<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:monospace;
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:Calibri;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">I’m not super keen on having second layer of information about an event as it adds complexity, and this seems like the only place we want to do it. (I do think you proposed one other place)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri">An alternative way of providing the additional information is to append chars to the string. For example<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><a href="http://schemas.openid.net/risc/event-type/account_disabled">http://schemas.openid.net/risc/event-type/account_disabled</a><o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:Calibri"><a href="http://schemas.openid.net/risc/event-type/account_disabled">http://schemas.openid.net/risc/event-type/account_disabled</a>_bot<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:Calibri"><a href="http://schemas.openid.net/risc/event-type/account_disabled">http://schemas.openid.net/risc/event-type/account_disabled</a>_hijacking<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:Calibri"><a href="http://schemas.openid.net/risc/event-type/account_enabled">http://schemas.openid.net/risc/event-type/account_enabled</a><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:Calibri">This lets developers that only care about
<a href="http://schemas.openid.net/risc/event-type/account_disabled">http://schemas.openid.net/risc/event-type/account_disabled</a> to look at events that start with that, rather than it being a JSON object.<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:Calibri">/Dick<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="margin-left:.5in">On 5/17/17, 5:23 PM, someone claiming to be "Openid-specs-risc on behalf of Marius Scurtescu" <<a href="mailto:openid-specs-risc-bounces@lists.openid.net">openid-specs-risc-bounces@lists.openid.net</a> on behalf
of <a href="mailto:mscurtescu@google.com">mscurtescu@google.com</a>> wrote:<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">At the face-to-face a couple of weeks ago and also on Monday during our call we talked about RISC events that reflect an account state change between disabled and enabled. For example, account hijacked / recovered,
account deleted / undeleted, etc. <o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">On one hand there are privacy concerns, and for example if a user violated ToS with a provider then that fact should not be disclosed (I think we have agreement here).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">On the other had at least with some of the event we do want to be very specific so abuse systems get a quality signal.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">So far the agreement was that hijacking and accounts created by bots need a distinct signal, everything else can use a generic one.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">I am proposing the following format:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">1. All of these events will use these two event type URIs:<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in"><a href="http://schemas.openid.net/risc/event-type/account_disabled">http://schemas.openid.net/risc/event-type/account_disabled</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><a href="http://schemas.openid.net/risc/event-type/account_enabled">http://schemas.openid.net/risc/event-type/account_enabled</a><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">2. For hijacking and bot created the transmitter should add a nested attribute called "reason" with values like "hijacking" and "bot"<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">An example:<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"monospace","serif"">{</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"monospace","serif""> "iss": "<a href="https://server.example.com">https://server.example.com</a>",</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"monospace","serif""> "sub": "248289761001",</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"monospace","serif""> "aud": "s6BhdRkqt3",</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"monospace","serif""> "iat": 1471566154,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"monospace","serif""> "jti": "bWJq",</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"monospace","serif""> "events": {</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"monospace","serif""> "<a href="http://schemas.openid.net/risc/event-type/account_disabled">http://schemas.openid.net/risc/event-type/account_disabled</a>": </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"monospace","serif""> {</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"monospace","serif""> "reason": "hijacking",</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"monospace","serif""> }</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"monospace","serif""> }</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-family:"monospace","serif"">}</span><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">We can define more values for "reason" and transmitter could chose to provide them. The more distinct events are provided the easier it is to identify the ToS cases through elimination, so there should be a good
reason to be specific (if ToS privacy is a concern).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">Sounds good? Thoughts?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in">There are other ways to capture these requirements (distinct URIs for hijacking and bot or multiple URIs), but this is the most concise and the safest for developers who are only interested in account state (so
they don't have to deal with event URIs they don't fully understand or care about).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-left:.5in">Marius<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>