[Openid-specs-risc] Notes from today's call

Atul Tulshibagwale atultulshi at google.com
Tue May 11 18:01:54 UTC 2021


Hi all,
Here are the notes from today's call:
Call on 5/11/2021

Attendees:

   - Atul Tulshibagwale (Google)
   - Stan Bounev (VeriClouds)
   - Matt Domsch (SailPoint)
   - Jeff Broberg (SecureAuth)
   - Martin Gallo (SecureAuth)
   - Brian Campbell (Ping Identity)


Agenda:

   1. Matt’s PR on fixing the opaque subject identifier "id" member in the CAEP spec
   2. Compromised Credentials event type


Notes:

   - Why should the subject identifier in a credential compromise event be
     restricted to email? It could potentially be any subject identifier (e.g.
     Microsoft seems to use UUIDs for user identifiers).
   - What does the “credential compromise” event mean? Does it refer to the
     account, or to a combination of the account and password, etc.?
   - It could be that a password for a specific email address is compromised,
     but that may not be the password used at, say, Gmail for logging in with
     the email address.
   - Should the “iss” be used to identify the provider whose credential has
     been compromised? But the issuer claim may not always be present if the
     subject identifier type is different.
   - Can we use the “credential change required” event for the same effect?
     There are a few differences.
   - What is the difference between the RISC “credential change required” and
     the CAEP “credential change” event? The RISC event is when the change is
     required, but not necessarily executed. The CAEP event is when it is
     executed.
   - Two open questions:
     1. How do you identify the account / provider of the subject principal
        where the credential compromise has taken place?
     2. How do you identify the type of credential associated with the
        subject principal that has been compromised?
   - Stan to send an email describing how these two can be addressed.
   - A “Credential compromise” event is really only about the credentials
     compromised, not necessarily an account compromise.
   - Q: Should we meet every two weeks now? Atul to ask the question on email.
   - Q: Should we break out the review process for SSE+CAEP in one schedule
     and for RISC in another schedule? Atul to ask the question on email.

Atul Tulshibagwale

Software Engineer,

Google Workspace

atultulshi at google.com