<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">I’d suggest we make an attempt to go through the list Adam presented to the F2F.<div class=""><br class=""></div><div class="">It is useful to examine the overlap with backchannel logout and SCIM as well.</div><div class=""><br class=""></div><div class="">There is a tight relationship between “security” (which RISC seems to represent), “provisioning” (SCIM), and access/session management (OIDC and OAuth).</div><div class=""><br class=""></div><div class="">For example, some of the events you propose overlap with Backchannel logout and session mgmt.</div><div class=""><br class=""></div><div class="">IMO Logout / Session / Token revoke events should not require consent to share. One could argue they MUST be shared to protect user privacy, since the user expectation with logout is that PII is cleaned up and sessions/tokens are always cancelled. In a sense some of this is because browser cookie cleanup is so unreliable.</div><div class=""><br class=""></div><div class="">The mandatory disclosure of these events seems different than the higher-level account theft protections that RISC talks about, where consent seems more important as it may be surprising.</div><div class=""><br class=""></div><div class=""><div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" 
class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><span class="Apple-style-span" style="border-collapse: separate; line-height: normal; border-spacing: 0px;"><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div class=""><div class=""><div class="">Phil</div><div class=""><br class=""></div><div class="">Oracle Corporation, Identity Cloud Services Architect & Standards</div><div class="">@independentid</div><div class=""><a href="http://www.independentid.com" class="">www.independentid.com</a></div></div></div></div></span><a href="mailto:phil.hunt@oracle.com" class="" style="orphans: 2; widows: 2;">phil.hunt@oracle.com</a></div><div class=""><br class=""></div></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline"><br class="Apple-interchange-newline">
</div>
<br class=""><div><blockquote type="cite" class=""><div class="">On Apr 11, 2017, at 11:26 AM, Marius Scurtescu <<a href="mailto:mscurtescu@google.com" class="">mscurtescu@google.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="gmail_extra"><div class="gmail_quote">On Tue, Apr 11, 2017 at 11:14 AM, Phil Hunt <span dir="ltr" class=""><<a href="mailto:phil.hunt@oracle.com" target="_blank" class="cremed">phil.hunt@oracle.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class=""><div class=""><br class=""></div><div class="">This seems to be a subset of the larger list that Adam has presented during the last few F2F meetings.</div><div class=""><br class=""></div><div class="">Are we talking about a set of MTI events? Or just the first events to focus in on.</div></div></blockquote><div class=""><br class=""></div><div class="">First events to focus on. 
I don't think we can mandate any events; to me it is always up to the issuer.</div><div class=""> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class=""><div class=""><br class=""></div><div class="">I think it would be worthwhile writing down definitions for all of them so we can understand the differences between events.</div><div class=""><br class=""></div><div class="">Phil</div><div class=""><div class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; 
word-wrap: break-word;" class=""><div class=""><span class="m_2539120173074416954Apple-style-span" style="border-collapse:separate;line-height:normal;border-spacing:0px"><div style="word-wrap:break-word" class=""><div class=""><div class=""><div class=""><br class=""></div><div class="">Oracle Corporation, Identity Cloud Services Architect & Standards</div><div class="">@independentid</div><div class=""><a href="http://www.independentid.com" target="_blank" class="cremed">www.independentid.com</a></div></div></div></div></span><a href="mailto:phil.hunt@oracle.com" target="_blank" class="cremed">phil.hunt@oracle.com</a></div><div class=""><br class=""></div></div><br class="m_2539120173074416954Apple-interchange-newline"></div><br class="m_2539120173074416954Apple-interchange-newline"></div><br class="m_2539120173074416954Apple-interchange-newline"></div><br class="m_2539120173074416954Apple-interchange-newline"></div><br class="m_2539120173074416954Apple-interchange-newline"></div><br class="m_2539120173074416954Apple-interchange-newline"></div><br class="m_2539120173074416954Apple-interchange-newline"></div><br class="m_2539120173074416954Apple-interchange-newline"></div><br class="m_2539120173074416954Apple-interchange-newline"><br class="m_2539120173074416954Apple-interchange-newline">
</div>
