[Openid-specs-risc] Update on new drafts, and call notes

Michael Jones michael_b_jones at hotmail.com
Tue Jun 18 18:44:14 UTC 2024


The versions without draft numbers, such as https://openid.net/specs/openid-sharedsignals-framework-1_0.html, still need to be published.

Please do not start the review until the published drafts are self-consistent.

-- Mike


________________________________
From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net> on behalf of Atul Tulshibagwale via Openid-specs-risc <openid-specs-risc at lists.openid.net>
Sent: Tuesday, June 18, 2024 11:25:43 AM
To: OpenID RISC List <openid-specs-risc at lists.openid.net>
Subject: [Openid-specs-risc] Update on new drafts, and call notes

Hi all,
FYI, I have sent the new drafts to the OIDF secretary for starting the review period on three specs:

  *   Shared Signals Framework Draft 03<https://openid.net/specs/openid-sharedsignals-framework-1_0-03.html>
  *   CAEP Draft 04<https://openid.net/specs/openid-caep-1_0-04.html>
  *   CAEP Interoperability Profile Draft 01<https://openid.net/specs/openid-caep-interoperability-profile-1_0-01.html>

We will be changing the call frequency back to biweekly, and the next call will be on July 2nd. I will ask Mike Leczcz to send out new invites to reflect this schedule.

The notes from today's call are below. They are also stored here<https://hackmd.io/@oidf-wg-sse/wg-meeting-20240618>.

Atul

--

Atul Tulshibagwale
CTO
<https://www.linkedin.com/in/tulshi/> <mailto:atul at sgnl.ai> <https://x.com/zirotrust>

---

WG Meeting: 2024-06-18

Agenda
  *   Risk score in Session Presented event
  *   Call schedule
  *   Blog draft feedback

Attendees
  *   Sean O'Dell (Disney)
  *   Shayne Miel (Cisco)
  *   Atul Tulshibagwale (SGNL)
  *   Nick Wooler (Cisco Webex)

Notes

Risk Score
  *   (Sean) A risk indicator could be added to more events
      *   It's a behavioral indicator, which could apply to a lot of things
      *   This can map to something Shayne talked about, which is a "risk score changed" event
      *   You could give the reason within the "Session Presented" event, but not the score itself
  *   (Atul) I'm a bit concerned about a "confidence score" in general transmitter events
  *   (Sean) It's not a confidence score
  *   (Shayne) What is the value of putting it in the session presented event?
  *   (Atul) Risk score is always associated with the session presence
  *   (Shayne) That's not true: a risk score could change due to other activity, e.g. 3 other people got hacked, so this one could also be hacked
  *   (Shayne) You could send two events, "session presented" and "risk score changed", and tie them with the same txn value
  *   (Sean) Thinking it through from a race condition: if the ITDR system is doing its job, then you should not see a "session presented" event; you should just be OK with a "risk score changed" event
  *   (Atul) There are two independent vectors here: unusual activity within an app, and unusual activity across different apps, where each individual app doesn't see anything unusual
  *   (Sean) Now I think the risk score is needed in both places, "session presented" and "risk score changed"
  *   (Atul) We could revisit whether to put one event in one SET, and add both those events in one SET
  *   (Nick) Are there standard risk indicator levels, like SAML?
  *   (Atul) I had proposed 4 levels in the PR
  *   (Sean) The "session presented" event has an interesting consequence: if I have a Fidelity account linked to a Schwab account, and the Fidelity service calls the Schwab service on behalf of a user, without user presence.
  *   (Atul) That could be a separate event, because that represents a token compromise rather than the user doing something unusual
  *   (Shayne)

Biweekly schedule?
  *   (Atul) Should we meet biweekly going forward?
  *   (Shayne and Sean) Agree

Blog draft feedback
  *   (Shayne) Should we update the draft? It's an important part of the security review
  *   (Atul) OK by me
  *   (Shayne) What is the proposed new language?
  *   (Sean) The last line in the 3rd paragraph of Section 7 does say that right now
  *   (Atul) 9110 covers bearer authentication in Section 11. The last sentence begins with "This authorization must …", which references that, therefore we are OK.

Action Items
  *   Atul to fix the blog post action and send to Elizabeth
  *   Atul to ask Mike to change the cadence of the meeting to biweekly, so the next meeting will be on July 2nd.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20240618/ec28d8d6/attachment.html>
