[Openid-specs-risc] [External Sender] Re: reminder: call today at 3 pm Pacific

Richard Backman, Annabelle richanna at amazon.com
Fri Dec 6 19:16:01 UTC 2019 

David,

The way I read the charter, the clearinghouse exclusion applies to APIs/mechanisms designed specifically for clearinghouse use cases. I don’t read it as necessarily excluding features in general purpose APIs that are of particular interest to clearinghouses. If memory serves, when we discussed clearinghouses back in the early days of RISC, the consensus was that their APIs would likely be proprietary, being built around the provider’s specific offerings/value add, hence excluding them from the scope of the WG. But it’s reasonable (and I’d go so far as to say desirable) for clearinghouses to use standard mechanisms for transmitting and receiving events when appropriate.

Regarding your example of transmitting/receiving collections, as co-editor of the Push-Based SET Delivery Using HTTP<https://tools.ietf.org/html/draft-ietf-secevent-http-push-07> and Poll-Based SET Delivery Using HTTP<https://tools.ietf.org/html/draft-ietf-secevent-http-poll-06> drafts working their way to RFC status in the IETF Security Events Working Group I encourage you to review them and provide feedback, preferably via the secevent working group mailing list<https://mailarchive.ietf.org/arch/browse/id-event/> so that it is visible to the working group. They are nearing the end of the review process, so please do so soon. The Poll-Based protocol supports transmission of multiple events per request, but the Push-Based protocol does not. This was discussed for Push, but decided against. Holding and bundling messages for batched transmission introduces non-negligible cost and complexity; IMO horizontal scaling is likely to be cheaper and easier, particularly if the system is already operating at a scale where batching is worth considering.

–
Annabelle Richard Backman
AWS Identity


From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net> on behalf of Openid-specs-risc <openid-specs-risc at lists.openid.net>
Reply-To: David Skyberg <david.skyberg at capitalone.com>
Date: Friday, December 6, 2019 at 9:32 AM
To: Openid-specs-risc <openid-specs-risc at lists.openid.net>
Subject: Re: [Openid-specs-risc] [External Sender] Re: reminder: call today at 3 pm Pacific

I agree we need to ensure that discussions are scoped to the WG charter.  I do think that there is a general protocol and data format aspect to the discussion that may be germain.  For example, if we assume that clearinghouse use cases may encompass sending/receiving collections, rather than single events, should we entertain revision to the current data format? However, broader questions such as privacy implications of a clearinghouse model are likely out of scope.  Interesting, but out of scope. ;)

Cheers,
=D=

---
David Skyberg
Product Director
Capital One Identity Services
703.439.8876
david.skyberg at capitalone.com<mailto:david.skyberg at capitalone.com>


On Thu, Dec 5, 2019 at 3:11 PM Richard Backman, Annabelle <richanna at amazon.com<mailto:richanna at amazon.com>> wrote:
It should be noted that the current charter<https://urldefense.com/v3/__https:/openid.net/wg/risc/charter/__;!0Ns9_1dOjwg!L_IHRWDKAjugqfAYNWdNwfIR4zRqmSXC6S-RacX8K66DGod-tTnqQ9Ml6_PayDE77Q5MnaQ$> and draft revised charter<https://urldefense.com/v3/__https:/bitbucket.org/openid/risc/raw/93d4d7afaf0d59e142479052a785d63d8129d8b4/working-group-charter.pdf__;!0Ns9_1dOjwg!L_IHRWDKAjugqfAYNWdNwfIR4zRqmSXC6S-RacX8K66DGod-tTnqQ9Ml6_PayDE7D4vW0_Q$> say that the following is out of scope for the working group:

Definition of APIs and underlying mechanisms for connecting to, interacting with and operating centralized databases or intelligence clearinghouses when these are used to communicate security events between account providers.

So part of this discussion needs to be: is this work that we think belongs in the working group?

