[Openid-specs-risc] Notes from today's call

Atul Tulshibagwale atultulshi at google.com
Tue Mar 30 18:03:02 UTC 2021


Hi all,
Here are the notes from today's call, also captured in this doc
<https://docs.google.com/document/d/1ZFwJJDwwSBNKX35VObClC1ctMbMMuHJtr5qY-7xsLW8/edit>:
Call on 3/30/2021

Attendees:

   - Atul Tulshibagwale (Google)
   - Matt Domsch (SailPoint)
   - Hazel Kennedy (UK FCO)
   - Martin Gallo (SecureAuth)
   - Jeff Broberg (SecureAuth)
   - Lee Tschetter (Okta)
   - Rich Smith (Gemini)
   - Stan Bounev (VeriClouds)
   - Tim Cappalli (Microsoft)


Agenda:

   - Merge to master
   - RISC Sessions Revoked vs CAEP Session Revoked
   - Compromised Credentials
   - Naming


Notes:

Event Separation

   - There are three namespaces in the set of specs - SSE, CAEP and RISC.
     There isn't a lot of overlap, but there are some properties that are
     required in CAEP while the same event doesn't have anything required in
     RISC.
   - RISC "sessions-revoked" versus CAEP "session-revoked"; RISC
     "account-credential-change-required" versus CAEP "credential-change".
   - Credential change in CAEP is an indication that something has already
     occurred. The RISC event seems identical to that.
   - Hard to understand the difference between CAEP and RISC overlapping
     event types from an implementer's point of view.
   - Many RISC events could be acted upon by doing a GET on the User object
     in SCIM. Almost all RISC events are signalling an interesting change in
     the user object.
   - There is a good bit of legal work that has gone into RISC event
     definition, so we should keep it the same even if there is overlap with
     RISC.
   - As long as we can explain the difference between RISC and CAEP clearly.
   - "Sessions-revoked" versus "session-revoked" is the only real one we need
     to worry about.
   - You could achieve the same effect with CAEP "session-revoked" that you
     can with RISC "sessions-revoked".
   - Should we call RISC "sessions-revoked" deprecated in favor of the CAEP
     "session-revoked", and provide an example of how the CAEP event can be
     used to achieve the same effect?

Compromised credentials

   - Timestamp property can be the same as that used by the other CAEP
     events.
   - Is "compromised credentials" a RISC or CAEP event? It was initially
     thought of as a RISC event, but it can be in either.
   - Based on the definition of RISC vs CAEP, it makes more sense to be a
     RISC event.
   - The second use case was when the Transmitter determines that the
     credential may be compromised. The concern in the last call was that
     some Transmitters may be more aggressive than others.
   - The event definition should clarify that it is a "transmitter decision"
     and not an absolute determination.
   - The spec should not recommend any action by the receiver of such an
     event.
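To make the two points above concrete (a CAEP "session-revoked" addressed to a user subject achieving the same effect as RISC "sessions-revoked", and "compromised credentials" being a transmitter decision that the spec leaves the receiver to act on under its own policy), here is a small receiver-side dispatcher. It is an added illustration, not code from the working group or from any SSE implementation. It assumes the published `schemas.openid.net` event-type URIs for the two session-revocation events, that the subject may appear either inside the event payload (`subject`) or at the SET level (`sub_id`) as the SSE drafts have varied, that CAEP events carry `event_timestamp`, and it uses an explicitly labelled placeholder URI for the compromised-credentials event, whose name the notes do not fix. The SET bodies are constructed samples; signature verification of the JWT is assumed to have happened before `dispatch` is called.

```python
import json
from dataclasses import dataclass
from typing import Optional

RISC = "https://schemas.openid.net/secevent/risc/event-type/"
CAEP = "https://schemas.openid.net/secevent/caep/event-type/"

RISC_SESSIONS_REVOKED = RISC + "sessions-revoked"
CAEP_SESSION_REVOKED = CAEP + "session-revoked"
# The notes do not settle a URI for the compromised-credentials event: placeholder only.
COMPROMISED_CREDENTIALS = RISC + "compromised-credentials-PLACEHOLDER"


@dataclass
class Action:
    kind: str                      # what the receiver will do
    subject: dict                  # subject identifier exactly as the transmitter sent it
    event_type: str
    event_timestamp: Optional[int]
    note: str = ""


def subject_of(claims: dict, payload: dict) -> dict:
    """Accept the subject in the event payload ("subject") or at SET level ("sub_id")."""
    return payload.get("subject") or claims.get("sub_id") or {}


def dispatch(set_payload: str) -> list:
    """Map every event in one decoded, signature-verified SET body to a receiver action."""
    claims = json.loads(set_payload)
    actions = []
    for event_type, payload in claims.get("events", {}).items():
        subject = subject_of(claims, payload)
        ts = payload.get("event_timestamp")
        if event_type.startswith(CAEP) and ts is None:
            # Assumption: CAEP events always carry event_timestamp, so its absence is malformed input.
            raise ValueError(f"{event_type} is missing event_timestamp")

        if event_type in (RISC_SESSIONS_REVOKED, CAEP_SESSION_REVOKED):
            # Identical receiver action: every session bound to this subject is no longer valid.
            actions.append(Action("revoke_sessions", subject, event_type, ts))
        elif event_type == COMPROMISED_CREDENTIALS:
            # A transmitter decision, not an absolute determination: record it and let local
            # policy decide. The event itself prescribes no receiver action.
            actions.append(Action("flag_for_review", subject, event_type, ts,
                                  note="transmitter-assessed; apply local policy"))
        else:
            actions.append(Action("ignore", subject, event_type, ts, note="unhandled event type"))
    return actions


# Constructed sample SET bodies (decoded claims; JWT header and signature omitted).
_SUBJECT = {"format": "email", "email": "user@example.com"}

RISC_SET = json.dumps({
    "iss": "https://idp.example", "jti": "risc-1", "iat": 1617127382,
    "aud": "https://rp.example",
    "events": {RISC_SESSIONS_REVOKED: {"subject": _SUBJECT}}})

CAEP_SET = json.dumps({
    "iss": "https://idp.example", "jti": "caep-1", "iat": 1617127382,
    "aud": "https://rp.example",
    "events": {CAEP_SESSION_REVOKED: {
        "subject": _SUBJECT,
        "event_timestamp": 1617127382,
        "reason_admin": {"en": "All sessions for this user revoked"}}}})

COMPROMISE_SET = json.dumps({
    "iss": "https://idp.example", "jti": "cc-1", "iat": 1617127382,
    "aud": "https://rp.example",
    "events": {COMPROMISED_CREDENTIALS: {
        "subject": _SUBJECT,
        "event_timestamp": 1617127382}}})

if __name__ == "__main__":
    for body in (RISC_SET, CAEP_SET, COMPROMISE_SET):
        for a in dispatch(body):
            print(a.kind, a.event_type.rsplit("/", 1)[-1], a.subject, a.note)
```

Running the block prints `revoke_sessions` for both the RISC and the CAEP body with the same subject, which is the deprecation argument from the notes in executable form, and `flag_for_review` for the compromised-credentials body, where the receiver's own policy, not the event, decides what happens next.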


Naming:

   - Proposal: Rename the "CAEP Event Types" and "RISC Event Types" specs to
     simply CAEP and RISC respectively. Update the specs to refer to the SSE
     profile.

Atul Tulshibagwale

Software Engineer,

Google Workspace

atultulshi at google.com