chuck Mortimore <<a href="mailto:cmortimore@salesforce.com" target="_blank" class="">cmortimore@salesforce.com</a>> wrote:<u class=""></u><u class=""></u></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" class="">
<div class="">
<div class=""><p class="MsoNormal">Our incident response team wants to participate. Should we just wait for the mailing list, or is there a way to get working on the agreement?<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal">On Thu, Feb 26, 2015 at 8:30 AM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" class="">Michael.Jones@microsoft.com</a>> wrote:<u class=""></u><u class=""></u></p>
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">I’d hold off posting it until the working group has been created.  Given that the intent is clear,
 I’m OK with accepting the agreement as-is, but would defer to others if they’d prefer that it be revised before being posted.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""> </span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">Out of curiosity, who was the agreement from?</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""> </span><u class=""></u><u class=""></u></p>
<div class="">
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in" class=""><p class="MsoNormal"><b class=""><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class=""> specs-council [mailto:<a href="mailto:openid-specs-council-bounces@lists.openid.net" target="_blank" class="">openid-specs-council-bounces@lists.openid.net</a>]
<b class="">On Behalf Of </b>John Ehrig<br class="">
<b class="">Sent:</b> Thursday, February 26, 2015 7:00 AM<br class="">
<b class="">To:</b> Adam Dawes; Andrew Nash<br class="">
<b class="">Cc:</b> John Bradley; Nat Sakimura; Ashish Jain; <a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">
openid-specs-council@lists.openid.net</a>; <a href="mailto:aatoc@googlegroups.com" target="_blank" class="">
aatoc@googlegroups.com</a><br class="">
<b class="">Subject:</b> Re: [OIDFSC] AATOC Working Group Charter</span><u class=""></u><u class=""></u></p>
</div>
</div><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">Hi All,</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""> </span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">I have already received a contribution agreement for this WG (under the “old” name, however) (see
 attached).  Can we accept it under the old name, should I go ahead and post it to the website now, or should I wait until the WG is actually approved?</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""> </span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">Please let me know.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""> </span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">Thanks!</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""> </span><u class=""></u><u class=""></u></p><p class="MsoNormal"><b class=""><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class=""> specs-council [<a href="mailto:openid-specs-council-bounces@lists.openid.net" target="_blank" class="">mailto:openid-specs-council-bounces@lists.openid.net</a>]
<b class="">On Behalf Of </b>Adam Dawes<br class="">
<b class="">Sent:</b> Thursday, February 26, 2015 1:06 AM<br class="">
<b class="">To:</b> Andrew Nash<br class="">
<b class="">Cc:</b> John Bradley; <a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">
openid-specs-council@lists.openid.net</a>; Ashish Jain; Nat Sakimura; <a href="mailto:aatoc@googlegroups.com" target="_blank" class="">
aatoc@googlegroups.com</a><br class="">
<b class="">Subject:</b> Re: [OIDFSC] AATOC Working Group Charter</span><u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal">Okay, I've revised the charter, with a new name, USESC (I couldn't fathom losing the "O" in AATOC). It doesn't have quite the ring but it's a bit more general which is useful since
 I think what will be produced will have uses beyond abuse and account takeovers. I've also included a deliverable on trust frameworks.<u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">Here it is:<u class=""></u><u class=""></u></p>
</div>
<div class="">
<h2 align="center" style="margin-bottom:8.0pt;text-align:center" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">USESC Charter</span><u class=""></u><u class=""></u></h2><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">1) Working Group name:
</span><u class=""></u><u class=""></u></h2><p class="MsoNormal" style="margin-bottom:8.0pt"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">User Security Event Sharing and Coordination Working Group (USESC Working Group)</span><u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">2) Purpose</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The goal of USESC is to provide data sharing schemas, privacy recommendations and protocols to:</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Share information about important security events related to user accounts in order to thwart attackers from leveraging compromised accounts from one Service Provider to gain access to accounts
 on other Service Providers (mobile or web application developers and owners). </span>
<u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Enable users and providers to coordinate in order to securely restore accounts following a compromise.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Internet accounts that use email addresses or phone numbers as the primary identifier for the account will be the initial focus.
