<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Marius, thanks for sending. Such an event can unlock a lot of additional value from this WG. I agree with Annabelle’s points. I suggest we collect feedback from the rest of the group and then address all of it at the same time.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Stan<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Openid-specs-risc <openid-specs-risc-bounces@lists.openid.net> on behalf of "Richard Backman, Annabelle via Openid-specs-risc" <openid-specs-risc@lists.openid.net><br>
<b>Reply-To: </b>"Richard Backman, Annabelle" <richanna@amazon.com><br>
<b>Date: </b>Saturday, December 21, 2019 at 10:37 PM<br>
<b>To: </b>Marius Scurtescu <marius.scurtescu@coinbase.com><br>
<b>Cc: </b>"openid-specs-risc@lists.openid.net" <openid-specs-risc@lists.openid.net><br>
<b>Subject: </b>Re: [Openid-specs-risc] event proposal: credential-compromised<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">We need to be very careful if we’re going to include credentials or artifacts derived from credentials in events. A plain hash of the password is vulnerable to rainbow tables and cracking rigs. A hash of a PIN
is especially vulnerable, given the reduced search space.<o:p></o:p></p>
<div>
<p class="MsoNormal">Sent from my iPad<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">On Dec 20, 2019, at 8:13 PM, Marius Scurtescu via Openid-specs-risc <openid-specs-risc@lists.openid.net> wrote:<o:p></o:p></p>
</blockquote>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">A new RISC event type came up while looking at clearing house use cases, see meeting notes for December 10.
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Event Type URI:<br>
<a href="https://schemas.openid.net/secevent/risc/event-type/credential-compromised">https://schemas.openid.net/secevent/risc/event-type/credential-compromised</a><br>
<br>
Credential Compromised signals that a given credential for the account identified by the subject was compromised. If the exact same credential is used by the same account then the Receiver should take action.<br>
<br>
Attributes:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">- credential-type:<br>
&nbsp;&nbsp;&nbsp;&nbsp;- password<br>
&nbsp;&nbsp;&nbsp;&nbsp;- PIN<br>
&nbsp;&nbsp;&nbsp;&nbsp;- ...<br>
- credential-hash<br>
- hash-method:<br>
&nbsp;&nbsp;&nbsp;&nbsp;- SHA-256<br>
&nbsp;&nbsp;&nbsp;&nbsp;- ...<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">{<br>
&nbsp;&nbsp;"iss": "<a href="https://idp.example.com/">https://idp.example.com/</a>",<br>
&nbsp;&nbsp;"jti": "756E69717565206964656E746966696572",<br>
&nbsp;&nbsp;"iat": 1508184845,<br>
&nbsp;&nbsp;"aud": "636C69656E745F6964",<br>
&nbsp;&nbsp;"events": {<br>
&nbsp;&nbsp;&nbsp;&nbsp;"<a href="https://schemas.openid.net/secevent/risc/event-type/credential-compromised">https://schemas.openid.net/secevent/risc/event-type/credential-compromised</a>": {<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"subject": {<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"subject_type": "iss-sub",<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"iss": "<a href="https://idp.example.com/">https://idp.example.com/</a>",<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"sub": "7375626A656374"<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;},<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"credential-type": "password",<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"credential-hash": "41ef4bb0b23661e66301aac36066912dac037827b4ae63a7b1165a5aa93ed4eb",<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"hash-method": "SHA-256"<br>
&nbsp;&nbsp;&nbsp;&nbsp;}<br>
&nbsp;&nbsp;}<br>
}<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Keep in mind that an event like this is useful not only for a clearing house use case but for all implicit and pseudo implicit use cases, see sections 3.3, 3.4 and 3.5:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="https://tools.ietf.org/html/draft-scurtescu-secevent-risc-use-cases">https://tools.ietf.org/html/draft-scurtescu-secevent-risc-use-cases</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</blockquote>
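<p class="MsoNormal">As an added example, not code from the thread or from the RISC specs, the event shape proposed above together with the Receiver-side check it implies: a Receiver cannot compare an unsalted SHA-256 against its own salted password store, so it checks the credential the subject presents at the next login. The function names, the sample payload and all its values are constructed for this example.<o:p></o:p></p>

```python
import hashlib
import hmac

EVENT_TYPE = "https://schemas.openid.net/secevent/risc/event-type/credential-compromised"
SUPPORTED_HASH_METHODS = {"SHA-256": hashlib.sha256}

def parse_credential_compromised(set_payload):
    """Return the credential-compromised event of a decoded SET payload as a dict,
    None if the SET has no such event; ValueError for an unsupported hash-method."""
    event = set_payload.get("events", {}).get(EVENT_TYPE)
    if event is None:
        return None
    subject = event.get("subject", {})
    if subject.get("subject_type") != "iss-sub" or not subject.get("sub"):
        raise ValueError("only iss-sub subjects are handled in this example")
    method = event.get("hash-method")
    if method not in SUPPORTED_HASH_METHODS:
        raise ValueError(f"unsupported hash-method: {method!r}")
    return {
        "subject": (subject.get("iss"), subject["sub"]),
        "credential_type": event.get("credential-type"),
        "credential_hash": event["credential-hash"].lower(),
        "hash_method": method,
    }

def credential_matches(parsed_event, presented_credential):
    """Receiver-side check at the subject's next login: hash the credential just
    presented with the event's hash-method and compare it in constant time with
    the reported hash; a match means the same credential is still in use."""
    digest_fn = SUPPORTED_HASH_METHODS[parsed_event["hash_method"]]
    presented = digest_fn(presented_credential.encode("utf-8")).hexdigest()
    return hmac.compare_digest(presented, parsed_event["credential_hash"])

# Constructed sample SET payload (all values made up for this example). Its
# credential-hash is a plain, unsalted SHA-256 of the string below, the artifact
# the reply warns is cheap to reverse for a PIN, so handle it like a credential.
SAMPLE_COMPROMISED = "correct-horse-battery-staple"
SAMPLE_SET = {
    "iss": "https://idp.example.com/",
    "jti": "constructed-jti-0001",
    "iat": 1508184845,
    "aud": "constructed-client-id",
    "events": {EVENT_TYPE: {
        "subject": {"subject_type": "iss-sub", "iss": "https://idp.example.com/", "sub": "user-42"},
        "credential-type": "password",
        "credential-hash": hashlib.sha256(SAMPLE_COMPROMISED.encode()).hexdigest(),
        "hash-method": "SHA-256",
    }},
}
```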
</div>
</body>
</html>