[Openid-specs-risc] Call notes
Atul Tulshibagwale
atultulshi at gmail.com
Tue Mar 15 18:14:10 UTC 2022
Hi all,
Here are the notes of the out-of-turn WG meeting that focused on exploring
whether it makes sense for the SSE Framework to be used in cybersecurity
applications. The notes are also stored here
<https://github.com/openid/sse/wiki/WG_Meeting-2022-03-15>.
Out-of-turn meeting for Cybersecurity applications
Attendees
- Atul Tulshibagwale (SGNL)
- Stefan Duernberger (Cisco)
- Jason Garbis (Appgate)
- Tim Cappalli (Microsoft)
- Nancy Cam Winget (Cisco)
- Martin Gallo (SecureAuth)
- Tom Sato (VeriClouds)
- Lee Tschetter (Okta)
- Gail Hodges (OpenID Foundation)
Agenda
- Review the "Sharing Cybersecurity Signals" doc
<https://docs.google.com/document/d/1tmMqiXNB-lW9HXIzrivOvaFSts23zAzKLWPcSD740kE/edit?usp=sharing>
Notes
- Wasn't SSE always meant to be for Cybersecurity? What is specifically
being proposed here? Is it an effort to broaden the scope of SSE? Is this a
means of sharing intelligence? Perhaps before getting into the details, we
should discuss the goals. There are a lot of efforts in terms of trying to
share data, so how is this different?
- There could be more applications of the SSE Framework than offered
by CAEP and RISC, so there could be other types of "profiles"
- Some text in the doc highlights that there is the SSE Framework,
which could be used in different ways
- Cybersecurity is a very broad area
- We are trying to bridge existing efforts in the IETF
- Alternative take: Can SSE do this? Yes. But should we? For example,
Subject Identifiers are in the core SSE spec, and we end up "blowing up"
the core spec
- It could be much much deeper than just adding a profile
- Since we are still struggling to get adoption, we should not
distract from that
- A value that SSE provides is that it is a standard for sharing
signals, but specific to account, identity and session information
- The specific identity-centric use cases of SSE are appealing to some
companies (such as SecureAuth)
- If we broaden the scope too much, we might lose the value that SSE
brings to tackling the specific identity / account / session problems.
- We should make sure we do not put too broad requirements on the SSE
Framework in order to support new applications such as cybersecurity
- We should add a section that gives reasons why we should not do this
- If we can arrive at a structural role that is not fulfilled today,
only then should we proceed
- We should address the question: "Why is SSE special?" and only then
move forward
- The biggest contribution that the SSE WG can do is bring the RISC
draft into the OpenID foundation
- We should try to arrive at a matrix that differentiates SSE and
existing efforts (e.g. TAXII)