</span><u class=""></u><u class=""></u></p>
</div>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">3) Scope</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The group will define:</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal" style="margin-bottom:12.0pt;margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Security events</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
These are events – whether directly authentication-related or occurring at another time in the user flow – that take place on one service that could also have security implications on other Service Providers. The group will develop a taxonomy of security events
 and a common set of semantics to express relevant information about a security event.</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Privacy Implications</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
Sharing security information amongst providers has potential privacy implications for both end users and service providers. These privacy implications must be balanced against the recognized benefits of protecting users’ accounts and data from abuse.  The group
 will consider ways to optimize this balance when defining mechanisms to handle the various security events and recommend best practices for the industry.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Communications mechanisms</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
Define bindings for the use of an existing transport protocol defined elsewhere.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-bottom:12.0pt;margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Event schema</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
Define a schema describing relevant events and relationships to allow for dissemination between interested and authorized parties.  </span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Trust Frameworks</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
Define at least one model for the conditions under which information would be shared.
</span><u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Account recovery mechanisms</span></b><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Standardized mechanism(s) to allow providers to signal that a user has regained control of an account, or allow a user to explicitly
 restore control of a previously compromised account, with or without direct user involvement.</span><u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Out of scope:</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Determining the account quality/reputation of a user on a particular service and communicating that to others.</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Definition of APIs and underlying mechanisms for connecting to, interacting with and operating centralized databases or intelligence clearinghouses when these are used to communicate
 security events between account providers.</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">4) Proposed Deliverables</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The group proposes the following
<b class="">Non-Specification</b> deliverables:</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Security Event and Account Lifecycle Schema</span></b><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">A taxonomy of security events and a common set of semantics to express relevant information about a security event and its relationships to other relevant data, events or indicators.
</span><u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Security Event Privacy Guidelines</span></b><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">A set of recommendations on how to minimize the privacy impact on users and service providers while improving security, and how to provide appropriate privacy disclosures,
 labeling and access control guidelines around information in the Security Event Schema.
</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The group proposes the following
<b class="">Specification </b>deliverables:</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Communications Mechanisms</span></b><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Define bindings for the event messages to an already existing transport protocol to promote interoperability of sending event information to another Service Provider. This
 will allow a Service Provider to implement a single piece of infrastructure that would be able to send or receive event information to any other service provider.
</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Order of Deliverables</span></b><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The group will work to produce the Security Event and Account Lifecycle Schema before beginning work on the Communications Mechanism.</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">5) Anticipated audience or users</span><u class=""></u><u class=""></u></h2><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Service Providers who manage their own account systems which require an email address or phone number for registration.</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Account and email providers that understand key security events that happen to a user’s account.</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Identity as a Service (IDaaS) vendors that manage account and authentication systems for their customers.</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Users seeking to regain control of a compromised account.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">6) Language</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">English</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">7) Method of work:</span><u class=""></u><u class=""></u></h2><p class="MsoNormal" style="margin-bottom:8.0pt"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">E-mail discussions on the working group mailing list, working group conference calls, and face-to-face meetings from time
 to time.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">8) Basis for determining when the work is completed:</span><u class=""></u><u class=""></u></h2><p class="MsoNormal" style="margin-bottom:8.0pt"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Rough consensus and running code. The work will be completed once it is apparent that maximal consensus on the draft has
 been achieved, consistent with the purpose and scope.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Background information</span><u class=""></u><u class=""></u></h2><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Related work:</span><u class=""></u><u class=""></u></h2><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">RFC6545 Real-time Inter-network Defense (RID)</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">RFC6546 Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">RFC6684 Guidelines and Template for Defining Extensions to the Incident Object Description Exchange Format (IODEF)</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">draft-ietf-mile-rolie Resource-Oriented Lightweight Indicator Exchange
