[Openid-specs-risc] Session Extension Event
Atul Tulshibagwale
atultulshi at google.com
Mon Aug 24 16:20:18 UTC 2020
Hi Tim,
I'd started working on this doc, but I haven't made much progress. I don't
think I've uploaded the source to the repository.
We need to pick this up soon though. I was hoping to get clarity on the
subject identifiers issue before progressing on this, but perhaps we can
write the doc assuming we'll have subject categories in subject-identifiers
and then modify it if things change.
Atul
On Sun, Aug 23, 2020 at 4:37 PM Tim Cappalli <Tim.Cappalli at microsoft.com>
wrote:
> We don’t have an event type for “Session Events” (which I’d argue this is
> ultimately a session event), but I think this use case makes sense and
> should be added.
>
> @Atul Tulshibagwale <atultulshi at google.com> are we still just making
> proposed changes on this doc (
> https://docs.google.com/document/d/1jT12NVfmEryytrPMpQiCzfOXQ-8HfQFnLQStoSAbFhY/
> )?
>
> tim
>
> *From: *Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net>
> *Date: *Friday, August 21, 2020 at 20:24
> *To: *openid-specs-risc at lists.openid.net <
> openid-specs-risc at lists.openid.net>
> *Subject: *Re: [Openid-specs-risc] Session Extension Event
>
> Hey all,
>
> I'm picking up a conversation we didn't get to on our last call.
>
> I'm interested in finding a way to act as an agent-based trust provider.
>
> Our customers want to set a shorter session, and only extend the session
> if there is a reason to trust it. Our endpoint agent supplies trust to a
> user/device/session, but is not a prerequisite for a connection. If the
> agent is not present, the user can still access the system but is required
> to derisk the situation themselves and provide the "extra" trust required,
> for example with an MFA challenge every 30 mins. Customers actually see
> this as a motivation for their users to put security agents on their BYOD
> devices (e.g. install us or an MDM).
>
> This is why I'm advocating for a "Session Extension" event.
>
> Is there another way to implement this using events that are already
> defined?
>
> Otherwise I will draft the event and send that around for review before
> our next call.
>
> Cheers,
>
> -dawud
>
> --
> Dawud Gordon, PhD
> TWOSENSE.AI
> <http://twosense.ai/> |
> CEO & Co-Founder
>
> 195 Montague St, Brooklyn, NY 11201
>
> +1 (845) 652 3579
>
> On Tue, Aug 18, 2020 at 10:40 AM Dawud Gordon <dawud at twosense.ai> wrote:
>
> Hello All,
>
> On our last call, I proposed adding an event to extend a session for a
> user+device+session.
>
> My goal was to enable CAE to perform with an IdP with a short session
> configuration, where signals and events keep sessions open when trusted,
> rather than only closing them when risk is identified.
>
> This was met with some resistance and I understand that CAEP is designed
> for long sessions with external risk signals instead of trust signals.
>
> From my perspective, we would only need one component for CAEP to support
> both modalities, which would be an event to push a trust-based session
> extension signal from a 3rd party to the IdP.
>
> Without this, it would be an IdP specific implementation outside of CAEP.
>
> Are there previous discussions on this I can catch up on? Or any blatant
> reasons I'm overlooking why this is a bad idea?
>
> Thanks!
>
> Cheers,
>
> -dawud
>
> --
> Dawud Gordon, PhD
> TWOSENSE.AI
> <http://twosense.ai/> |
> CEO & Co-Founder
>
> 195 Montague St, Brooklyn, NY 11201
>
> +1 (845) 652 3579
>
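The IdP-side handling Dawud describes above (a third-party agent pushing a trust-based extension for a user+device+session, with the IdP otherwise falling back to its short-session policy), as an added Python example that is not from this thread or from any CAEP/SET draft. The event type URI, the user/device/session subject layout, the trusted-transmitter list and every sample value are constructed assumptions; the SET is assumed to have had its signature verified already.

```python
# Added example, not code from the thread or any CAEP/SET specification. The event
# type URI, subject layout, transmitter list and sample values are all assumptions.
SESSION_EXT_EVENT = "https://example.invalid/event-type/session-extension"  # hypothetical
TRUSTED_TRANSMITTERS = {"https://agent.example.invalid"}
IDP_AUDIENCE = "https://idp.example.invalid"
EXTENSION_SECONDS = 30 * 60          # one short-session period, as in the thread
MAX_LIFETIME_SECONDS = 8 * 60 * 60   # hard cap no number of extensions can exceed

def handle_session_extension(claims: dict, sessions: dict, now: float) -> bool:
    """Apply one signature-verified SET to the IdP's session store. Returns True only
    if a live session was extended; on False the IdP keeps its short-session policy."""
    if claims.get("iss") not in TRUSTED_TRANSMITTERS:
        return False                              # only enrolled agents may extend
    if claims.get("aud") != IDP_AUDIENCE:
        return False                              # SET must be addressed to this IdP
    event = claims.get("events", {}).get(SESSION_EXT_EVENT)
    if not event:
        return False
    subject = event.get("subject", {})
    try:   # require the full user+device+session binding, not just a user
        sess_id = subject["session"]["id"]
        user = subject["user"]["email"]
        device = subject["device"]["id"]
    except KeyError:
        return False
    session = sessions.get(sess_id)
    if session is None or session["expires_at"] <= now:
        return False                              # never revive an expired session
    if session["user"] != user or session["device"] != device:
        return False                              # event must match the session's binding
    new_expiry = min(now + EXTENSION_SECONDS,
                     session["created_at"] + MAX_LIFETIME_SECONDS)
    if new_expiry <= session["expires_at"]:
        return False                              # nothing to extend (or cap reached)
    session["expires_at"] = new_expiry
    return True

def demo(now: float = 1_598_000_000.0) -> dict:
    """Constructed sample: a session 5 min from expiry plus a matching event."""
    sessions = {"s1": {"user": "alice@example.invalid", "device": "dev-42",
                       "created_at": now - 25 * 60, "expires_at": now + 5 * 60}}
    claims = {"iss": "https://agent.example.invalid", "aud": IDP_AUDIENCE,
              "iat": int(now), "jti": "constructed-jti-1",
              "events": {SESSION_EXT_EVENT: {"subject": {
                  "user": {"format": "email", "email": "alice@example.invalid"},
                  "device": {"format": "opaque", "id": "dev-42"},
                  "session": {"format": "opaque", "id": "s1"}}}}}
    extended = handle_session_extension(claims, sessions, now)
    return {"extended": extended, "expires_at": sessions["s1"]["expires_at"]}
```

A production handler would additionally verify the SET signature and track `jti` values so a captured extension event cannot be replayed.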