[Openid-specs-risc] draft agenda
Stan Bounev
stanb at vericlouds.com
Wed Jun 3 23:34:19 UTC 2020
Couple of points:
* I wasn’t able to do the PR as I didn’t have the right permission and Marius was kind enough to add it.
* I agree this is related to RISC. My understanding is that RISC gets merged with SSE. If not, I will continue working towards adding it to RISC spec.
* I didn’t provide the event details as we still haven’t discussed the use case. I can give you just very early draft thoughts about the event below. Will be happy to modify based on feedback.
Here is more detail that also provides some of the main points that will be included in a potential ‘compromised’ event.
1. Transmitter finds compromised credential with the RP domain
2. Transmitter sends the compromised event that includes the identifier
3. RP acknowledges whether this is or is not a valid identifier (user ID/email address).
4. RP either makes a request to transmitter to get an identifier’s attribute (password) or not to do that
5. If RP makes a request, the transmitter sends: a) identifier; b) credential type, e.g. ‘password;’ c) credential hash; d) hash method.
Event Type URI:
https://schemas.openid.net/secevent/risc/event-type/credential-compromised
Credential Compromised signals that a given credential for the account identified
by the Transmitter was compromised. If the exact same credential is used by the same
account then the Receiver should take action.
Attributes:
+ credential identifier:
    - user ID
    - email
    - phone
    - ...
+ credential type
    * password
    * …
+ identifier attribute:
    - credential-hash (password hash)
+ hash-method:
    - SHA-256
    - ...
Let me know what you think.
Thanks,
Stan
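
Receiver-side handling of the five-step flow and attribute list above, as an added example that is not part of this thread or of any RISC specification. The claim names (`identifier`, `credential_type`, `credential_hash`, `hash_method`), the hex-encoded unsalted SHA-256 over the UTF-8 password, and the choice to compare at the next login are assumptions; the sample event and account are constructed.

```python
import hashlib
import hmac

EVENT_TYPE = "https://schemas.openid.net/secevent/risc/event-type/credential-compromised"
HASHERS = {"SHA-256": hashlib.sha256}  # hash methods this receiver accepts (step 5d)

# Constructed sample data; every claim name below is an assumption, not from the thread.
KNOWN_USERS = {"alice@rp.example"}
SAMPLE_EVENT = {"iss": "https://transmitter.example",
                "events": {EVENT_TYPE: {"identifier": "alice@rp.example"}}}
SAMPLE_DETAILS = {"identifier": "alice@rp.example", "credential_type": "password",
                  "credential_hash": hashlib.sha256(b"hunter2").hexdigest(),
                  "hash_method": "SHA-256"}
flagged = {}  # identifier -> (hash_method, reported hash as lowercase hex)


def acknowledge(claims):
    """Steps 2-3: True/False if the identifier is/is not an account here; None if not this event."""
    body = claims.get("events", {}).get(EVENT_TYPE)
    if body is None:
        return None
    return body.get("identifier") in KNOWN_USERS


def record_details(details):
    """Step 5: keep the reported hash only if it can actually be compared against later."""
    ident, method = details.get("identifier"), details.get("hash_method")
    reported = details.get("credential_hash")
    if details.get("credential_type") != "password" or method not in HASHERS:
        return False  # unsupported type or method: nothing we could compare later
    if ident not in KNOWN_USERS or not isinstance(reported, str):
        return False
    flagged[ident] = (method, reported.lower())
    return True


def password_is_compromised(identifier, submitted_password):
    """At login: does the submitted password hash to the value the transmitter reported?"""
    entry = flagged.get(identifier)
    if entry is None:
        return False
    method, reported = entry
    digest = HASHERS[method](submitted_password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest.encode(), reported.encode())  # constant-time


if __name__ == "__main__":
    print(acknowledge(SAMPLE_EVENT), record_details(SAMPLE_DETAILS),
          password_is_compromised("alice@rp.example", "hunter2"))
```
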
From: Jordan Wright <jwright at duo.com>
Date: Wednesday, June 3, 2020 at 3:53 PM
To: Atul Tulshibagwale <atultulshi at google.com>
Cc: Stan <stanb at vericlouds.com>, Openid-specs-risc <openid-specs-risc at lists.openid.net>
Subject: Re: [Openid-specs-risc] draft agenda
I think a compromised credential event is very solidly in the RISC area of the spec, not CAEP. I'd be happy to discuss it during the workshop though.
I was looking around for the proposed event structure and couldn't find it. Stan, do you have a copy of the event details you're proposing? I see the use case, which I agree with and appreciate that it's high-level based on my previous feedback, but I'd be curious to read more about the details.
Thanks,
Jordan
On Wed, Jun 3, 2020 at 5:43 PM Atul Tulshibagwale via Openid-specs-risc <openid-specs-risc at lists.openid.net> wrote:
Also, I looked at your PR, it is modifying the wrong file. There's another file which is the CAEP use cases, we should add your use case there. Please talk to Asad Ali (copied) about that.
Thanks,
Atul
On Wed, Jun 3, 2020 at 3:37 PM Atul Tulshibagwale <atultulshi at google.com> wrote:
Hi Stan,
Happy to discuss the use case during the workshop. Should we schedule some time for it on Thursday (tomorrow)?
Thanks,
Atul
On Wed, Jun 3, 2020 at 2:51 PM Stan Bounev <stanb at vericlouds.com> wrote:
Hi Atul,
I would like to have the ‘compromised’ use case also considered for the SSE spec - after it gets feedback from the group and has an event created for it (assuming it passes the review). I sent an email with a request for feedback to the group on 5/26 (see attached). So far I haven’t received any feedback. Do you think we can discuss the use case as part of the SSE Virtual Workshop, either on day 1 or on day 2?
Thanks,
Stan
From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net> on behalf of Atul Tulshibagwale via Openid-specs-risc <openid-specs-risc at lists.openid.net>
Reply-To: Atul Tulshibagwale <atultulshi at google.com>
Date: Wednesday, June 3, 2020 at 9:55 AM
To: Openid-specs-risc <openid-specs-risc at lists.openid.net>
Subject: [Openid-specs-risc] draft agenda
Hi all,
I've put together a proposed agenda<https://docs.google.com/document/d/1ar7BCG7lXsCjaYN8yIeYQ4xf9Uj6W7euhViVmaCR31g/edit?usp=sharing>. Please feel free to suggest changes.
Thanks,
Atul
--
Jordan Wright
/ Principal R&D Engineer
jwright at duo.com
Duo.com <https://duo.com/>