</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">ISO/IEC 27002:2013  Information technology — Security techniques — Code of practice for information security controls</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident management</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-bottom:12.0pt"> <u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Proposers</span><u class=""></u><u class=""></u></h2><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Adam Dawes, Google
</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Mark Risher, Google</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Trent Adams, Paypal</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">George Fletcher, AOL</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Andrew Nash, Confyrm</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Nat Sakimura, Nomura Research Institute</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">John Bradley, Ping Identity</span><u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-bottom:8.0pt;margin-left:.5in;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Henrik Biering, Peercraft</span><u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Anticipated contributions:</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">“Security event reporting between Service Providers 1.0” under the
</span><a href="http://openid.net/intellectual-property/" target="_blank" class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">OpenID
 Foundation’s IPR Policy</span></a><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">.</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
</div>
</div>
<div class=""><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal">On Wed, Feb 25, 2015 at 5:37 PM, Andrew Nash <<a href="mailto:andrew@confyrm.com" target="_blank" class="">andrew@confyrm.com</a>> wrote:<u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal">Trent,<u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">we (Confyrm) have started work on a number of aspects of a trust framework in conjunction with Tom Smedinghoff as part of the work we did with the UK Govt and the NSTIC pilot -
 still early but hopefully will bootstrap some of the work here <u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="color:#888888" class=""> </span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="color:#888888" class="">--Andrew</span><u class=""></u><u class=""></u></p>
</div>
</div>
<div class=""><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class="">
<div class="">
<div class=""><p class="MsoNormal">On Tue, Feb 24, 2015 at 11:00 PM, 'Adam Dawes' via Abuse and ATO Coordination <<a href="mailto:aatoc@googlegroups.com" target="_blank" class="">aatoc@googlegroups.com</a>> wrote:<u class=""></u><u class=""></u></p>
</div>
</div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt" class="">
<div class="">
<div class="">
<div class="">
<div class=""><p class="MsoNormal">+aatoc-list<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
</div><p class="MsoNormal">For name, I agree with Nat's suggestion of 'Abuse and Account Take Over Coordination Work Group (AATOC Work Group)'. This just prevents a name change for everyone as well as the
 mailing list mechanics. <u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">@mike, I think your suggestions about defining trust frameworks also make sense. Do you have any good examples of where this has been done? Will need to discuss this with the rest
 of the group but in our discussion of transport, there have been some implicit trust framework concepts at play. In the end, I think there may be different models about with whom info is shared. This will depend on the specific data we define, the quality
 of data that service providers can share, and the relevant privacy policies of those providers. <u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">thanks,<u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">AD<u class=""></u><u class=""></u></p>
</div>
</div>
<div class=""><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal">On Tue, Feb 24, 2015 at 7:13 PM, Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank" class="">sakimura@gmail.com</a>> wrote:<u class=""></u><u class=""></u></p><p class="MsoNormal">While we are in the title, in view of the recent executive order
<a href="http://m.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari" target="_blank" class="">
http://m.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari</a>, we might suggest including the name "Information Sharing and analysis", e.g., AATISAC.
<u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal">Wednesday, February 25, 2015, 11:59
 John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" class="">ve7jtb@ve7jtb.com</a>>:<u class=""></u><u class=""></u></p>
<div class="">
<div class="">
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt" class=""><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal">That is a different WG outside of the OIDF;)<u class=""></u><u class=""></u></p>
</div>
<div class="">
<div class=""><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class="">
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" class="">
<div class=""><p class="MsoNormal">On Feb 24, 2015, at 9:40 PM, Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank" class="">sakimura@gmail.com</a>> wrote:<u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class="">
<div class=""><p class="MsoNormal">Simplicity wins, but doesn't it sound like the WG is creating a protocol to take over accounts ;-) ? <u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal">2015-02-25 11:25 GMT+09:00 Ashish Jain <<a href="mailto:ashishjain@vmware.com" target="_blank" class="">ashishjain@vmware.com</a>>:<u class=""></u><u class=""></u></p>
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class="">I’m not objecting…merely suggesting that referring to it as Account Takeover WG is simpler </span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
</div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in" class=""><p class="MsoNormal"><b class=""><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="">From:
</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="">Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank" class="">sakimura@gmail.com</a>><br class="">
<b class="">Date: </b>Tuesday, February 24, 2015 at 6:09 PM<br class="">
<b class="">To: </b>Ashish Jain <<a href="mailto:ashishjain@vmware.com" target="_blank" class="">ashishjain@vmware.com</a>><br class="">
<b class="">Cc: </b>Adam Dawes <<a href="mailto:adawes@google.com" target="_blank" class="">adawes@google.com</a>>, "<a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">openid-specs-council@lists.openid.net</a>" <<a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">openid-specs-council@lists.openid.net</a>></span><u class=""></u><u class=""></u></p>
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class=""><br class="">
<b class="">Subject: </b>Re: [OIDFSC] AATOC Working Group Charter</span><u class=""></u><u class=""></u></p>
</div>
</div>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class="">I am fine with ATO WG as well. My objection was that the name had the Group in it, which is not a defined word
 in OpenID Process, so the WG name would become AATOC Group WG, which is repeating "Group" and awkward. It is just editorial stuff. 
