<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body dir="auto">
We need to be very careful if we’re going to include credentials or artifacts derived from credentials in events. A plain hash of the password is vulnerable to rainbow tables and cracking rigs. A hash of a PIN is especially vulnerable, given the reduced search space.<br>
<br>
<div dir="ltr">Sent from my iPad</div>
<div dir="ltr"><br>
<blockquote type="cite">On Dec 20, 2019, at 8:13 PM, Marius Scurtescu via Openid-specs-risc <openid-specs-risc@lists.openid.net> wrote:<br>
<br>
</blockquote>
</div>
<blockquote type="cite">
<div dir="ltr">
<div dir="ltr">A new RISC event type came up while looking at clearing house use cases, see meeting notes for December 10.
<div><br>
</div>
<div>   Event Type URI:<br>
   <a href="https://schemas.openid.net/secevent/risc/event-type/credential-compromised">https://schemas.openid.net/secevent/risc/event-type/credential-compromised</a><br>
<br>
   Credential Compromised signals that a given credential for the account identified</div>
<div>   by the subject was compromised. If the exact same credential is used by the same</div>
<div>   account then the Receiver should take action.<br>
<br>
   Attributes:</div>
<div>     - credential-type:</div>
<div>       - password</div>
<div>       - PIN</div>
<div>       - ...</div>
<div>     - credential-hash</div>
<div>     - hash-method:</div>
<div>       - SHA-256</div>
<div>       - ...<br>
<br>
   {<br>
     "iss": "<a href="https://idp.example.com/">https://idp.example.com/</a>",<br>
     "jti": "756E69717565206964656E746966696572",<br>
     "iat": 1508184845,<br>
     "aud": "636C69656E745F6964",<br>
     "events": {<br>
       "<a href="https://schemas.openid.net/secevent/risc/event-type/credential-compromised">https://schemas.openid.net/secevent/risc/event-type/credential-compromised</a>": {<br>
         "subject": {<br>
           "subject_type": "iss-sub",<br>
           "iss": "<a href="https://idp.example.com/">https://idp.example.com/</a>",<br>
           "sub": "7375626A656374"<br>
         },</div>
<div>         "credential-type": "password",</div>
<div>         "credential-hash": "41ef4bb0b23661e66301aac36066912dac037827b4ae63a7b1165a5aa93ed4eb",</div>
<div>         "hash-method": "SHA-256"<br>
       }<br>
     }<br>
   }<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Keep in mind that an event like this is useful not only for a clearing house use case but for all implicit and pseudo implicit use cases, see sections 3.3, 3.4 and 3.5:</div>
<div><a href="https://tools.ietf.org/html/draft-scurtescu-secevent-risc-use-cases">https://tools.ietf.org/html/draft-scurtescu-secevent-risc-use-cases</a><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<span>_______________________________________________</span><br>
<span>Openid-specs-risc mailing list</span><br>
<span>Openid-specs-risc@lists.openid.net</span><br>
<span>http://lists.openid.net/mailman/listinfo/openid-specs-risc</span><br>
</div>
</blockquote>
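<div dir="ltr">Added example, not code from the thread or from the RISC specification: a receiver-side Python sketch that parses the proposed credential-compromised event, declines to store or act on hashes of low-entropy credential types (the concern raised in the reply above), and compares a credential submitted at the subject's next login against the event's hash. The HASH_METHODS and LOW_ENTROPY_TYPES tables, the function names and the "hunter2" sample value are assumptions made for the example.</div>

```python
import hashlib
import hmac

# Event type URI from the proposal.
CREDENTIAL_COMPROMISED = "https://schemas.openid.net/secevent/risc/event-type/credential-compromised"
# Assumption: hash-method values this receiver is willing to process.
HASH_METHODS = {"SHA-256": hashlib.sha256}
# Assumption: credential types whose search space is so small that an unsalted
# hash is effectively the plaintext (the concern raised in the reply).
LOW_ENTROPY_TYPES = {"PIN"}


def credential_hash(credential: str, method: str = "SHA-256") -> str:
    """Unsalted hex digest as carried in the proposal's credential-hash field."""
    return HASH_METHODS[method](credential.encode("utf-8")).hexdigest()


def parse_credential_compromised(payload: dict) -> dict:
    """Extract the event from a decoded SET payload; ValueError if malformed."""
    for claim in ("iss", "jti", "iat", "aud", "events"):
        if claim not in payload:
            raise ValueError(f"SET missing required claim {claim!r}")
    event = payload["events"].get(CREDENTIAL_COMPROMISED)
    if event is None:
        raise ValueError("no credential-compromised event in SET")
    for attr in ("subject", "credential-type", "credential-hash", "hash-method"):
        if attr not in event:
            raise ValueError(f"event missing attribute {attr!r}")
    if event["hash-method"] not in HASH_METHODS:
        raise ValueError(f"unsupported hash-method {event['hash-method']!r}")
    return event


def accept_event(event: dict) -> bool:
    """Policy: a hash of a low-entropy credential is invertible, so do not keep it."""
    return event["credential-type"] not in LOW_ENTROPY_TYPES


def matches_submitted_credential(event: dict, submitted: str) -> bool:
    """At next login, while the plaintext is briefly in hand, compare it to the event."""
    digest = credential_hash(submitted, event["hash-method"])
    return hmac.compare_digest(digest, event["credential-hash"])


# Constructed sample SET payload; "hunter2" is a demo value, not from the thread.
SAMPLE_PAYLOAD = {
    "iss": "https://idp.example.com/", "jti": "756E69717565206964656E746966696572",
    "iat": 1508184845, "aud": "636C69656E745F6964",
    "events": {CREDENTIAL_COMPROMISED: {
        "subject": {"subject_type": "iss-sub", "iss": "https://idp.example.com/",
                    "sub": "7375626A656374"},
        "credential-type": "password", "hash-method": "SHA-256",
        "credential-hash": credential_hash("hunter2"),
    }},
}
```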
</body>
</html>