<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Helvetica Neue";
panose-1:2 0 5 3 0 0 0 2 0 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:621695550;
mso-list-template-ids:-1822631620;}
@list l1
{mso-list-id:1110246361;
mso-list-type:hybrid;
mso-list-template-ids:-919075696 1765962112 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Couple of points:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo1">I wasn’t able to do the PR as I didn’t have the right permission and Marius was kind enough to add it.<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo1">I agree this is related to RISC. My understanding is that RISC gets merged with SSE. If not, I will continue working towards adding it to RISC spec.<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo1">I didn’t provide the event details as we still haven’t discussed the use case. I can give you just very early draft thoughts about the event below. Will be happy to modify based on
feedback.<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:black">Here is more detail that also provides some of the main points that will be included in a potential ‘compromised’ event.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo2">Transmitter finds compromised credential with the RP domain<o:p></o:p></li>
<li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo2">Transmitter sends the compromised event that includes the identifier<o:p></o:p></li>
<li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo2">RP acknowledges that this is or is not a valid identifier (user ID/email address).<o:p></o:p></li>
<li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo2">RP either makes a request to the transmitter to get an identifier’s attribute (password) or does not<o:p></o:p></li>
<li class="MsoNormal" style="color:black;mso-list:l0 level1 lfo2">If RP makes a request, the transmitter sends: a) identifier; b) credential type, e.g. ‘password’; c) credential hash; d) hash method.<o:p></o:p></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> Event Type URI:<br>
<a href="https://schemas.openid.net/secevent/risc/event-type/credential-compromised">https://schemas.openid.net/secevent/risc/event-type/credential-compromised</a><br>
<br>
Credential Compromised signals that a given credential for the account identified<o:p></o:p></p>
<p class="MsoNormal"> by the Transmitter was compromised. If the exact same credential is used by the same<o:p></o:p></p>
<p class="MsoNormal"> account then the Receiver should take action.<br>
<br>
Attributes:<o:p></o:p></p>
<p class="MsoNormal"> + credential identifier:<o:p></o:p></p>
<p class="MsoNormal"> - user ID<o:p></o:p></p>
<p class="MsoNormal"> - email<o:p></o:p></p>
<p class="MsoNormal"> - phone<o:p></o:p></p>
<p class="MsoNormal"> - ...<o:p></o:p></p>
<p class="MsoNormal">+ credential type<o:p></o:p></p>
<p class="MsoNormal"> - password<o:p></o:p></p>
<p class="MsoNormal"> - ...<o:p></o:p></p>
<p class="MsoNormal">+ identifier attribute:<o:p></o:p></p>
<p class="MsoNormal"> - credential-hash (password hash)<o:p></o:p></p>
<p class="MsoNormal">+ hash-method:<o:p></o:p></p>
<p class="MsoNormal"> - SHA-256<o:p></o:p></p>
<p class="MsoNormal"> - ...<br>
<br>
Let me know what you think.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Stan<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
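<p class="MsoNormal">An added example (not part of the original message or of any RISC draft) of how a Receiver could act on steps 3 to 5 and the attribute list above, checking a password it sees at login against the reported hash. The JSON member names, the hex encoding of the hash, the sample account and the returned action labels are assumptions; only the event type URI and the SHA-256 hash method come from the message.</p>

```python
import hashlib
import hmac

# Event type URI as given in the message.
EVENT_TYPE = "https://schemas.openid.net/secevent/risc/event-type/credential-compromised"

# Hash methods this receiver accepts; the draft lists SHA-256 and "...".
HASHERS = {"SHA-256": hashlib.sha256}

# Constructed sample of the step 5 detail message. Member names are
# hypothetical: the draft names the four attributes but not their keys.
SAMPLE_EVENT = {
    EVENT_TYPE: {
        "identifier": {"email": "alice@rp.example"},
        "credential_type": "password",
        "credential_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "hash_method": "SHA-256",
    }
}

KNOWN_ACCOUNTS = {"alice@rp.example"}  # constructed receiver user store


def extract(event):
    """Return the event payload, or None if it is not the proposed type."""
    return event.get(EVENT_TYPE)


def is_known_identifier(payload):
    """Step 3: does the identifier belong to an account at this RP?"""
    ident = payload.get("identifier", {})
    return any(value in KNOWN_ACCOUNTS for value in ident.values())


def same_credential(payload, candidate_password):
    """Step 5 check: is the candidate the credential reported as compromised?"""
    if payload.get("credential_type") != "password":
        return False
    hasher = HASHERS.get(payload.get("hash_method"))
    if hasher is None:
        raise ValueError("unsupported hash-method")
    digest = hasher(candidate_password.encode("utf-8")).hexdigest()
    # Constant-time comparison of the two hex digests (hex is an assumption).
    return hmac.compare_digest(digest, payload["credential_hash"].lower())


def action_for(event, candidate_password):
    """Map an event plus the password seen at login to an action label."""
    payload = extract(event)
    if payload is None or not is_known_identifier(payload):
        return "ignore"
    if same_credential(payload, candidate_password):
        return "force-reset"  # placeholder for "the Receiver should take action"
    return "no-action"
```

<p class="MsoNormal">The comparison is done against the password presented at login because a Receiver that stores salted password hashes cannot compare its stored value with an unsalted SHA-256 digest.</p>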
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Jordan Wright &lt;jwright@duo.com&gt;<br>
<b>Date: </b>Wednesday, June 3, 2020 at 3:53 PM<br>
<b>To: </b>Atul Tulshibagwale &lt;atultulshi@google.com&gt;<br>
<b>Cc: </b>Stan &lt;stanb@vericlouds.com&gt;, Openid-specs-risc &lt;openid-specs-risc@lists.openid.net&gt;<br>
<b>Subject: </b>Re: [Openid-specs-risc] draft agenda<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I think a compromised credential event is very solidly in the RISC area of the spec, not CAEP. I'd be happy to discuss it during the workshop though.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I was looking around for the proposed event structure and couldn't find it. Stan, do you have a copy of the event details you're proposing? I see the use case, which I agree with and appreciate that it's high-level based on my previous
feedback, but I'd be curious to read more about the details.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Jordan<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Wed, Jun 3, 2020 at 5:43 PM Atul Tulshibagwale via Openid-specs-risc &lt;<a href="mailto:openid-specs-risc@lists.openid.net" target="_blank">openid-specs-risc@lists.openid.net</a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">Also, I looked at your PR, it is modifying the wrong file. There's another file which is the CAEP use cases, we should add your use case there. Please talk to Asad Ali (copied) about that.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Atul<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Wed, Jun 3, 2020 at 3:37 PM Atul Tulshibagwale &lt;<a href="mailto:atultulshi@google.com" target="_blank">atultulshi@google.com</a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">Hi Stan,<o:p></o:p></p>
<div>
<p class="MsoNormal">Happy to discuss the use case during the workshop. Should we schedule some time for it on Thursday (tomorrow)?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Atul<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Wed, Jun 3, 2020 at 2:51 PM Stan Bounev &lt;<a href="mailto:stanb@vericlouds.com" target="_blank">stanb@vericlouds.com</a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hi Atul,<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I would like to have the ‘compromised’ use case also considered for the SSE spec - after it gets feedback from the group and has an event created for it (assuming it passes
the review). I sent an email with a request for feedback to the group on 5/26 (see attached). So far I haven’t received any feedback. Do you think we can discuss the use case as part of the SSE Virtual Workshop, either on day 1 or on day 2?<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thanks,<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Stan<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Openid-specs-risc &lt;<a href="mailto:openid-specs-risc-bounces@lists.openid.net" target="_blank">openid-specs-risc-bounces@lists.openid.net</a>&gt; on behalf of Atul Tulshibagwale via Openid-specs-risc &lt;<a href="mailto:openid-specs-risc@lists.openid.net" target="_blank">openid-specs-risc@lists.openid.net</a>&gt;<br>
<b>Reply-To: </b>Atul Tulshibagwale &lt;<a href="mailto:atultulshi@google.com" target="_blank">atultulshi@google.com</a>&gt;<br>
<b>Date: </b>Wednesday, June 3, 2020 at 9:55 AM<br>
<b>To: </b>Openid-specs-risc &lt;<a href="mailto:openid-specs-risc@lists.openid.net" target="_blank">openid-specs-risc@lists.openid.net</a>&gt;<br>
<b>Subject: </b>[Openid-specs-risc] draft agenda</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hi all,<o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I've put together a proposed
<a href="https://docs.google.com/document/d/1ar7BCG7lXsCjaYN8yIeYQ4xf9Uj6W7euhViVmaCR31g/edit?usp=sharing" target="_blank">
agenda</a>. Please feel free to suggest changes.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Atul<o:p></o:p></p>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<p class="MsoNormal">_______________________________________________<br>
Openid-specs-risc mailing list<br>
<a href="mailto:Openid-specs-risc@lists.openid.net" target="_blank">Openid-specs-risc@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-risc" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-risc</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse;border-spacing:0px;max-width:100%">
<tbody>
<tr>
<td style="padding:0in 0in 0in 0in">
<div>
<p class="MsoNormal"><strong><span style="font-size:9.0pt;font-family:Helvetica;color:#333333">Jordan Wright</span></strong><span style="font-size:9.0pt;font-family:Helvetica;color:#333333"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Helvetica;color:#999999">/</span><span style="font-size:9.0pt;font-family:Helvetica;color:#333333"> Principal R&D Engineer<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Helvetica;color:#333333"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Helvetica;color:#333333"><br>
<a href="mailto:jwright@duo.com" target="_blank"><span style="color:#63B246;text-decoration:none">jwright@duo.com</span></a><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Helvetica;color:#333333"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Helvetica;color:#333333"><br>
<a href="https://duo.com/" target="_blank"><span style="color:#63B246;text-decoration:none">Duo.com</span></a><o:p></o:p></span></p>
</div>
</div>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>