</span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class="">Are you objecting to the first A and the last C of AATOC? </span><u class=""></u><u class=""></u></p>
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
</div>
</div>
</div>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class="">2015-02-25 10:59 GMT+09:00 Ashish Jain <<a href="mailto:ashishjain@vmware.com" target="_blank" class="">ashishjain@vmware.com</a>>:</span><u class=""></u><u class=""></u></p>
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class="">I understand the need to be precise but ATO WG can probably convey the same message.</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
</div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in" class=""><p class="MsoNormal"><b class=""><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="">From:
</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="">Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank" class="">sakimura@gmail.com</a>><br class="">
<b class="">Date: </b>Tuesday, February 24, 2015 at 4:56 PM<br class="">
<b class="">To: </b>Adam Dawes <<a href="mailto:adawes@google.com" target="_blank" class="">adawes@google.com</a>><br class="">
<b class="">Cc: </b>"<a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">openid-specs-council@lists.openid.net</a>" <<a href="mailto:openid-specs-council@lists.openid.net" target="_blank" class="">openid-specs-council@lists.openid.net</a>><br class="">
<b class="">Subject: </b>Re: [OIDFSC] AATOC Working Group Charter</span><u class=""></u><u class=""></u></p>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
</div>
<div class="">
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class="">Dear Specs Council members,
<br class="">
<br class="">
It looks generally fine, with one friendly amendment: <br class="">
<br class="">
Change the title of the working group from: <br class="">
Abuse and Account Takeover Coordination Group<br class="">
<br class="">
to:<br class="">
Abuse and Account Takeover Coordination Working Group<br class="">
<br class="">
as "Abuse and Account Takeover Coordination Group Working Group" is a bit awkward. 
</span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class="">I am fine with putting it as just "Abuse and Account Takeover Coordination" as well, since there is a precedent
 for it. <br class="">
<br class="">
Could any specs council member respond early in this thread if you have any objection or friendly amendment. We have been a bit slack lately that we have been relying on two weeks limit to execute a charter, but we should be able to act more quickly.<br class="">
<br class="">
Cheers,  </span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class=""><br class="">
Nat</span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
</div>
</div>
</div>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class="">2015-02-24 19:02 GMT+09:00 Adam Dawes <<a href="mailto:adawes@google.com" target="_blank" class="">adawes@google.com</a>>:</span><u class=""></u><u class=""></u></p>
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class="">I would like to form a new work group, AATOC. Here is our proposed charter:</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
</div>
<div class="">
<h2 align="center" style="margin-bottom:8.0pt;text-align:center" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">AATOC Charter</span><u class=""></u><u class=""></u></h2><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">1) Working Group name:
</span><u class=""></u><u class=""></u></h2><p class="MsoNormal" style="margin-bottom:8.0pt"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Abuse and Account Takeover Coordination Group (AATOC)</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">2) Purpose</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The goal of AATOC is to provide data sharing schemas, privacy recommendations and protocols to:</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Share information about important security events in order to thwart attackers from leveraging compromised accounts from one Service Provider to gain access to accounts on other Service Providers
 (mobile or web application developers and owners). </span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Enable users and providers to coordinate in order to securely restore accounts following a compromise.</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Internet accounts that use email addresses or phone numbers as the primary identifier for the account will be the
 initial focus. </span><u class=""></u><u class=""></u></p>
</div>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">3) Scope</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The group will define:</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-bottom:12.0pt;margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Security events</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
These are events – whether directly authentication-related or occurring at another time in the user flow – that take place on one service that could also have security implications on other Service Providers. The group will develop a taxonomy of security events
 and a common set of semantics to express relevant information about a security event.</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Privacy Implications</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
Sharing security information amongst providers has potential privacy implications for both end users and service providers. These privacy implications must be balanced against the recognized benefits of protecting users’ accounts and data from abuse.  The group
 will consider ways to optimize this balance when defining mechanisms to handle the various security events and recommend best practices for the industry.</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Communications mechanisms</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
Define bindings for the use of an existing transport protocol defined elsewhere.</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Event schema</span></b><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class=""><br class="">
Define a schema describing relevant events and relationships to allow for dissemination between interested and authorized parties.  </span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Account recovery mechanisms</span></b><u class=""></u><u class=""></u></p>
</div>
<div style="margin-left:.5in" class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Standardized mechanism(s) to allow providers to signal that a user has regained control of an account, or allow a
 user to explicitly restore control of a previously compromised account, with or without direct user involvement.</span><u class=""></u><u class=""></u></p>
</div>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Out of scope:</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Determining the account quality/reputation of a user on a particular service and communicating that to others.</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Definition of APIs and underlying mechanisms for connecting to, interacting with and operating centralized databases
 or intelligence clearinghouses when these are used to communicate security events between account providers.</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">4) Proposed Deliverables</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The group proposes the following
<b class="">Non-Specification</b> deliverables:</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Security Event and Account Lifecycle Schema</span></b><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">A taxonomy of security events and a common set of semantics to express relevant information about a security event and its relationships to other relevant data, events or indicators.
