[Openid-specs-risc] Feedback on the draft spec

Stan Bounev stanb at vericlouds.com
Tue May 26 23:45:46 UTC 2020


Hi all,

We have a new PR about the ‘compromised’ use case. I would like to ask you if you could provide feedback - https://bitbucket.org/openid/risc/pull-requests/2/add-compromised-credential-use-case/diff

Here is more detail that also provides some of the main points that will be included in a potential ‘compromised’ event.


  1.  Transmitter finds compromised credential with the RP domain
  2.  Transmitter sends the compromised event that includes the identifier
  3.  RP acknowledges whether this is or is not a valid identifier (user ID/email address).
  4.  RP either makes a request to the transmitter to get an identifier’s attribute (password) or chooses not to do that
  5.  If RP makes a request, the transmitter sends: a) identifier; b) credential type, e.g. ‘password’; c) credential hash; d) hash method.

#5 above could be a subject of an additional agreement between the transmitter and RP. The main reason for a separate agreement is that there are multiple ways the attribute could be sent based on receivers’ systems and regulations. My question to the group is if you agree to have a separate agreement outside of the event type or to find a way to standardize how to transmit the compromised attribute (i.e. password).

Thanks,
Stan
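
The five-step exchange listed in the message above, sketched from the RP's side as an added example that is not part of the original email or of the RISC PR. All field names, the method allow-list and the login-time check are assumptions made for illustration, and the credential hash is assumed to be an unsalted hex digest.

```python
import hashlib
import hmac

# Hypothetical field names and constructed sample values; the PR defines no wire format here.
ALLOWED_HASH_METHODS = {"sha256", "sha512"}  # assumption: methods agreed out of band


class Transmitter:
    def __init__(self, findings):
        self.findings = findings  # step 1: identifier -> (hash_method, hex digest)

    def compromised_event(self, identifier):
        # Step 2: the event itself carries only the identifier.
        return {"event": "compromised", "identifier": identifier}

    def credential_attribute(self, identifier):
        # Step 5: identifier, credential type, credential hash, hash method.
        method, digest = self.findings[identifier]
        return {"identifier": identifier, "credential_type": "password",
                "credential_hash": digest, "hash_method": method}


class RelyingParty:
    def __init__(self, users):
        self.users = set(users)
        self.watchlist = {}  # identifier -> (hash_method, hex digest)

    def handle_event(self, event, transmitter, want_attribute=True):
        ident = event["identifier"]
        if ident not in self.users:
            return "unknown_identifier"  # step 3: not a valid identifier
        if not want_attribute:
            return "acknowledged"  # step 4: RP chooses not to request the attribute
        attr = transmitter.credential_attribute(ident)
        if (attr["identifier"] != ident or attr["credential_type"] != "password"
                or attr["hash_method"] not in ALLOWED_HASH_METHODS):
            return "rejected"  # never pass an unvetted method name to hashlib
        self.watchlist[ident] = (attr["hash_method"], attr["credential_hash"].lower())
        return "watching"

    def password_is_compromised(self, ident, submitted_password):
        # Assumption: unsalted hex digest, so the RP can recompute it at login.
        if ident not in self.watchlist:
            return False
        method, digest = self.watchlist[ident]
        candidate = hashlib.new(method, submitted_password.encode()).hexdigest()
        return hmac.compare_digest(candidate, digest)
```

An RP that stores only salted password hashes cannot compare the transmitted hash against its own store, which is why this sketch defers the comparison to the next login, when the plaintext is briefly available.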


From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net> on behalf of Stan Bounev via Openid-specs-risc <openid-specs-risc at lists.openid.net>
Reply-To: Stan <stanb at vericlouds.com>
Date: Tuesday, May 26, 2020 at 10:09 AM
To: Atul Tulshibagwale <atultulshi at google.com>, Openid-specs-risc <openid-specs-risc at lists.openid.net>
Subject: Re: [Openid-specs-risc] Feedback on the draft spec

Hi all,

I had some issues with the permissions to Bitbucket and was not able to add the ‘compromised’ use case to the RISC spec. I just asked Marius if he could do it before the meeting at 10am.

In case he is not able to, I’ve attached the use case to this email.

I will be available during the meeting and after that to address questions about the use case.

Thanks,
Stan



From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net> on behalf of Atul Tulshibagwale via Openid-specs-risc <openid-specs-risc at lists.openid.net>
Reply-To: Atul Tulshibagwale <atultulshi at google.com>
Date: Tuesday, May 26, 2020 at 6:45 AM
To: Openid-specs-risc <openid-specs-risc at lists.openid.net>
Subject: [Openid-specs-risc] Feedback on the draft spec

Hi all,
Seeing some excellent feedback on the draft spec in the Google Doc below. Thanks to all those who have reviewed it.

For those who haven't seen it yet: If possible, please review the spec and add your feedback / comments before the call today, so that we can focus more on the feedback rather than introducing the changes in the call.

openid-sse-profile-draft <https://docs.google.com/document/d/1EShCGEAI_m3Syu5ZF-zcK-dAxEh4p_HrVNQA4kjKtOM/edit?usp=drive_web>

Thanks,
Atul