<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Atul - let's put this on the top of the list for next Tuesday since we keep running out of time.</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
tim</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Openid-specs-risc &lt;openid-specs-risc-bounces@lists.openid.net&gt; on behalf of Stan Bounev via Openid-specs-risc &lt;openid-specs-risc@lists.openid.net&gt;<br>
<b>Sent:</b> Tuesday, March 2, 2021 02:29<br>
<b>To:</b> Atul Tulshibagwale &lt;atultulshi@google.com&gt;; Openid-specs-risc &lt;openid-specs-risc@lists.openid.net&gt;<br>
<b>Subject:</b> Re: [Openid-specs-risc] "Credential compromise" event discussion tomorrow</font>
<div> </div>
</div>
<style>
<!--
@font-face
{font-family:"Cambria Math"}
@font-face
{font-family:Calibri}
p.x_MsoNormal, li.x_MsoNormal, div.x_MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif}
a:link, span.x_MsoHyperlink
{color:blue;
text-decoration:underline}
span.x_EmailStyle19
{font-family:"Calibri",sans-serif;
color:windowtext}
.x_MsoChpDefault
{font-size:10.0pt}
@page WordSection1
{margin:1.0in 1.0in 1.0in 1.0in}
div.x_WordSection1
{}
ol
{margin-bottom:0in}
ul
{margin-bottom:0in}
-->
</style>
<div lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="x_WordSection1">
<p class="x_MsoNormal">Hi all,</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">I’d like to add for discussion tomorrow the “credential compromise” event. I’d like to get feedback. See below.</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Thanks,</p>
<p class="x_MsoNormal">Stan</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"> </p>
<pre style="font-family:monospace; font-size:10.0pt; white-space:pre-wrap">
&lt;section anchor="credential-compromise-examples" title="Examples"&gt;

&lt;t&gt;NOTE: The event type URI is wrapped, the backslash is the continuation character.&lt;/t&gt;
&lt;t&gt;Credential Compromised signals that the identifier specified in the subject was found to be compromised. The subject type MUST be either &lt;spanx style="verb"&gt;email&lt;/spanx&gt; or &lt;spanx style="verb"&gt;phone&lt;/spanx&gt;.&lt;/t&gt;

&lt;figure title="Example: Compromised credential found" anchor="credential-compromise-example"&gt;&lt;artwork type="json"&gt;&lt;![CDATA[
{
  "iss": "https://idp.example.com/3456790/",
  "jti": "756E69717565206964656E746966696572",
  "iat": 1508184845,
  "aud": "https://sp.example2.net/caep",
  "events": {
    "https://schemas.openid.net/secevent/risc/event-type/credential-compromise": {
      "subject": {
        "subject_type": "iss-sub",
        "iss": "https://idp.example.com/3456790/",
        "sub": "joe.smith@example.com"
      },
      "credential-compromise-id": "email", "phone"
    }
  }
}
-&lt;/sourcecode&gt;
-&lt;/figure&gt;
+]]&gt;&lt;/artwork&gt;&lt;/figure&gt;
+
&lt;/section&gt;
</pre>
<p class="x_MsoNormal"> </p>
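<p class="x_MsoNormal">Editor's note, added to this copy of the thread (not code from Stan, from the RISC working group, or from any draft): the proposed event as a signed Security Event Token (RFC 8417) on the transmitter side, and a receiver that verifies the JWS and then enforces the rule the proposal states, that the subject type must be <code>email</code> or <code>phone</code>. Run as written it also shows that the thread's own sample, whose subject is <code>iss-sub</code>, would be rejected under that rule, which is worth raising in the feedback the message asks for. Everything not in the thread is an assumption: HS256 with a shared secret (chosen only so the script runs offline; RISC transmitters sign with an asymmetric key that receivers fetch from a JWKS), the subject claim names <code>email</code> and <code>phone_number</code> (Subject Identifiers draft conventions), the constructed key, and the replay cache, acceptance window and trusted-issuer list being receiver configuration.</p>

```python
"""Sign and validate a RISC credential-compromise SET (added example, see lead-in)."""
import base64
import hashlib
import hmac
import json
import time

CREDENTIAL_COMPROMISE = (
    "https://schemas.openid.net/secevent/risc/event-type/credential-compromise"
)
# Proposal text: "The subject type MUST be either email or phone."
# The claim carrying the identifier for each type is an assumption taken from
# Subject Identifiers draft conventions, not from the thread.
SUBJECT_CLAIM = {"email": "email", "phone": "phone_number"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_event(iss: str, aud: str, jti: str, subject: dict, iat: int) -> dict:
    """SET claims (RFC 8417) carrying a single credential-compromise event."""
    return {"iss": iss, "jti": jti, "iat": iat, "aud": aud,
            "events": {CREDENTIAL_COMPROMISE: {"subject": subject}}}


def sign_set(claims: dict, key: bytes) -> str:
    """JWS compact serialization. HS256 is an assumption for a stand-alone demo;
    a real transmitter signs with an asymmetric key published via JWKS."""
    header = {"typ": "secevent+jwt", "alg": "HS256"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_set(token: str, key: bytes) -> dict:
    """Verify the signature and return the claims. The alg is pinned to the
    receiver's configuration, so "none" or a swapped alg is rejected before any
    key material is used."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected JWS header %r" % header)
    expected = hmac.new(key, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p64))


class Receiver:
    """Receiver-side checks for a credential-compromise SET."""

    def __init__(self, audience: str, trusted_issuers: set, key: bytes, max_age: int = 300):
        self.audience, self.trusted_issuers, self.key = audience, trusted_issuers, key
        self.max_age = max_age          # seconds a SET may be old; 60 s of forward skew allowed
        self.seen_jti = set()           # replay cache (in-memory here; persist it in production)

    def process(self, token: str, now: int = None) -> dict:
        now = int(time.time()) if now is None else now
        claims = verify_set(token, self.key)
        for c in ("iss", "jti", "iat", "aud", "events"):
            if c not in claims:
                raise ValueError("missing required SET claim %r" % c)
        if claims["iss"] not in self.trusted_issuers:
            raise ValueError("untrusted issuer %r" % claims["iss"])
        aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
        if self.audience not in aud:
            raise ValueError("token not addressed to us: %r" % aud)
        if not (now - self.max_age <= claims["iat"] <= now + 60):
            raise ValueError("iat outside acceptance window")
        if claims["jti"] in self.seen_jti:
            raise ValueError("replayed jti %r" % claims["jti"])
        event = claims["events"].get(CREDENTIAL_COMPROMISE)
        if event is None:
            raise ValueError("no credential-compromise event in %r" % list(claims["events"]))
        subject = event.get("subject", {})
        stype = subject.get("subject_type")
        if stype not in SUBJECT_CLAIM:
            raise ValueError("subject_type %r not allowed; proposal requires email or phone" % stype)
        identifier = subject.get(SUBJECT_CLAIM[stype])
        if not identifier:
            raise ValueError("subject lacks the %r claim" % SUBJECT_CLAIM[stype])
        self.seen_jti.add(claims["jti"])
        return {"subject_type": stype, "identifier": identifier}


if __name__ == "__main__":
    KEY = b"constructed-shared-secret"   # constructed; never a real deployment value
    ISS, AUD = "https://idp.example.com/3456790/", "https://sp.example2.net/caep"
    rx = Receiver(AUD, {ISS}, KEY)
    ok = build_event(ISS, AUD, "756E69717565206964656E746966696572",
                     {"subject_type": "email", "email": "joe.smith@example.com"}, 1508184845)
    print("accepted:", rx.process(sign_set(ok, KEY), now=1508184845))
    bad = build_event(ISS, AUD, "jti-2",
                      {"subject_type": "iss-sub", "iss": ISS, "sub": "joe.smith@example.com"}, 1508184845)
    try:
        rx.process(sign_set(bad, KEY), now=1508184845)
    except ValueError as err:
        print("thread's own sample rejected:", err)
```

<p class="x_MsoNormal">The order of checks matters: the signature is verified before any claim is read, the audience and issuer are checked before the event is interpreted, and the jti is recorded only after every check passes, so a SET that fails validation cannot poison the replay cache for a later, valid delivery with the same jti.</p>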
<div style="border:none; border-top:solid #B5C4DF 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt; color:black">From:
</span></b><span style="font-size:12.0pt; color:black">Openid-specs-risc &lt;openid-specs-risc-bounces@lists.openid.net&gt; on behalf of Atul Tulshibagwale via Openid-specs-risc &lt;openid-specs-risc@lists.openid.net&gt;<br>
<b>Date: </b>Monday, February 22, 2021 at 5:51 PM<br>
<b>To: </b>Openid-specs-risc &lt;openid-specs-risc@lists.openid.net&gt;<br>
<b>Subject: </b>Re: [Openid-specs-risc] "Compound" subject types in SSE</span></p>
</div>
<div>
<p class="x_MsoNormal">Hi all,</p>
<div>
<p class="x_MsoNormal">A quick reminder to please review this proposal and provide your feedback and / or comments. It'll be good to review the feedback in the call on Tuesday next week.</p>
</div>
<div>
<p class="x_MsoNormal"> </p>
</div>
<div>
<p class="x_MsoNormal">Thanks,</p>
</div>
<div>
<p class="x_MsoNormal">Atul</p>
</div>
<div>
<p class="x_MsoNormal"> </p>
</div>
</div>
<p class="x_MsoNormal"> </p>
<div>
<div>
<p class="x_MsoNormal">On Tue, Feb 16, 2021 at 12:22 PM Atul Tulshibagwale &lt;<a href="mailto:atultulshi@google.com">atultulshi@google.com</a>&gt; wrote:</p>
</div>
<blockquote style="border:none; border-left:solid #CCCCCC 1.0pt; padding:0in 0in 0in 6.0pt; margin-left:4.8pt; margin-right:0in">
<div>
<p class="x_MsoNormal">Hi all,</p>
<div>
<p class="x_MsoNormal">We discussed an important topic on the call today, and some of us had separately discussed this earlier. There are a couple of issues with the draft today:</p>
</div>
<div>
<ol start="1" type="1">
<li class="x_MsoNormal" style="">The use of "common claims" e.g. "spag_id" conflicts with the Subject Identifiers draft that specifies claims other than those defined within the "subject_type" definition must not be included in a subject claim of that subject_type.</li><li class="x_MsoNormal" style="">We defined a specific "user-device-session" subject type, but are now discovering use cases that create a multitude of other possibilities. The immediate one that caused this discussion was the use of an "application" principal.
The use case is where a Transmitter may want to invalidate sessions associated with a specific application on a specific user or device.</li></ol>
<div>
<p class="x_MsoNormal">To address both these issues, Tim Cappalli (Microsoft) and I came up with this proposal to create multi-valued or "compound" subject claims in SSE events. This will not require the use of common claims such as "spag_id", but we can create
specific new subject_types such as "tenant" or "OU" as needed.</p>
</div>
<div>
<p class="x_MsoNormal"> </p>
</div>
<div>
<p class="x_MsoNormal">Please review the proposal <a href="https://docs.google.com/document/d/1stTI18cQy8zTw0u0UjC6NLkjBZAYEU1kNCDru7dEdfQ/edit?usp=sharing" target="_blank">here</a>. It will be great if you can provide your comments and feedback in the next couple of weeks so that we can have a productive discussion in our next call on March 2nd. If we can make sufficient progress in the call there, we can incorporate the changes into the draft.</p>
</div>
<div>
<p class="x_MsoNormal"> </p>
</div>
<div>
<p class="x_MsoNormal">Thanks,</p>
</div>
<div>
<p class="x_MsoNormal">Atul</p>
</div>
<div>
<div>
<div>
<p class="x_MsoNormal"> </p>
<table class="x_MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr style="height:104.25pt">
<td valign="top" style="padding:.75pt .75pt .75pt .75pt; height:104.25pt; overflow:hidden">
<p class="x_MsoNormal"><br>
<span style="border:none windowtext 1.0pt; padding:0in"><img border="0" width="113" height="113" id="x__x0000_i1025" style="width:1.177in; height:1.177in" src="https://lh6.googleusercontent.com/fmoDQ26Qu6nUCxkO3-_idifYd4drGNvt7Ab_LQBqsdPH7EwOjHOqIJRzGXtqFHoor0bKiVZNFnj86FL59uqJJ1_-mSVOlfdsnlvDYTpq0wfcQFDXJr7miiOpLOie6c-pxXWWqpFqRg"></span></p>
</td>
<td valign="top" style="padding:.75pt .75pt .75pt .75pt; height:104.25pt; overflow:hidden">
<p style="margin:0in"> </p>
<p style="margin:0in"><b><span style="font-size:10.0pt; font-family:"Arial",sans-serif">Atul Tulshibagwale</span></b></p>
<p style="margin:0in"><span style="font-size:10.0pt; font-family:"Arial",sans-serif">Software Engineer,</span></p>
<p style="margin:0in"><span style="font-size:10.0pt; font-family:"Arial",sans-serif">Google Workspace</span></p>
<p style="margin:0in"><span style="font-size:10.0pt; font-family:"Arial",sans-serif"><a href="mailto:atultulshi@google.com" target="_blank">atultulshi@google.com</a></span></p>
</td>
</tr>
</tbody>
</table>
<p class="x_MsoNormal"> </p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</body>
</html>