[Openid-specs-risc] event proposal: credential-compromised

Stan Bounev stanb at vericlouds.com
Mon Dec 23 02:00:51 UTC 2019


Marius, thanks for sending. Such an event can unlock a lot of additional value from this WG. I agree with Annabelle’s points. I suggest we collect feedback from the rest of the group and then address all of it at the same time.

Stan

From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net> on behalf of "Richard Backman, Annabelle via Openid-specs-risc" <openid-specs-risc at lists.openid.net>
Reply-To: "Richard Backman, Annabelle" <richanna at amazon.com>
Date: Saturday, December 21, 2019 at 10:37 PM
To: Marius Scurtescu <marius.scurtescu at coinbase.com>
Cc: "openid-specs-risc at lists.openid.net" <openid-specs-risc at lists.openid.net>
Subject: Re: [Openid-specs-risc] event proposal: credential-compromised

We need to be very careful if we’re going to include credentials or artifacts derived from credentials in events. A plain hash of the password is vulnerable to rainbow tables and cracking rigs. A hash of a PIN is especially vulnerable, given the reduced search space.
Sent from my iPad


On Dec 20, 2019, at 8:13 PM, Marius Scurtescu via Openid-specs-risc <openid-specs-risc at lists.openid.net> wrote:
A new RISC event type came up while looking at clearing house use cases, see meeting notes for December 10.

   Event Type URI:
   https://schemas.openid.net/secevent/risc/event-type/credential-compromised

   Credential Compromised signals that a given credential for the account identified
   by the subject was compromised. If the exact same credential is used by the same
   account then the Receiver should take action.

   Attributes:
     - credential-type:
       - password
       - PIN
       - ...
     - credential-hash
     - hash-method:
       - SHA-256
       - ...

   {
     "iss": "https://idp.example.com/",
     "jti": "756E69717565206964656E746966696572",
     "iat": 1508184845,
     "aud": "636C69656E745F6964",
     "events": {
       "https://schemas.openid.net/secevent/risc/event-type/credential-compromised": {
         "subject": {
           "subject_type": "iss-sub",
           "iss": "https://idp.example.com/",
           "sub": "7375626A656374"
         },
         "credential-type": "password",
         "credential-hash": "41ef4bb0b23661e66301aac36066912dac037827b4ae63a7b1165a5aa93ed4eb",
         "hash-method": "SHA-256"
       }
     }
   }


Keep in mind that an event like this is useful not only for a clearing house use case but for all implicit and pseudo implicit use cases, see sections 3.3, 3.4 and 3.5:
https://tools.ietf.org/html/draft-scurtescu-secevent-risc-use-cases
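As an added example (not code from any message in this thread, and not an implementation from the RISC working group), the following Python builds a credential-compromised SET payload in the proposed shape, applies the Receiver rule from the proposal (act only if the account's current credential hashes to the reported credential-hash), and quantifies the concern raised about PINs: an unsalted SHA-256 of a 4-digit PIN is recovered by enumerating the 10,000-value space. The issuer, jti and aud values are constructed placeholders, and signing/validation of the SET is out of scope.

```python
import hashlib
import itertools
import json
from typing import Optional

EVENT_TYPE = "https://schemas.openid.net/secevent/risc/event-type/credential-compromised"


def credential_hash(credential: str, hash_method: str = "SHA-256") -> str:
    """Plain digest of the credential bytes, as the proposal's credential-hash implies."""
    if hash_method != "SHA-256":
        raise ValueError(f"unsupported hash-method: {hash_method}")
    return hashlib.sha256(credential.encode("utf-8")).hexdigest()


def build_set_payload(sub: str, credential_type: str, credential: str) -> str:
    """Constructed SET payload in the proposal's shape (toy issuer, unsigned)."""
    return json.dumps({
        "iss": "https://idp.example.com/",
        "jti": "constructed-jti-0001",   # placeholder, not a real token id
        "iat": 1508184845,
        "aud": "constructed-aud",        # placeholder audience
        "events": {
            EVENT_TYPE: {
                "subject": {"subject_type": "iss-sub",
                            "iss": "https://idp.example.com/", "sub": sub},
                "credential-type": credential_type,
                "credential-hash": credential_hash(credential),
                "hash-method": "SHA-256",
            }
        },
    })


def receiver_should_act(set_payload: str, current_credential: str) -> bool:
    """Receiver rule from the proposal: act only when the account's current
    credential is the exact credential reported as compromised."""
    event = json.loads(set_payload)["events"][EVENT_TYPE]
    return credential_hash(current_credential, event["hash-method"]) == event["credential-hash"]


def recover_pin(digest: str, pin_length: int = 4) -> Optional[str]:
    """The PIN caveat, quantified: with no salt and a small search space, the
    credential-hash attribute discloses the PIN after at most 10**pin_length digests."""
    for digits in itertools.product("0123456789", repeat=pin_length):
        candidate = "".join(digits)
        if credential_hash(candidate) == digest:
            return candidate
    return None
```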

