[Openid-specs-risc] "Credential compromise" event discussion tomorrow
Stan Bounev
stanb at vericlouds.com
Tue Mar 2 07:29:41 UTC 2021
Hi all,
I’d like to add for discussion tomorrow the “credential compromise” event. I’d like to get feedback. See below.
Thanks,
Stan
<section anchor="credential-compromise-examples" title="Examples">
<t>NOTE: The event type URI is wrapped, the backslash is the continuation character.</t>
<t>Credential Compromised signals that the identifier specified in the subject was found to be compromised. The subject type MUST be either <spanx style="verb">email</spanx> or <spanx style="verb">phone</spanx>.</t>
<figure title="Example: Compromised credential found" anchor="credential-compromise-example"><artwork type="json"><![CDATA[
{
  "iss": "https://idp.example.com/3456790/",
  "jti": "756E69717565206964656E746966696572",
  "iat": 1508184845,
  "aud": "https://sp.example2.net/caep",
  "events": {
    "https://schemas.openid.net/secevent/risc/event-type/credential-compromise": {
      "subject": {
        "subject_type": "iss-sub",
        "iss": "https://idp.example.com/3456790/",
        "sub": "joe.smith@example.com"
      },
      "credential-compromise-id": "email"
    }
  }
}
]]></artwork></figure>
</section>
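What a receiver would do with the proposed event, as an added example (not code from the thread, the RISC profile or the SSE drafts). It verifies the SET envelope before touching the payload, enforces the Subject Identifiers rule Atul cites later in the thread (a subject claim carries only its subject_type's own members, so a stray "spag_id" is rejected), then applies the constraints in the proposed section text (subject_type email or phone, credential-compromise-id email or phone). Assumptions not stated on the page: the SET is a compact JWS signed with HS256 over a shared key so it runs offline (real RISC transmitters sign with an asymmetric key); an email subject carries its address in "email" and a phone subject its number in "phone"; whether credential-compromise-id must equal the subject_type is not said, so only membership in {email, phone} is checked. The sample SET and key are constructed; the subject is "email" rather than the "iss-sub" of the example above because that is what the proposed MUST requires.

```python
"""Receiver-side handling of the proposed "credential-compromise" SET.

Added example; claim names, HS256 signing and the sample data are assumptions
or constructed for the demo, not taken from the thread or the drafts.
"""
import base64
import hashlib
import hmac
import json
import time

EVENT_TYPE = ("https://schemas.openid.net/secevent/risc/event-type/"
              "credential-compromise")

# Members each subject_type may carry. Subject Identifiers rule: nothing
# beyond the type's own members (so no "spag_id" or other common claims).
SUBJECT_CLAIMS = {
    "email": {"email"},
    "phone": {"phone"},          # member name is an assumption
    "iss-sub": {"iss", "sub"},
}
ALLOWED_SUBJECT_TYPES = {"email", "phone"}   # from the proposed section text
CREDENTIAL_IDS = {"email", "phone"}          # assumed value set of the claim


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_set(claims, key):
    """Transmitter side: compact HS256 SET with typ=secevent+jwt (demo only)."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    parts = [_b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_set(token, key, expected_aud, now=None):
    """Receiver side: check signature and envelope before reading any event."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("aud") != expected_aud:
        raise ValueError("aud mismatch")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 300:
        raise ValueError("iat missing or in the future")
    if "jti" not in claims or "iss" not in claims:
        raise ValueError("missing jti or iss")
    return claims


def check_subject(subject):
    """Enforce the one-type, one-member-set rule; return the subject_type."""
    stype = subject.get("subject_type")
    if stype not in SUBJECT_CLAIMS:
        raise ValueError(f"unknown subject_type {stype!r}")
    members = set(subject) - {"subject_type"}
    extra, missing = members - SUBJECT_CLAIMS[stype], SUBJECT_CLAIMS[stype] - members
    if extra or missing:
        raise ValueError(f"subject_type {stype}: extra={sorted(extra)} "
                         f"missing={sorted(missing)}")
    return stype


def handle_credential_compromise(claims):
    """Return the action the receiver should take for an already verified SET."""
    event = claims.get("events", {}).get(EVENT_TYPE)
    if event is None:
        raise ValueError("no credential-compromise event")
    stype = check_subject(event["subject"])
    if stype not in ALLOWED_SUBJECT_TYPES:
        raise ValueError(f"credential-compromise requires an email or phone "
                         f"subject, got {stype}")
    cred = event.get("credential-compromise-id")
    if cred not in CREDENTIAL_IDS:
        raise ValueError(f"bad credential-compromise-id {cred!r}")
    return {"action": "force_credential_reset", "credential": cred,
            "identifier_type": stype, "identifier": event["subject"][stype],
            "jti": claims["jti"]}


def rejection_reason(event):
    """Why the receiver would reject an event payload ('' if it is accepted)."""
    try:
        handle_credential_compromise({"jti": "demo", "events": {EVENT_TYPE: event}})
        return ""
    except (ValueError, KeyError) as err:
        return str(err)


KEY = b"constructed demo key, not for production"
AUD = "https://sp.example2.net/caep"


def demo():
    """Constructed SET mirroring the thread's example, with an email subject."""
    claims = {
        "iss": "https://idp.example.com/3456790/",
        "jti": "756E69717565206964656E746966696572",
        "iat": 1508184845,
        "aud": AUD,
        "events": {EVENT_TYPE: {
            "subject": {"subject_type": "email", "email": "joe.smith@example.com"},
            "credential-compromise-id": "email",
        }},
    }
    token = sign_set(claims, KEY)
    return handle_credential_compromise(verify_set(token, KEY, AUD, now=1508184900))


if __name__ == "__main__":
    print(demo())
```

Running the module prints the reset action for the constructed SET; feeding `rejection_reason` the "iss-sub" subject from the example above returns the MUST violation, and a subject with an added "spag_id" member is rejected by `check_subject` before the event is even examined, which is the point of the Subject Identifiers rule.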
From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net> on behalf of Atul Tulshibagwale via Openid-specs-risc <openid-specs-risc at lists.openid.net>
Date: Monday, February 22, 2021 at 5:51 PM
To: Openid-specs-risc <openid-specs-risc at lists.openid.net>
Subject: Re: [Openid-specs-risc] "Compound" subject types in SSE
Hi all,
A quick reminder to please review this proposal and provide your feedback and / or comments. It'll be good to review the feedback in the call on Tuesday next week.
Thanks,
Atul
On Tue, Feb 16, 2021 at 12:22 PM Atul Tulshibagwale <atultulshi at google.com> wrote:
Hi all,
We discussed an important topic on the call today, and some of us had separately discussed this earlier. There are a couple of issues with the draft today:
1. The use of "common claims" e.g. "spag_id" conflicts with the Subject Identifiers draft that specifies claims other than those defined within the "subject_type" definition must not be included in a subject claim of that subject_type.
2. We defined a specific "user-device-session" subject type, but are now discovering use cases that create a multitude of other possibilities. The immediate one that caused this discussion was the use of an "application" principal. The use case is where a Transmitter may want to invalidate sessions associated with a specific application on a specific user or device.
To address both these issues, Tim Cappalli (Microsoft) and I came up with this proposal to create multi-valued or "compound" subject claims in SSE events. This will not require the use of common claims such as "spag_id", but we can create specific new subject_types such as "tenant" or "OU" as needed.
Please review the proposal here: <https://docs.google.com/document/d/1stTI18cQy8zTw0u0UjC6NLkjBZAYEU1kNCDru7dEdfQ/edit?usp=sharing>. It will be great if you can provide your comments and feedback in the next couple of weeks so that we can have a productive discussion in our next call on March 2nd. If we can make sufficient progress in the call there, we can incorporate the changes into the draft.
Thanks,
Atul
Atul Tulshibagwale
Software Engineer,
Google Workspace
atultulshi at google.com