–
Annabelle Richard Backman
AWS Identity


From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net<mailto:openid-specs-risc-bounces at lists.openid.net>> on behalf of Openid-specs-risc <openid-specs-risc at lists.openid.net<mailto:openid-specs-risc at lists.openid.net>>
Reply-To: David Skyberg <david.skyberg at capitalone.com<mailto:david.skyberg at capitalone.com>>
Date: Thursday, December 5, 2019 at 11:40 AM
To: Openid-specs-risc <openid-specs-risc at lists.openid.net<mailto:openid-specs-risc at lists.openid.net>>
Subject: Re: [Openid-specs-risc] [External Sender] Re: reminder: call today at 3 pm Pacific

Hi folks,
I would like to suggest a discussion topic - Clearing House support.
The spec is currently targeted at point to point event exchange.  There are also very valid use cases for supporting a pub/sub style clearing house model.  This was the goal of Andrew Nash's startup, Confyrm (acquired by Capital One).
There are at least two interesting threads under this topic:

  *   Event format, control plane, and protocol requirements for clearing house support.
  *   Privacy ('nuff said)
I've had a couple very limited conversations (seriously, like 5 minutes) with Annabelle and Mike.  Both agree we should at least start the discussion. I'm open to bribery.  If you have a doc that needs editing, or your car needs cleaning, I'm your guy.

Cheers,
=D=

---
David Skyberg
Product Director
Capital One Identity Services
703.439.8876
david.skyberg at capitalone.com<mailto:david.skyberg at capitalone.com>


On Tue, Nov 26, 2019 at 6:27 PM Richard Backman, Annabelle via Openid-specs-risc <openid-specs-risc at lists.openid.net<mailto:openid-specs-risc at lists.openid.net>> wrote:
Apologies for the confusion over the call today. We had some difficulties getting access to start the call. That should be resolved by the next one.

We did hold a brief call this afternoon, which we ended early due to low participation (unsurprising, given the confusion). Notes from that meeting follow:

Re-Chartering Update
The proposed charter was submitted to the Specifications Council last week after amendment based on feedback received at the CAEP face-to-face meeting. We are awaiting confirmation of the re-chartering from the Council.

RISC Ramp Up
We answered a few questions regarding how to get ramped up on the RISC work, and how to participate:

  *   How can I learn about the work that the working group has done so far?

     *   Read the working group’s documents, available in our repository<https://urldefense.com/v3/__https:/bitbucket.org/openid/risc/src/master/__;!0Ns9_1dOjwg!JY0jeiE4y3ye6E_-a2dSiCZEgxpThPrsPV4nY70cbzPqHfMOwaGfEeRrVv7o5ntJNO33Ans$> and on the OpenID Foundation Specifications page<https://urldefense.com/v3/__https:/openid.net/developers/specs/__;!0Ns9_1dOjwg!JY0jeiE4y3ye6E_-a2dSiCZEgxpThPrsPV4nY70cbzPqHfMOwaGfEeRrVv7o5ntJkFLwvbw$>. There are three documents in total:

        *   OpenID RISC Profile of IETF Security Events 1.0: Describes our use of SET and SET transport mechanisms, and the Event Stream Management API.
        *   OpenID RISC Event Types 1.0: Defines event types for security events related to account-related use cases.
        *   OAuth Event Types 1.0: Defines event types for security events related to OAuth 2.0 use cases.

     *   Read the mailing list archive<https://urldefense.com/v3/__http:/lists.openid.net/pipermail/openid-specs-risc/__;!0Ns9_1dOjwg!JY0jeiE4y3ye6E_-a2dSiCZEgxpThPrsPV4nY70cbzPqHfMOwaGfEeRrVv7o5ntJQnclMH4$>, particularly meeting notes from past meetings. Unfortunately, these are not curated anywhere and the list does not have a good search mechanism.

  *   What is the best way to participate in the working group?

     *   The simplest and easiest way is to post to the mailing list (note that you must have an IPR agreement on file with the OpenID Foundation in order to participate).

–
Annabelle Richard Backman
AWS Identity


From: "Richard Backman, Annabelle" <richanna at amazon.com<mailto:richanna at amazon.com>>
Date: Tuesday, November 26, 2019 at 3:03 PM
To: Marius Scurtescu <marius.scurtescu at coinbase.com<mailto:marius.scurtescu at coinbase.com>>, Openid-specs-risc <openid-specs-risc at lists.openid.net<mailto:openid-specs-risc at lists.openid.net>>
Subject: Re: [Openid-specs-risc] reminder: call today at 3 pm Pacific

Scratch that, the call is open. We’ll see how many people make it, given the mixed messages.

