[Openid-specs-risc] Call notes

Atul Tulshibagwale atultulshi at google.com
Tue Mar 23 18:16:53 UTC 2021 

Hi all,
Here are the notes from today's call, document available here
<https://docs.google.com/document/d/1ZFwJJDwwSBNKX35VObClC1ctMbMMuHJtr5qY-7xsLW8/edit#>
:
Call on 3/23/2021

Attendees:

   -

   Atul Tulshibagwale (Google)
   -

   Matt Domsch (SailPoint)
   -

   Asad Ali (Thales)
   -

   Tim (Microsoft)
   -

   Annabelle (AWS)

Agenda:

   -

   Timestamping
   -

   Merge to master
   -

   Compromised Credentials
   -

   RISC Sessions Revoked vs CAEP Session Revoked


Notes:

   -

   Not every event will have a time instant so there is no event timestamp
   in the SSE spec
   -

   For example, the compromised credentials event can say when the
   credential was detected to be compromised but not when it was compromised
   -

   The SSE spec could contain guidance on if there is a timestamp
   associated with an event, then what format and semantics it should have
   -

   Should a timestamp be required in all CAEP events? E.g. Assurance level
   change or device compliance change may not have a known time of failure
   -

   The timestamp can / should indicate the decision of the Transmitter, not
   the actual time at which the event happened
   -

   Two timestamps in the same payload is not desirable from an
   implementation point of view
   -

   Should we recommend using a separate timestamp claim only if the event
   decision time is meaningfully different from the SET issue time
   -

   Implementation is cleaner if the timestamp claim always exists in the
   CAEP events
   -

   Timestamps are easy to code into the event, but are they easy to arrive
   at for every event type?
   -

   Example: identifier change - there is a concrete time when the
   identifier was changed, say by the end-user. The Transmitter has that
   information at the time the change happened, but that is not necessarily
   when the SET was minted
   -

   In the above example, the audit log will carry the event time, which can
   be added to the SET as a timestamp claim
   -

   In the CAEP spec, the timestamp claim may not be required for all
   events. The timestamp, if present, will always mean when the event
   occurred, but the event definition can indicate whether the event means
   that the Transmitter made the decision or when the actual state change
   happened





Atul Tulshibagwale

Software Engineer,

Google Workspace

atultulshi at google.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20210323/c91c184d/attachment.html>

More information about the Openid-specs-risc mailing list