<br class=""><div class=""><blockquote type="cite" class=""><div class=""><div class="h5"><div class="">On Apr 11, 2017, at 11:02 AM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" class="cremed">Michael.Jones@microsoft.com</a>> wrote:</div><br class="m_2539120173074416954Apple-interchange-newline"></div></div><div class=""><div class=""><div class="h5"><div class="m_2539120173074416954WordSection1" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif" class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,32,96)" class="">This is useful, Marius. What are the arguments for each of these events?<u class=""></u><u class=""></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif" class=""><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,32,96)" class=""><u class=""></u> <u class=""></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif" class=""><b class=""><span style="font-size:11pt;font-family:Calibri,sans-serif" class="">From:</span></b><span style="font-size:11pt;font-family:Calibri,sans-serif" class=""><span class="m_2539120173074416954Apple-converted-space"> </span>Openid-specs-risc [<a href="mailto:openid-specs-risc-bounces@lists.openid.net" style="color:rgb(149,79,114);text-decoration:underline" target="_blank" class="cremed">mailto:openid-specs-risc-<wbr class="">bounces@lists.openid.net</a>]<span class="m_2539120173074416954Apple-converted-space"> </span><b class="">On Behalf Of<span class="m_2539120173074416954Apple-converted-space"> </span></b>Marius Scurtescu<br class=""><b class="">Sent:</b><span 
class="m_2539120173074416954Apple-converted-space"> </span>Tuesday, April 11, 2017 10:50 AM<br class=""><b class="">To:</b><span class="m_2539120173074416954Apple-converted-space"> </span><a href="mailto:openid-specs-risc@lists.openid.net" style="color:rgb(149,79,114);text-decoration:underline" target="_blank" class="cremed">openid-specs-risc@lists.openid.net</a><br class=""><b class="">Subject:</b><span class="m_2539120173074416954Apple-converted-space"> </span>[Openid-specs-risc] RISC events supported by Google<u class=""></u><u class=""></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif" class=""><u class=""></u> <u class=""></u></div><div class=""><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif" class="">Right now Google supports the following events:<br class="">- sessions-revoked - it states that Google closed all existing sessions for the given subject<br class="">- tokens-revoked - it states that Google revoked all tokens for the given user and recipient (client); no individual token strings are provided; applies only to tokens explicitly revoked by the user<br class=""><br class="">In the near future Google is planning to support:<br class="">- account-deleted - the account was deleted; an RP should find an alternative way to authenticate the user while they still have an active session (if Google was the only IdP and there is no other recovery email, then the account is practically lost)<br class="">- account-locked - account locked because of the possibility of hijacking<br class="">- account-recovered - user recovered a previously locked account<br class="">- account-reverification-requested - account not locked, but all sessions closed and the user will be asked to change password on next login<br class=""><br class="">Potentially in the mid future:<br class="">- account-identifier-changed - email address changes<br class="">- other token revocation events (revoked by 
client through API, revoked by Google for various reasons)<br class="">- log out events<br class=""><br class="">Thoughts?<u class=""></u><u class=""></u></div><div class=""><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif" class=""><u class=""></u> <u class=""></u></div></div><div class=""><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif" class="">Which of these events do you think you would use and how?<u class=""></u><u class=""></u></div></div><div class=""><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif" class=""><u class=""></u> <u class=""></u></div></div><div class=""><div style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif" class="">What other events would you like to receive from Google (and RISC in general)?<br class=""><br class="">Thanks,<br class="">Marius<u class=""></u><u class=""></u></div></div></div></div></div></div><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important" class="">______________________________<wbr class="">_________________</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" class=""><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important" class="">Openid-specs-risc mailing list</span><br 
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" class=""><a href="mailto:Openid-specs-risc@lists.openid.net" style="color:rgb(149,79,114);text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" class="cremed">Openid-specs-risc@lists.openid.net</a><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" class=""><a href="http://lists.openid.net/mailman/listinfo/openid-specs-risc" style="color:rgb(149,79,114);text-decoration:underline;font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target="_blank" class="cremed">http://lists.openid.net/mailman/listinfo/openid-specs-risc</a><span 
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important" class=""><span class="m_2539120173074416954Apple-converted-space"> </span></span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px" class=""></div></blockquote></div><br class=""></div></div></blockquote></div><br class=""></div></div>
</div></blockquote></div><br class=""></div></body></html>