–
Annabelle Richard Backman
AWS Identity


From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net<mailto:openid-specs-risc-bounces at lists.openid.net>> on behalf of Openid-specs-risc <openid-specs-risc at lists.openid.net<mailto:openid-specs-risc at lists.openid.net>>
Reply-To: Marius Scurtescu <marius.scurtescu at coinbase.com<mailto:marius.scurtescu at coinbase.com>>
Date: Tuesday, November 26, 2019 at 2:49 PM
To: Openid-specs-risc <openid-specs-risc at lists.openid.net<mailto:openid-specs-risc at lists.openid.net>>
Subject: Re: [Openid-specs-risc] reminder: call today at 3 pm Pacific

We are running into last minute technical issues and we won't be able to have the call today. Sorry about that.

We should be able to have the calls two weeks from today.

Best,
Marius


On Tue, Nov 26, 2019, 8:53 AM Marius Scurtescu <marius.scurtescu at coinbase.com<mailto:marius.scurtescu at coinbase.com>> wrote:
Just a reminder about the bi-weekly call today at 3 pm Pacific.

The embedded calendar and the iCal download are up to date, but the wording on the page still needs to be updated:
https://openid.net/wg/risc/<https://urldefense.com/v3/__https:/openid.net/wg/risc/__;!0Ns9_1dOjwg!JY0jeiE4y3ye6E_-a2dSiCZEgxpThPrsPV4nY70cbzPqHfMOwaGfEeRrVv7o5ntJLCYFT64$>

In order to join the call:

Please join my meeting from your computer, tablet or smartphone.

https://global.gotomeeting.com/join/576653581<https://urldefense.com/v3/__https:/global.gotomeeting.com/join/576653581__;!0Ns9_1dOjwg!JY0jeiE4y3ye6E_-a2dSiCZEgxpThPrsPV4nY70cbzPqHfMOwaGfEeRrVv7o5ntJu1decNc$>
You can also dial in using your phone.

United States +1 (786) 358-5410

Access Code: 576-653-581

More phone numbers
Australia (Long distance): +61 2 9087 3604
Austria (Long distance): +43 7 2088 1400
Belgium (Long distance): +32 (0) 92 98 0592
Canada (Long distance): +1 (647) 497-9350
Denmark (Long distance): +45 69 91 88 62
Finland (Long distance): +358 (0) 942 41 5778
France (Long distance): +33 (0) 182 880 456
Germany (Long distance): +49 (0) 692 5736 7211
Ireland (Long distance): +353 (0) 14 845 976
Italy (Long distance): +39 0 247 92 12 39
Netherlands (Long distance): +31 (0) 208 080 379
New Zealand (Long distance): +64 4 974 7215
Norway (Long distance): +47 21 03 58 96
Spain (Long distance): +34 911 82 9782
Sweden (Long distance): +46 (0) 313 613 558
Switzerland (Long distance): +41 (0) 225 3314 51
United Kingdom (Long distance): +44 (0) 20 3535 0621
_______________________________________________
Openid-specs-risc mailing list
Openid-specs-risc at lists.openid.net<mailto:Openid-specs-risc at lists.openid.net>
https://urldefense.com/v3/__http://lists.openid.net/mailman/listinfo/openid-specs-risc__;!0Ns9_1dOjwg!JY0jeiE4y3ye6E_-a2dSiCZEgxpThPrsPV4nY70cbzPqHfMOwaGfEeRrVv7o5ntJoOLWS0s$<https://urldefense.com/v3/__http:/lists.openid.net/mailman/listinfo/openid-specs-risc__;!0Ns9_1dOjwg!JY0jeiE4y3ye6E_-a2dSiCZEgxpThPrsPV4nY70cbzPqHfMOwaGfEeRrVv7o5ntJoOLWS0s$>
________________________________


The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.


________________________________


The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20191206/4f25fac8/attachment-0001.html>

More information about the Openid-specs-risc mailing list