[Openid-specs-risc] Call notes

Atul Tulshibagwale atultulshi at google.com
Tue Sep 14 17:32:48 UTC 2021 

Hi all,
Notes from today's call are here:
*TL;DR*: Suggest dropping the "sessions revoked" event from RISC in favor
of the one from CAEP, so that RISC is more about account management and
CAEP more about session management.

Call on Sep 14, 2021

Attendees:

   -

   Atul Tulshibagwale (Google)
   -

   Stan Bounev (VeriClouds)
   -

   Tom Sato (VeriClouds)
   -

   Martin Gallo (SecureAuth)


Agenda:

   -

   Pending requests for the SSE and CAEP specs post implementer’s drafts
   -

   Voting period for the RISC spec

Notes:

   -

   Propose a new draft that incorporates feedback so far, which could go
   through another review process.
   -

   Feedback from Google: The old RISC spec discovery URL should be added as
   a discovery URL to the SSE spec, so that existing implementations don’t
   change
   -

   Existing Google implementation is available at:
   https://developers.google.com/identity/protocols/risc
   -

   Create a pull request and discuss it in the next call
   -

   Feedback so far about the RISC spec: Difference between “session
   revoked” in RISC versus CAEP.
   -

   Proposal: drop “sessions revoked” event from RISC spec and use the one
   from the CAEP spec. Stan to review the differences between the RISC and the
   CAEP spec to see if it makes sense to keep it in RISC
   -

   Another feedback: In the “credential compromised” event, the “time”
   field is lacking.
   -

   CAEP should be more about sessions than accounts, and RISC should be
   more about accounts than sessions
   -

   Propose that the above changes should be made to the RISC draft in the
   master branch, and posted to the list as a pull-request. If no feedback is
   received for 1 week or more, we should ask the OpenID committee to start a
   new review process for the updated draft
   -

   Atul to update the draft
   -

   Which companies are working on CAEP / RISC services? Microsoft has made
   announcements and Google has a RISC service in production. SailPoint has
   produced the open source toolkit. SecureAuth status: prototyping SSE
   framework implementation and some selected CAEP/RISC events, thinking on
   moving those to preview at some point to get internal and external feedback.
   -

   Tom Sato (VeriClouds) will suggest some marketing activities to get more
   adoption for the specs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20210914/057e5c3e/attachment.html>

More information about the Openid-specs-risc mailing list