[Openid-specs-risc] Session Extension Event
Dawud Gordon
dawud at twosense.ai
Sat Aug 22 00:15:57 UTC 2020
Hey all,

I'm picking up a conversation we didn't get to on our last call.

I'm interested in finding a way to act as an agent-based trust provider.
Our customers want to set a shorter session, and only extend the session if
there is a reason to trust it. Our endpoint agent supplies trust to a
user/device/session, but is not a prerequisite for a connection. If the
agent is not present, the user can still access the system but is required
to derisk the situation themselves and provide the "extra" trust required,
for example with an MFA challenge every 30 mins. Customers actually see
this as a motivation for their users to put security agents on their BYOD
devices (e.g. install us or an MDM).

This is why I'm advocating for a "Session Extension" event.

Is there another way to implement this using events that are already
defined?

Otherwise I will draft the event and send that around for review before our
next call.

Cheers,
-dawud
--
Dawud Gordon, PhD
TWOSENSE.AI | CEO & Co-Founder
195 Montague St, Brooklyn, NY 11201
+1 (845) 652 3579
On Tue, Aug 18, 2020 at 10:40 AM Dawud Gordon <dawud at twosense.ai> wrote:
> Hello All,
>
> On our last call, I proposed adding an event to extend a session for a
> user+device+session.
>
> My goal was to enable CAE to perform with an IdP with a short session
> configuration, where signals and events keep sessions open when trusted,
> rather than only closing them when risk is identified.
>
> This was met with some resistance and I understand that CAEP is designed
> for long sessions with external risk signals instead of trust signals.
>
> From my perspective, we would only need one component for CAEP to support
> both modalities, which would be an event to push a trust-based session
> extension signal from a 3rd party to the IdP.
>
> Without this, it would be an IdP-specific implementation outside of CAEP.
>
> Are there previous discussions on this I can catch up on? Or any blatant
> reasons I'm overlooking why this is a bad idea?
>
> Thanks!
>
> Cheers,
> -dawud
>
> --
> Dawud Gordon, PhD
> TWOSENSE.AI | CEO & Co-Founder
> 195 Montague St, Brooklyn, NY 11201
> +1 (845) 652 3579
>