<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:-webkit-standard;
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:23134835;
mso-list-template-ids:1392790882;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:924606071;
mso-list-template-ids:-1938123536;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2
{mso-list-id:950287587;
mso-list-template-ids:616185836;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3
{mso-list-id:1778016856;
mso-list-template-ids:888546800;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hello everyone,<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I want to share with you the background information we had so far about this event. See attached a high-level use case. Below I’ve added some points Annabelle raised below in the past, plus a sample event
code Marius suggested.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt">Feedback from Annabelle:<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:27.0pt;text-indent:-.25in;mso-list:l2 level1 lfo4;vertical-align:middle">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:black">A hash of a partial password is not really useful on its own. There are ways to make it useful, but a lot of them are likely to decrease overall security of the recipient system in non-obvious ways. The
safer ways to use this information aren’t obvious and are harder to implement. We need to be careful that we do not inadvertently promote anti-patterns. I’m not saying we that can’t define this event, we have to be careful about it, and make sure we provide
the right guidance.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:27.0pt;text-indent:-.25in;mso-list:l2 level1 lfo4;vertical-align:middle">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol;color:black"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:black">Are you thinking at all about “batch” cases, e.g., a big password file gets dumped on pastebin?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:27.0pt;text-indent:-.25in;mso-list:l3 level1 lfo5;vertical-align:middle">
<![if !supportLists]><span style="font-size:10.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>We need to be very careful if we’re going to include credentials or artifacts derived from credentials in events. A plain hash of the password is vulnerable to rainbow tables and cracking rigs. A hash of a PIN is especially vulnerable,
given the reduced search space.<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> <o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> <o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> <o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-family:"-webkit-standard",serif;color:black">On Dec 20, 2019, at 8:13 PM, Marius Scurtescu via Openid-specs-risc <</span><span style="font-family:"-webkit-standard",serif"><a href="mailto:openid-specs-risc@lists.openid.net">openid-specs-risc@lists.openid.net</a><span style="color:black">>
wrote:</span><o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt"> <o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt">A new RISC event type came up while looking at clearing house use cases, see meeting notes for December 10.<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> Event Type URI:<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> <a href="https://schemas.openid.net/secevent/risc/event-type/credential-compromised">https://schemas.openid.net/secevent/risc/event-type/credential-compromised</a><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> <o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> Credential Compromised signals that a given credential for the account identified<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> by the subject was compromised. If the exact same credential is used by the same<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> account then the Receiver should take action.<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> <o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> Attributes:<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> - credential-type:<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> - password<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> - PIN<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> - ...<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> - credential-hash<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> - hash-method:<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> - SHA-256<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> - ...<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> <o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> {<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> "iss": "<a href="https://idp.example.com/">https://idp.example.com/</a>",<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> "jti": "756E69717565206964656E746966696572",<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> "iat": 1508184845,<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> "aud": "636C69656E745F6964",<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> "events": {<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> "<a href="https://schemas.openid.net/secevent/risc/event-type/credential-compromised">https://schemas.openid.net/secevent/risc/event-type/credential-compromised</a>": {<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> "subject": {<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> "subject_type": "iss-sub",<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> "iss": "<a href="https://idp.example.com/">https://idp.example.com/</a>",<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> "sub": "7375626A656374",<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> },<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> "credential-type": "password",<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> "credential-hash": "41ef4bb0b23661e66301aac36066912dac037827b4ae63a7b1165a5aa93ed4eb",<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> "hash-method": "SHA-256",<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> }<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> }<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> }<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> <o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"> <o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt">Keep in mind that an event like this is useful not only for a clearing house use case but for all implicit and pseudo implicit use cases, see sections 3.3, 3.4 and 3.5:<o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><a href="https://tools.ietf.org/html/draft-scurtescu-secevent-risc-use-cases">https://tools.ietf.org/html/draft-scurtescu-secevent-risc-use-cases</a><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
</div>
</body>
</html>