[Openid-specs-risc] RISC spec, Credential Compromised event
Martin Gallo
mgallo at secureauth.com
Thu May 6 12:03:43 UTC 2021
Hello everyone!
I was unable to attend Tuesday's meeting but wanted to provide some feedback, which I think might be too broad for a comment in the PR.
For an Identity Provider, Credential Compromised is an event type that is really interesting, as it's actionable and from my perspective fits within RISC's scope. I see use cases where we can benefit from having a standardized profile to represent and exchange those events, and it's great that it's being considered. However, I have some questions about how it's currently represented and want to open it up to exchange feedback:
1. I'm not completely sure that the definition of "credential" is clear from the event type definition proposed. The definition is that "the event signals that the identifier specified in the subject (an email) was found to be compromised" but we're calling it "Credential compromise".
* Does "credential" in this context mean that the subject's email account was compromised?
* Or was the combination of the subject identifier (email) and a given authentication factor (e.g. a password) found compromised at some point?
I've seen a couple of cases where "compromised credential" might be interpreted as "compromised account", and I'm not sure if we should be clearer to avoid that. Along the same lines, considering expanding the event to other subject types triggers similar questions (e.g. what would be the credential related to a session found to be compromised? If thinking about device-level authn certificates, shouldn't the certificate be the subject's compromised credential instead of the device?)
2. For the event to be actionable, I think it would be important to carry some meaning of timing.
* Does it make sense to include date of exposure? (e.g. when the subject's record was published)
* Does it make sense to include date of identification of the exposure? (e.g. when the transmitter identified the subject's record)
* Might make sense to incorporate something like "event_timestamp" as in CAEP events?
Let me know, guys, if I'm going too far into the logic of transmitters/receivers.
Regards,
Martin.
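As an added illustration of the timing questions raised above (example code, not from this thread, the PR, or the RISC spec): a Python sketch of the unsigned SET claims such an event might carry, plus a receiver-side check showing why the timestamps matter for actionability. The event-type URI, the exposure_timestamp and identification_timestamp claim names, and the RFC 9493 email subject format are assumptions; event_timestamp follows the CAEP convention the message mentions.

```python
# Hypothetical event-type URI: the thread does not fix the final one.
EVENT_TYPE = "https://schemas.openid.net/secevent/risc/event-type/credential-compromise"


def build_credential_compromise_set(issuer, audience, jti, email,
                                    exposed_at, identified_at, event_timestamp):
    """Build the (unsigned) JWT claims set for a RISC SET carrying the event.

    All timestamps are NumericDate (seconds since epoch), as in a SET.
    exposed_at: when the subject's record was published (exposure date).
    identified_at: when the transmitter found the record (identification date).
    event_timestamp: CAEP-style time of the event itself.
    exposure_timestamp / identification_timestamp are hypothetical claim names.
    """
    return {
        "iss": issuer,
        "aud": audience,
        "jti": jti,
        "iat": event_timestamp,
        "events": {
            EVENT_TYPE: {
                # Subject Identifier (RFC 9493 email format) is an assumption here.
                "subject": {"format": "email", "email": email},
                "event_timestamp": event_timestamp,
                "exposure_timestamp": exposed_at,
                "identification_timestamp": identified_at,
            }
        },
    }


def receiver_action(set_claims, last_credential_change):
    """Receiver-side decision illustrating why timing is needed.

    The event is only actionable if the credential currently in use may be the
    exposed one: if the subject already rotated the credential after the
    exposure, no reset is needed. With no usable exposure time we fall back to
    event_timestamp, and with no timing at all we must assume the worst.
    """
    event = set_claims["events"][EVENT_TYPE]
    exposed = event.get("exposure_timestamp") or event.get("event_timestamp")
    if exposed is None:
        return "force_reset"
    if last_credential_change is not None and last_credential_change > exposed:
        return "no_action"
    return "force_reset"
```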
From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net> On Behalf Of Stan Bounev via Openid-specs-risc
Sent: Monday, May 3, 2021 8:55 PM
To: Atul Tulshibagwale <atultulshi at google.com>; Openid-specs-risc <openid-specs-risc at lists.openid.net>
Subject: [Openid-specs-risc] RISC spec, Credential Compromised event
Hi All,
We have a Credential Compromised PR added to the RISC spec. I'd like to ask you for feedback ahead of our meeting tomorrow. Here is the link - https://bitbucket.org/openid/risc/pull-requests/11
Thanks,
Stan
-----------------------------------------
Stan Bounev
VeriClouds | https://www.vericlouds.com
1455 NW Leary Way Ste. 400, Seattle, WA 98107
Direct: 650-353-7269 | stanb at vericlouds.com