[Openid-specs-risc] Notes from call
Atul Tulshibagwale
atultulshi at google.com
Tue May 18 18:06:50 UTC 2021
Hi all,
Here are the notes from the call today (also in the file here
<https://docs.google.com/document/d/1ZFwJJDwwSBNKX35VObClC1ctMbMMuHJtr5qY-7xsLW8/edit?usp=sharing>)
Call on 5/18/2021
Attendees:
- Atul Tulshibagwale (Google)
- Matt Domsch (SailPoint)
- Tim Cappalli (Microsoft)
- Martin Gallo (SecureAuth)
- Stan Bounev (VeriClouds)
Agenda:
- Credentials-compromised event
- Tim’s PR RE: reason_user/admin
- Open PR review
Notes:
- Is there already an IANA registry for credential types? Check WebAuthn / FIDO2
- Is this too much detail for the “credentials compromised” event?
- We also need a credential identifier in the event
- We should have a “credential” property in the event that is of type Subject Identifier, in addition to a “subject” property which is the principal associated with the event
- We could potentially use “credential type” from the CAEP spec to specify the credential type here.
- Should session token be addressed in the same event?
- It’s a credential used by code rather than a principal
- How a token compromise is handled is very different from how a password compromise is handled. The issuer / receiver for token compromise may also be different
- Session revoked may cover the token compromise case
- We should have a credential type registry
- We could decouple the review of the SSE Framework and CAEP specs from the RISC spec
- Should the values of credential_type in the CAEP spec be strings? Yes, but they should be well defined
- Should the values be registered in a registry?
- We could mimic what the JWT spec does in terms of claim names
- Tim’s PR: Did anyone review? Matt did
- JSON Objects to support localization of reason strings seems good for all participants on the call
- Are there more fields where this is needed? Should we have some standardization of this format? For now we should keep it in the CAEP spec where it is needed
- We should assume we are going to have a call next week unless we find out that we can break out the review process.
Atul Tulshibagwale
Software Engineer,
Google Workspace
atultulshi at google.com