[Openid-specs-fapi] Issue #704: Consider recommendations from Cyber Safety Review Board report (openid/fapi)

josephheenan issues-reply at bitbucket.org
Sun Jul 7 11:17:26 UTC 2024


New issue 704: Consider recommendations from Cyber Safety Review Board report
https://bitbucket.org/openid/fapi/issues/704/consider-recommendations-from-cyber-safety

Joseph Heenan:

I don’t think the working group has discussed this report yet:

[https://www.cisa.gov/resources-tools/resources/cyber-safety-review-board-releases-report-microsoft-online-exchange-incident-summer-2023](https://www.cisa.gov/resources-tools/resources/cyber-safety-review-board-releases-report-microsoft-online-exchange-incident-summer-2023)

In particular it seems worth drawing the group's attention to recommendation 13, which explicitly names OIDF:

> CSPs and relevant standards bodies, such as OpenID Foundation (OIDF), Organization for the Advancement of Structured Information Standards (OASIS), and The Internet Engineering Task Force (IETF), should develop or update profiles for core digital identity standards such as OIDC and Security Assertion Markup Language (SAML) to include requirements and/or security considerations around key rotation, stateful credentials, credential linking, and key scope.

But these two are also fairly relevant:

> RECOMMENDATION 11: CSPs should implement emerging standards such as Open Authorization (OAuth) 2 Demonstrating Proof-of-Possession (DPoP) (bound tokens) and OpenID Shared Signals and Events (SSE) (sharing session risk) that better secure cloud services against credential related attacks.
>
> RECOMMENDATION 12: Relevant standards bodies should refine and update these standards to account for a threat model of advanced nation-state attackers targeting core CSP identity systems.

(Thanks to Tom Sato for sharing this on the SSE WG mailing list)

I’m not sure all of this feels like it might be in scope for FAPI, but I think we could say something about:

* Key rotation
* Key scope
* Shared Signals & Events spec

I don’t fully understand what “stateful credentials” or “credential linking” might mean, and I’m not sure what extra we could do to specifically address “advanced nation-state attackers”.
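
The two items the post says FAPI could speak to, key scope and key rotation, are easiest to see in a relying-party token verifier. The following is an added example, not code from the mailing-list post or from any OIDF specification. It uses HMAC-SHA256 as a stand-in for the issuer's asymmetric signature so that it runs with the Python standard library alone, and the key-set fields "scope" and "retire_at" are hypothetical metadata invented for this illustration (a real deployment would derive them from per-issuer JWKS endpoints and its rotation policy). The key set, issuers and tokens are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time

ENTERPRISE = "https://login.enterprise.example"
CONSUMER = "https://login.consumer.example"

# Constructed key set (not a real JWKS). "scope" and "retire_at" are hypothetical
# fields: which issuer a key may sign for, and when it stops being accepted.
KEY_SET = {
    "enterprise-2024": {"secret": b"ent-2024-secret", "scope": ENTERPRISE, "retire_at": None},
    "enterprise-2023": {"secret": b"ent-2023-secret", "scope": ENTERPRISE, "retire_at": 1_700_000_000},
    "consumer-2023": {"secret": b"con-2023-secret", "scope": CONSUMER, "retire_at": None},
}


class TokenRejected(Exception):
    """Carries a short reason so the relying party can log why a token failed."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(kid: str, claims: dict) -> str:
    """Compact JWS signed with HMAC-SHA256 under the named key (stand-in for RS256/ES256)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(KEY_SET[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def verify(token: str, expected_iss: str, expected_aud: str, now=None) -> dict:
    """Verify a token for one issuer/audience, enforcing key scope and key rotation."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_unb64(h_b64))
        claims = json.loads(_unb64(p_b64))
    except ValueError:
        raise TokenRejected("malformed token")

    # 1. Pin the algorithm; the token never gets to choose it (rules out "none").
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")

    # 2. Unknown kid: reject (a real verifier may refresh the JWKS once, then reject).
    key = KEY_SET.get(header.get("kid"))
    if key is None:
        raise TokenRejected("unknown kid")

    # 3. Key scope: the key must be one this issuer is allowed to sign with, and the
    #    token's iss must match. A mathematically valid signature from a key scoped
    #    to a different issuer (e.g. a consumer key on an enterprise token) fails here.
    if key["scope"] != expected_iss or claims.get("iss") != expected_iss:
        raise TokenRejected("key scope")

    # 4. Key rotation: a retired key stops verifying regardless of the token's own
    #    exp, so a stolen old key has a bounded window of use.
    if key["retire_at"] is not None and now >= key["retire_at"]:
        raise TokenRejected("key retired")

    # 5. Signature, compared in constant time, over the exact bytes received.
    expected = hmac.new(key["secret"], f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s_b64)):
        raise TokenRejected("bad signature")

    # 6. Standard claim checks.
    if claims.get("aud") != expected_aud:
        raise TokenRejected("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise TokenRejected("expired")
    return claims


def demo(now: int = 1_720_000_000) -> dict:
    """Outcome per constructed token: 'ok' or the rejection reason."""
    base = {"iss": ENTERPRISE, "aud": "api://mail", "sub": "alice", "exp": now + 600}
    none_header = _b64(json.dumps({"alg": "none", "kid": "enterprise-2024"}).encode())
    cases = {
        "current enterprise key": mint("enterprise-2024", base),
        "consumer key, enterprise iss": mint("consumer-2023", base),
        "retired enterprise key": mint("enterprise-2023", base),
        "alg none": none_header + "." + _b64(json.dumps(base).encode()) + ".",
    }
    results = {}
    for name, token in cases.items():
        try:
            verify(token, ENTERPRISE, "api://mail", now=now)
            results[name] = "ok"
        except TokenRejected as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the ordering is that the cross-issuer case is rejected on key scope before any signature is checked: binding each key to the issuer it may sign for, and refusing retired keys at the verifier rather than relying on the token's own expiry, is what "key scope" and "key rotation" requirements in a profile would pin down.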



More information about the Openid-specs-fapi mailing list