[Openid-specs-risc] RISC spec, Credential Compromised event
Stan Bounev
stanb at vericlouds.com
Fri May 7 18:22:47 UTC 2021
Hi Martin,
Thanks for the feedback. I will give you my take on your questions below.
* Does “credential” in this context mean that the subject’s email account was compromised?
[Stan] The choice of “credential” is to be able to account for ‘email,’ or ‘phone’. I will add ‘phone’ to the next update.
* …considering expanding the event to other subject types triggers similar questions (e.g. what would be the credential related to a session found to be compromised? If thinking about device-level authn certificates, shouldn’t the certificate be the subject compromised credential instead of the device?)
[Stan] ‘Session’ compromise will probably fall under some of the other events from the SSE spec. However, authN certificates could also be added to ‘credential compromise.’ I will pose this question to the group next time.
* For the event to be actionable, I think it would be important to carry some meaning of timing.
[Stan] Agreed. We will have two optional dates – date of exposure (when the credential was compromised) and date when the exposure was identified – i.e. when the credential was leaked.
Thanks,
Stan
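Stan’s reply above describes the event shape: an email or phone subject plus two optional dates (exposure and identification). As an added example that is not code from the thread or from the RISC spec, here is a Python sketch of the unsigned SET payload (RFC 8417 layout) for such an event and a receiver-side triage that uses those dates to decide whether the event is actionable; the event-type URI and the two date claim names are placeholders, since the thread does not name them, and all timestamps are NumericDate integers like `iat`.

```python
import time

# Placeholder event-type URI: the PR under discussion defines the real one; the thread does not name it.
CREDENTIAL_COMPROMISE = "urn:example:risc:credential-compromise"
# Assumed claim names for the two optional dates Stan describes (not taken from the thread).
EXPOSED_AT = "exposure_date"           # when the credential was compromised
IDENTIFIED_AT = "identification_date"  # when the transmitter found the leak
SUPPORTED_SUBJECT_FORMATS = {"email", "phone_number"}  # RFC 9493 subject identifier formats

def build_set(issuer, audience, subject, exposed_at=None, identified_at=None, now=None):
    """Return the unsigned SET payload (RFC 8417 layout) for one credential-compromise event.
    All timestamps are NumericDate integers, like 'iat'."""
    now = int(time.time()) if now is None else now
    event = {"subject": subject}
    if exposed_at is not None:
        event[EXPOSED_AT] = exposed_at
    if identified_at is not None:
        event[IDENTIFIED_AT] = identified_at
    return {"iss": issuer, "aud": audience, "iat": now,
            "jti": f"constructed-{now}",  # constructed id; use a random one in practice
            "events": {CREDENTIAL_COMPROMISE: event}}

def triage(payload, expected_iss, expected_aud, last_rotation=None):
    """Receiver-side decision for a parsed SET payload (signature already verified).
    last_rotation: NumericDate of the subject's most recent credential change, if known."""
    if payload.get("iss") != expected_iss or payload.get("aud") != expected_aud:
        return "reject"            # wrong transmitter or not addressed to this receiver
    event = payload.get("events", {}).get(CREDENTIAL_COMPROMISE)
    if event is None:
        return "ignore"            # some other event type; not handled here
    subject = event.get("subject", {})
    if subject.get("format") not in SUPPORTED_SUBJECT_FORMATS:
        return "unsupported"       # only the identifier types the event currently covers
    exposed, identified = event.get(EXPOSED_AT), event.get(IDENTIFIED_AT)
    if exposed is not None and identified is not None and exposed > identified:
        return "reject"            # a leak cannot be identified before it happened
    if exposed is not None and last_rotation is not None and last_rotation > exposed:
        return "already_rotated"   # credential was changed after the exposure; nothing to do
    return "force_rotation"        # no timing to rule it out: treat the event as actionable
```

Without the exposure date a receiver cannot tell a stale leak from a fresh one and has to act on every event, which is the actionability point Martin raises.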
From: Martin Gallo <mgallo at secureauth.com>
Date: Thursday, May 6, 2021 at 5:03 AM
To: openid-specs-risc at lists.openid.net <openid-specs-risc at lists.openid.net>, Stan Bounev <stanb at vericlouds.com>, Atul Tulshibagwale <atultulshi at google.com>
Subject: RE: RISC spec, Credential Compromised event
Hello everyone!
I was unable to attend Tuesday’s meeting but wanted to provide some feedback, which I think might be too broad for a comment in the PR.
For an Identity Provider, the Credential Compromised is an event type that is really interesting as it’s actionable and in my perspective fits with RISC’s scope. I see use cases where we can benefit from having a standardized profile to represent and exchange those events, and it’s great that it’s being considered. However, I’ve some questions about how it’s currently represented and want to open it up to exchange feedback:
1. I’m not completely sure that the definition of “credential” is clear from the event type definition proposed. The definition is that “the event signals that the identifier specified in the subject (an email) was found to be compromised” but we’re calling it “Credential compromise”.
* Does “credential” in this context mean that the subject’s email account was compromised?
* Or was the combination of the subject identifier (email) and a given authentication factor (e.g. a password) found compromised at some point?
I’ve seen a couple of cases where “compromised credential” might be interpreted as “compromised account” and I’m not sure if we should be more clear to avoid that. In the same line, considering expanding the event to other subject types triggers similar questions (e.g. what would be the credential related to a session found to be compromised? If thinking about device-level authn certificates, shouldn’t the certificate be the subject compromised credential instead of the device?)
2. For the event to be actionable, I think it would be important to carry some meaning of timing.
* Does it make sense to include date of exposure? (e.g. when the subject’s record was published)
* Does it make sense to include date of identification of the exposure? (e.g. when the transmitter identified the subject’s record)
* Might make sense to incorporate something like “event_timestamp” as in CAEP events?
Let me know, guys, if I’m going too far into the logic of transmitters/receivers.
Regards,
Martin.
From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net> On Behalf Of Stan Bounev via Openid-specs-risc
Sent: Monday, May 3, 2021 8:55 PM
To: Atul Tulshibagwale <atultulshi at google.com>; Openid-specs-risc <openid-specs-risc at lists.openid.net>
Subject: [Openid-specs-risc] RISC spec, Credential Compromised event
Hi All,
We have a Credential Compromised PR added to the RISC spec. I’d like to ask you for feedback ahead of our meeting tomorrow. Here is the link - https://bitbucket.org/openid/risc/pull-requests/11
Thanks,
Stan
-----------------------------------------
Stan Bounev
VeriClouds | https://www.vericlouds.com
1455 NW Leary Way Ste. 400, Seattle, WA 98107
Direct: 650-353-7269 | stanb at vericlouds.com