[Openid-specs-risc] Call notes
Tim Cappalli
Tim.Cappalli at microsoft.com
Wed Sep 22 00:30:16 UTC 2021
Sorry for missing the last call. Some comments/questions inline.
I would also add that there continues to be confusion about the spec names. I think we need to better align the CAEP and RISC spec names from a consistency standpoint.
I propose the following two tweaked names:
* OpenID Risk and Incident Sharing and Collaboration Profile Specification
* OpenID Continuous Access Evaluation Profile Specification
________________________________
From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net> on behalf of Atul Tulshibagwale via Openid-specs-risc <openid-specs-risc at lists.openid.net>
Sent: Tuesday, September 14, 2021 13:32
To: Openid-specs-risc <openid-specs-risc at lists.openid.net>
Subject: [Openid-specs-risc] Call notes
Hi all,
Notes from today's call are here:
TL;DR: Suggest dropping the "sessions revoked" event from RISC in favor of the one from CAEP, so that RISC is more about account management and CAEP more about session management.
Call on Sep 14, 2021
Attendees:
* Atul Tulshibagwale (Google)
* Stan Bounev (VeriClouds)
* Tom Sato (VeriClouds)
* Martin Gallo (SecureAuth)
Agenda:
* Pending requests for the SSE and CAEP specs post implementer’s drafts
* Voting period for the RISC spec
Notes:
* Propose a new draft that incorporates feedback so far, which could go through another review process.
* Feedback from Google: The old RISC spec discovery URL should be added as a discovery URL to the SSE spec, so that existing implementations don’t change
* Existing Google implementation is available at: https://developers.google.com/identity/protocols/risc
* Create a pull request and discuss it in the next call
* Feedback so far about the RISC spec: Difference between “session revoked” in RISC versus CAEP.
* Proposal: drop “sessions revoked” event from RISC spec and use the one from the CAEP spec. Stan to review the differences between the RISC and the CAEP spec to see if it makes sense to keep it in RISC [tim] I agree. I often get this question and struggle to answer it.
* Another feedback: In the “credential compromised” event, the “time” field is lacking. [tim] Is this essentially saying that this specific event needs some form of timestamp? The RISC events do not have a 'common' event_timestamp like the CAEP events.
* CAEP should be more about sessions than accounts, and RISC should be more about accounts than sessions
* Propose that the above changes should be made to the RISC draft in the master branch, and posted to the list as a pull-request. If no feedback is received for 1 week or more, we should ask the OpenID committee to start a new review process for the updated draft
* Atul to update the draft
* Which companies are working on CAEP / RISC services? Microsoft has made announcements and Google has a RISC service in production. SailPoint has produced the open source toolkit. SecureAuth status: prototyping SSE framework implementation and some selected CAEP/RISC events, thinking on moving those to preview at some point to get internal and external feedback.
* Tom Sato (VeriClouds) will suggest some marketing activities to get more adoption for the specs
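The two points raised above (the overlap between the RISC "sessions revoked" event and the CAEP "session-revoked" event, and RISC events lacking a common `event_timestamp`) are easiest to see from a receiver's side. The following is an added example, not code from the thread or from any of the mentioned implementations: it audits constructed SET claim sets, tells the CAEP and RISC event families apart by their type-URI namespace, flags events that carry no per-event timestamp, and shows that both "session revoked" events map to the same session-management action. The event type URIs and the `event_timestamp`/`credential_type` claim names are taken from the CAEP and RISC drafts as I recall them; the `sub_id` subject structure, the issuer/audience values and the timestamps are assumptions constructed for the example.

```python
import json

# Event-type namespaces used by the CAEP and RISC profiles.
CAEP_NS = "https://schemas.openid.net/secevent/caep/event-type/"
RISC_NS = "https://schemas.openid.net/secevent/risc/event-type/"

# Event types whose receiver action is "terminate the subject's sessions",
# regardless of which profile defines them (the overlap discussed on the call).
SESSION_REVOCATION_TYPES = {
    CAEP_NS + "session-revoked",
    RISC_NS + "sessions-revoked",
}

# Constructed sample SET claim sets (the JWT payload only; signature
# verification is out of scope here). The subject representation is assumed.
CAEP_SESSION_REVOKED = {
    "iss": "https://transmitter.example.com",
    "jti": "constructed-jti-0001",
    "iat": 1631622000,
    "aud": "https://receiver.example.com",
    "sub_id": {"format": "email", "email": "user@example.com"},
    "events": {
        CAEP_NS + "session-revoked": {
            # CAEP events carry a common per-event timestamp (seconds since epoch).
            "event_timestamp": 1631621990,
            "reason_admin": "Policy violation",
        }
    },
}

RISC_CREDENTIAL_COMPROMISE = {
    "iss": "https://transmitter.example.com",
    "jti": "constructed-jti-0002",
    "iat": 1631622060,
    "aud": "https://receiver.example.com",
    "sub_id": {"format": "email", "email": "user@example.com"},
    "events": {
        RISC_NS + "credential-compromise": {
            # No event_timestamp: the receiver can only fall back to the SET's iat.
            "credential_type": "password",
        }
    },
}


def event_family(event_type: str) -> str:
    """Classify an event type URI as 'caep', 'risc' or 'unknown' by namespace."""
    if event_type.startswith(CAEP_NS):
        return "caep"
    if event_type.startswith(RISC_NS):
        return "risc"
    return "unknown"


def is_session_revocation(event_type: str) -> bool:
    """True for either profile's session-revocation event."""
    return event_type in SESSION_REVOCATION_TYPES


def audit_set(payload: dict) -> list:
    """Return one finding per event in a SET claim set.

    Each finding records the event family, whether the event has its own
    event_timestamp, and the effective time the receiver should act on
    (event_timestamp if present, otherwise the SET's iat as a fallback).
    """
    findings = []
    for event_type, claims in payload.get("events", {}).items():
        has_ts = isinstance(claims, dict) and "event_timestamp" in claims
        effective = claims["event_timestamp"] if has_ts else payload.get("iat")
        findings.append({
            "event_type": event_type,
            "family": event_family(event_type),
            "session_revocation": is_session_revocation(event_type),
            "has_event_timestamp": has_ts,
            "effective_time": effective,
        })
    return findings


if __name__ == "__main__":
    for sample in (CAEP_SESSION_REVOKED, RISC_CREDENTIAL_COMPROMISE):
        print(json.dumps(audit_set(sample), indent=2))
```

A receiver that keys its actions on `is_session_revocation` behaves the same whichever profile the transmitter chose, which is the practical argument for keeping only one of the two events; the `has_event_timestamp` flag is the check a receiver would want before using an event's time for ordering or replay decisions, since falling back to `iat` only tells you when the SET was minted, not when the compromise happened.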