[Openid-specs-risc] RISC call for today [3pm PDT]
Adam Dawes
adawes at google.com
Fri Sep 23 06:38:30 UTC 2016
Notes on today's call:
Sept 22
Attendees
Adam Dawes, Marius Scurtescu, Jeroen Kemperman, Phil Hunt, Brian Campbell,
George Fletcher, Dick Hardt, Henrik Biering
- October 28 F2F at Google on Friday after IIW [please register
  <https://www.eventbrite.com/edit?eid=28032589229&published=0>]
- SET working group charter:
  Who will be a reviewer? (Dick agrees)
- Contract is signed between Microsoft and Google
  Google will get a clean contract and share with Amazon, Facebook,
  Confyrm. Let me know if you have interest in joining as well.
- Reviewed Microsoft-Google F2F (below). Went through first 2 use cases.
  Discussed email header registration process.
  Feedback:
  - Header idea is interesting but not sure what it adds
  - The recipient still needs to trust that content of the message aligns
    with the header definition - otherwise can just send promo emails to the
    user to receive RISC signals. Nothing empirically more trustworthy about
    the mail.
  - Seems to add a lot more complexity than just using the pub/sub
    mechanism. Free to have any 2 parties to use this mechanism if they
    desire but doesn’t sound like a great fit for the standard.
  - Header might be useful for enterprise customers - actually not so
    hard to look up MX and then do the registration if the mail is hosted.
- Marius and Phil have been collaborating on the transport spec.
NOTES FROM MICROSOFT MEETING 9/21
Assumptions:
- Relying Parties (RPs) start sending a special email header on all
  password reset and account registration messages. RPs keep track of when
  they request an account recovery from IDP.
- Mail providers (IDPs) need to keep track of the email reset messages
  received by looking for this header. This will qualify as the registration
  for later events.
Mail types
- Password Reset
- Email OTP challenge
- Email verification for new accounts
- Change email address
- Account closed
- Password change successful
Cases
1. Relying Party (RP) tells Mail Provider (IDP) of possible compromise
   RP will tell IDP when compromise of RP account started when RP received
   a password reset or OTP to IDP account.
   RP sends PubSub message to IDP after local detection determines
   compromise and links it to the account recovery via the IDP.
2. Proof at risk: IDP tells RP they are at risk
   IDP will tell RP when IDP received an OTP or PWR from RP account during a
   time IDP account was compromised.
   IDP keeps track of incoming PWRs, sends pubsub to RPs that have sent
   recent PWRs
On Thu, Sep 22, 2016 at 9:24 AM, Adam Dawes <adawes at google.com> wrote:
> Hi all,
>
> For today's call, I think we'll have a bit to talk about. Google and
> Microsoft spent all day yesterday talking about our collaboration together
> for RISC and today Google, Microsoft and Amazon are talking.
>
> Additionally, if we have time, we can continue our discussion about SET
> and transport.
>
> Hope to see you there.
>
> --
> Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410
>
>
--
Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410