</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Security Event Privacy Guidelines</span></b><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">A set of recommendations on how to minimize the privacy impact on users and service providers while improving security,
 and how to provide appropriate privacy disclosures, labeling and access control guidelines around information in the Security Event Schema.
</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The group proposes the following
<b class="">Specification </b>deliverables:</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Communications Mechanisms</span></b><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Define bindings for the event messages to an already existing transport protocol to promote interoperability of sending
 event information to another Service Provider. This will allow a Service Provider to implement a single piece of infrastructure that would be able to send or receive event information to any other service provider.
</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><b class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Order of Deliverables</span></b><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">The group will work to produce the Security Event and Account Lifecycle Schema before beginning work on the Communications
 Mechanism.</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">5) Anticipated audience or users</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Service Providers who manage their own account systems which require an email address or phone number for registration.</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Account and email providers that understand key security events that happen to a user’s account.</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Identity as a Service (IDaaS) vendors that manage account and authentication systems for their customers.</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Users seeking to regain control of a compromised account.</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">6) Language</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">English</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">7) Method of work:</span><u class=""></u><u class=""></u></h2><p class="MsoNormal" style="margin-bottom:8.0pt"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">E-mail discussions on the working group mailing list, working group conference calls, and face-to-face meetings from time
 to time.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">8) Basis for determining when the work is completed:</span><u class=""></u><u class=""></u></h2><p class="MsoNormal" style="margin-bottom:8.0pt"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Rough consensus and running code. The work will be completed once it is apparent that maximal consensus on the draft has
 been achieved, consistent with the purpose and scope.</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Background information</span><u class=""></u><u class=""></u></h2><p class="MsoNormal"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Related work:</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">RFC6545 Real-time Inter-network Defense (RID)</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">RFC6546 Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">RFC6684 Guidelines and Template for Defining Extensions to the Incident Object Description Exchange Format (IODEF)</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">draft-ietf-mile-rolie Resource-Oriented Lightweight Indicator Exchange
</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">ISO/IEC 27002:2013  Information technology — Security techniques — Code of practice for information security controls</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident management</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Proposers</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Adam Dawes, Google
</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Mark Risher, Google</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Trent Adams, Paypal</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">George Fletcher, AOL</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Andrew Nash, Confyrm</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Nat Sakimura, Nomura Research Institute</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal" style="margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">John Bradley, Ping Identity</span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal" style="margin-bottom:8.0pt;margin-left:47.25pt;vertical-align:baseline">
<span style="font-size:10.0pt" class="">·</span><span style="font-size:7.0pt" class="">        </span>
<span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">Henrik Biering, Peercraft</span><u class=""></u><u class=""></u></p>
<h2 style="margin-bottom:8.0pt" class=""><span style="font-size:13.0pt;font-family:"Trebuchet MS","sans-serif"" class="">Anticipated contributions:</span><u class=""></u><u class=""></u></h2>
<div class=""><p class="MsoNormal"><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">“Security event reporting between Service Providers 1.0” under the
</span><span style="font-size:9.5pt;font-family:"Calibri","sans-serif"" class=""><a href="http://openid.net/intellectual-property/" target="_blank" class=""><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">OpenID
 Foundation’s IPR Policy</span></a></span><span style="font-size:11.5pt;font-family:"Arial","sans-serif"" class="">.</span><u class=""></u><u class=""></u></p>
</div>
</div>
</div>
</div><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class=""><br class="">
<br clear="all" class="">
</span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class=""> </span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class="">--
</span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class="">Nat Sakimura (=nat)
</span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Calibri","sans-serif"" class="">Chairman, OpenID Foundation<br class="">
<a href="http://nat.sakimura.org/" target="_blank" class="">http://nat.sakimura.org/</a><br class="">
@_nat_en</span><u class=""></u><u class=""></u></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div><p class="MsoNormal"><span style="color:#888888" class=""> <u class=""></u><u class=""></u></span></p>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div><p class="MsoNormal"><span style="color:#888888" class=""> <u class=""></u><u class=""></u></span></p>
</div>
</div>
</div>
</blockquote>
</div><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
</div>
</div><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
</div>
</div>
</div>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
</div>
</blockquote>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
</div>
</div>

</blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></div></div></body></html>