<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Menlo;
panose-1:2 11 6 9 3 8 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.xmsonormal, li.xmsonormal, div.xmsonormal
{mso-style-name:x_msonormal;
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:162933089;
mso-list-type:hybrid;
mso-list-template-ids:1991296416 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1
{mso-list-id:569074325;
mso-list-template-ids:-2097224246;}
@list l1:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2
{mso-list-id:1424375886;
mso-list-type:hybrid;
mso-list-template-ids:293112182 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l2:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l3
{mso-list-id:1636637627;
mso-list-template-ids:-106498248;}
@list l4
{mso-list-id:1650397780;
mso-list-template-ids:-1888704430;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Annabelle, thanks for your input on ‘credential compromise’ during the meeting. I see your point about a potential interoperability issue with the first use case below. For the people who were not able to join today, your argument was that
some IdPs could be ‘trigger happy’ and send the ‘credential compromise’ event too often versus other IdPs that are conservative.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The receiving party will be the one to decide how to implement it. Vulnerability and other security systems allow one to weigh/prioritize alerts. In the actual implementation, the receiving party can dial the alerts from a given
IdP up or down based on the history with that IdP.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">An additional point that Tim raised is that the IdP is the authoritative party. When an IdP blocks, asks for a step-up authn or does something else, the receiving party does not question it or ask for clarification.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In terms of interoperability, the ‘credential compromise’ event seems to be similar to the ‘session revoked’ event. In the latter event, the session is revoked based on the heuristics of the ‘admin’ (as per the event description). The most common
reasons for session revoked include compromised accounts, employee termination, and other insider threats. Those are not strictly defined in our spec and an ‘admin’ or IdP could terminate a session based on heuristics.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I see three paths forward:<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo7">Define the criteria for a credential to be compromised and for a session to be revoked.<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo7">Drop the two use cases #1 and #3 below and just keep use case #2.<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo7">Do nothing. Include the ‘credential-compromise’ as is and leave it to the SE to determine how to treat the events from each IdP.<o:p></o:p></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Let me know what you think.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Stan<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Openid-specs-risc <openid-specs-risc-bounces@lists.openid.net> on behalf of Stan Bounev via Openid-specs-risc <openid-specs-risc@lists.openid.net><br>
<b>Date: </b>Tuesday, March 9, 2021 at 9:43 AM<br>
<b>To: </b>Tim Cappalli <Tim.Cappalli@microsoft.com>, atultulshi@google.com <atultulshi@google.com>, openid-specs-risc@lists.openid.net <openid-specs-risc@lists.openid.net><br>
<b>Subject: </b>Re: [Openid-specs-risc] "Credential compromise" event discussion tomorrow<o:p></o:p></span></p>
</div>
<p class="MsoNormal">Atul, thanks for putting this at the beginning of the meeting.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">This event is similar to the ‘credential change’ event and the others we have in the spec. There are three main use cases for the ‘credential-compromise’ event (not in order of importance):
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo3">IdP considers an account as compromised based on policies – e.g. user logs in from two locations (US and China) within two min; anomaly detection tools also acknowledge compromise or any other
way. In this case, IdP sends ‘credential compromise’ event to admin of that domain. Our VeriClouds is hosted by O365. O365 will send a notification to the user trying to log in, but I’d also like to get the information in my security tools.<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo3">Third party credential monitoring service (CMS) or threat intel service finds compromised credentials for a client of theirs. The CMS sends ‘compromised credential’ event to the client.
<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo3">App authenticating users finds an account as compromised based on policies – e.g. user logs in from two locations (US and China) within two min; anomaly detection tools also acknowledge compromise
or any other way. The App sends the ‘credential compromise’ event to the admin (or security tools) of the user domain. For example, Box.com determines a Quickbooks.com credential as compromised. Box.com sends ‘credential compromise’ event to Quickbooks. Quickbooks
investigates recent activity. The difference with the first use case is that Box.com is not an IdP.<o:p></o:p></li></ol>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Below is the revised event. Tim, thanks for the input.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<pre style="font-size:9.0pt;font-family:Menlo;color:#2A2A2A;background:white">{
  "iss": "https://idp.example.com/3456790/",
  "jti": "756E69717565206964656E746966696572",
  "iat": 1508184845,
  "aud": "https://sp.example2.net/risc",
  "events": {
    "https://schemas.openid.net/secevent/risc/event-type/credential-compromise": {
      "subject": {
        "subject_type": "email",
        "sub": "joe.smith@example.com"
      },
      "reason_admin": "Email found as compromised.",
      "reason_user": "The credential associated with this account has been compromised."
    }
  }
}</pre>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
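<p class="MsoNormal">Added example for this thread, not code from the RISC draft or from anyone on the list: a transmitter builds and signs a ‘credential-compromise’ SET shaped like the revised event above, and a receiving party verifies it, rejects replays and stale tokens, and then weights the alert by issuer, which is the ‘dial the alerts from a given IdP up or down’ approach from the reply at the top of the thread. It assumes an HS256 shared key (RISC transmitters would normally sign with an RS256 key published at a JWKS endpoint); the issuer names, keys and trust weights are constructed for the example.<o:p></o:p></p>

```python
# Added example, not code from the RISC draft or from anyone on this list.
# A transmitter builds and signs a credential-compromise SET shaped like the
# revised event in the thread; the receiving party verifies it, rejects replays
# and stale tokens, and weights the alert per issuer ("dial up or down" per IdP).
# Assumed: HS256 with a shared key (real RISC transmitters sign with RS256 keys
# published at a JWKS endpoint); issuer names, keys and weights are constructed.
import base64
import hashlib
import hmac
import json
import time

EVENT_TYPE = "https://schemas.openid.net/secevent/risc/event-type/credential-compromise"
ALLOWED_SUBJECT_TYPES = {"email", "phone"}  # the draft text: MUST be one of these


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_credential_compromise_set(iss, aud, jti, subject_type, sub,
                                    reason_admin, reason_user, iat=None):
    """Payload with the same claims as the revised event posted in the thread."""
    event = {"subject": {"subject_type": subject_type, "sub": sub},
             "reason_admin": reason_admin, "reason_user": reason_user}
    return {"iss": iss, "jti": jti, "aud": aud,
            "iat": int(time.time()) if iat is None else iat,
            "events": {EVENT_TYPE: event}}


def sign_set(payload: dict, key: bytes) -> str:
    """Serialise the SET as a compact JWS; HS256 is an assumption for the example."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    head = json.dumps(header, separators=(",", ":")).encode()
    body = json.dumps(payload, separators=(",", ":")).encode()
    signing_input = _b64url(head) + "." + _b64url(body)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class Receiver:
    """Receiving party: verify the SET, then score it from the issuer's history."""

    def __init__(self, aud, issuer_keys, issuer_weight, max_age=300):
        self.aud = aud
        self.issuer_keys = issuer_keys      # iss -> shared key (assumed)
        self.issuer_weight = issuer_weight  # iss -> trust weight 0.0..1.0 (assumed)
        self.max_age = max_age
        self.seen_jti = set()               # replay cache; a real one expires entries

    def verify(self, token: str, now=None) -> dict:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
            raise ValueError("unexpected JWS header")
        payload = json.loads(_b64url_decode(body_b64))
        key = self.issuer_keys.get(payload.get("iss"))  # key chosen by iss, then checked
        if key is None:
            raise ValueError("unknown issuer")
        expected = hmac.new(key, (head_b64 + "." + body_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        if payload.get("aud") != self.aud:
            raise ValueError("token not addressed to this receiver")
        now = int(time.time()) if now is None else now
        if payload["iat"] > now + 60 or now - payload["iat"] > self.max_age:
            raise ValueError("token too old or from the future")
        if payload["jti"] in self.seen_jti:
            raise ValueError("replayed jti")
        self.seen_jti.add(payload["jti"])
        return payload

    def triage(self, payload: dict) -> dict:
        event = payload["events"].get(EVENT_TYPE)
        if event is None:
            raise ValueError("not a credential-compromise event")
        subject = event["subject"]
        if subject.get("subject_type") not in ALLOWED_SUBJECT_TYPES:
            raise ValueError("subject_type must be email or phone")
        weight = self.issuer_weight.get(payload["iss"], 0.5)  # no history yet: middle
        severity = "high" if weight >= 0.8 else "medium" if weight >= 0.4 else "low"
        return {"issuer": payload["iss"], "subject": subject["sub"],
                "severity": severity, "reason": event.get("reason_admin")}


def demo():
    """Constructed data: a trusted IdP, a 'trigger happy' IdP, and one replay."""
    trusted, noisy = "https://idp.example.com/3456790/", "https://noisy-idp.example.net/"
    keys = {trusted: b"constructed-key-trusted", noisy: b"constructed-key-noisy"}
    rx = Receiver("https://sp.example2.net/risc", keys, {trusted: 0.9, noisy: 0.2})
    now = 1508184900  # a minute after the iat in the thread's example
    tok_trusted = sign_set(build_credential_compromise_set(
        trusted, rx.aud, "756E69717565206964656E746966696572", "email", "joe.smith@example.com",
        "Email found as compromised.",
        "The credential associated with this account has been compromised.", iat=1508184845),
        keys[trusted])
    tok_noisy = sign_set(build_credential_compromise_set(
        noisy, rx.aud, "jti-0002", "phone", "+15550100",
        "Impossible travel heuristic fired.", "Please re-authenticate.", iat=now), keys[noisy])
    results = [rx.triage(rx.verify(tok_trusted, now)), rx.triage(rx.verify(tok_noisy, now))]
    try:
        rx.verify(tok_trusted, now)  # same jti delivered again
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return results, replay_rejected
```

<p class="MsoNormal">demo() returns the two triage results (the trusted IdP’s event scored ‘high’, the noisy IdP’s ‘low’) and whether the replayed token was rejected. The order in verify() matters: the key is selected by the unverified ‘iss’ claim but the signature is checked before any other claim is trusted, and ‘aud’, ‘iat’ and ‘jti’ are each checked before the event is handed to triage. The issuer weight table is the receiver’s policy knob and is the only thing that needs tuning when one transmitter turns out to be noisier than another.<o:p></o:p></p>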
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Tim Cappalli <Tim.Cappalli@microsoft.com><br>
<b>Date: </b>Tuesday, March 2, 2021 at 11:22 AM<br>
<b>To: </b>atultulshi@google.com <atultulshi@google.com>, openid-specs-risc@lists.openid.net <openid-specs-risc@lists.openid.net>, Stan Bounev <stanb@vericlouds.com><br>
<b>Subject: </b>Re: [Openid-specs-risc] "Credential compromise" event discussion tomorrow</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">Atul - let's put this on the top of the list for next Tuesday since we keep running out of time.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial",sans-serif;color:black">tim</span><o:p></o:p></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="0" width="83%" align="center">
</div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span style="color:black">From:</span></b><span style="color:black"> Openid-specs-risc <openid-specs-risc-bounces@lists.openid.net> on behalf of Stan Bounev via Openid-specs-risc <openid-specs-risc@lists.openid.net><br>
<b>Sent:</b> Tuesday, March 2, 2021 02:29<br>
<b>To:</b> Atul Tulshibagwale <atultulshi@google.com>; Openid-specs-risc <openid-specs-risc@lists.openid.net><br>
<b>Subject:</b> Re: [Openid-specs-risc] "Credential compromise" event discussion tomorrow</span>
<o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="xmsonormal">Hi all,<o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal">I’d like to add for discussion tomorrow the “credential compromise” event. I’d like to get feedback. See below.<o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal">Thanks,<o:p></o:p></p>
<p class="xmsonormal">Stan<o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<pre style="font-size:9.0pt;font-family:Menlo">&lt;section anchor="credential-compromise-examples" title="Examples"&gt;

&lt;t&gt;NOTE: The event type URI is wrapped, the backslash is the continuation character.&lt;/t&gt;
&lt;t&gt;Credential Compromised signals that the identifier specified in the subject was found to be compromised. The subject type MUST be either &lt;spanx style="verb"&gt;email&lt;/spanx&gt; or &lt;spanx style="verb"&gt;phone&lt;/spanx&gt;.&lt;/t&gt;

&lt;figure title="Example: Compromised credential found" anchor="credential-compromise-example"&gt;&lt;artwork type="json"&gt;&lt;![CDATA[

{
  "iss": "https://idp.example.com/3456790/",
  "jti": "756E69717565206964656E746966696572",
  "iat": 1508184845,
  "aud": "https://sp.example2.net/caep",
  "events": {
    "https://schemas.openid.net/secevent/risc/event-type/credential-compromise": {
      "subject": {
        "subject_type": "iss-sub",
        "iss": "https://idp.example.com/3456790/",
        "sub": "joe.smith@example.com"
      },
      "credential-compromise-id": "email"
    }
  }
}

-&lt;/sourcecode&gt;
-&lt;/figure&gt;
+]]&gt;&lt;/artwork&gt;&lt;/figure&gt;
+
&lt;/section&gt;</pre>
<p class="xmsonormal"> <o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="xmsonormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Openid-specs-risc <openid-specs-risc-bounces@lists.openid.net> on behalf of Atul Tulshibagwale via Openid-specs-risc <openid-specs-risc@lists.openid.net><br>
<b>Date: </b>Monday, February 22, 2021 at 5:51 PM<br>
<b>To: </b>Openid-specs-risc <openid-specs-risc@lists.openid.net><br>
<b>Subject: </b>Re: [Openid-specs-risc] "Compound" subject types in SSE</span><o:p></o:p></p>
</div>
<div>
<p class="xmsonormal">Hi all,<o:p></o:p></p>
<div>
<p class="xmsonormal">A quick reminder to please review this proposal and provide your feedback and / or comments. It'll be good to review the feedback in the call on Tuesday next week.<o:p></o:p></p>
</div>
<div>
<p class="xmsonormal"> <o:p></o:p></p>
</div>
<div>
<p class="xmsonormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="xmsonormal">Atul<o:p></o:p></p>
</div>
<div>
<p class="xmsonormal"> <o:p></o:p></p>
</div>
</div>
<p class="xmsonormal"> <o:p></o:p></p>
<div>
<div>
<p class="xmsonormal">On Tue, Feb 16, 2021 at 12:22 PM Atul Tulshibagwale <<a href="mailto:atultulshi@google.com">atultulshi@google.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<p class="xmsonormal">Hi all,<o:p></o:p></p>
<div>
<p class="xmsonormal">We discussed an important topic on the call today, and some of us had separately discussed this earlier. There are a couple of issues with the draft today:<o:p></o:p></p>
</div>
<div>
<ol style="margin-top:0in" start="1" type="1">
<li class="xmsonormal" style="mso-list:l1 level1 lfo6">The use of "common claims" e.g. "spag_id" conflicts with the Subject Identifiers draft that specifies claims other than those defined within the "subject_type" definition must not be included in a subject
claim of that subject_type.<o:p></o:p></li><li class="xmsonormal" style="mso-list:l1 level1 lfo6">We defined a specific "user-device-session" subject type, but are now discovering use cases that create a multitude of other possibilities. The immediate one that caused this discussion was the use of an
"application" principal. The use case is where a Transmitter may want to invalidate sessions associated with a specific application on a specific user or device.<o:p></o:p></li></ol>
<div>
<p class="xmsonormal">To address both these issues, Tim Cappalli (Microsoft) and I came up with this proposal to create multi-valued or "compound" subject claims in SSE events. This will not require the use of common claims such as "spag_id", but we can create
specific new subject_types such as "tenant" or "OU" as needed.<o:p></o:p></p>
</div>
<div>
<p class="xmsonormal"> <o:p></o:p></p>
</div>
<div>
<p class="xmsonormal">Please review the proposal <a href="https://docs.google.com/document/d/1stTI18cQy8zTw0u0UjC6NLkjBZAYEU1kNCDru7dEdfQ/edit?usp=sharing" target="_blank">
here</a>. It will be great if you can provide your comments and feedback in the next couple of weeks so that we can have a productive discussion in our next call on March 2nd. If we can make sufficient progress in the call there, we can incorporate the changes
into the draft.<o:p></o:p></p>
</div>
<div>
<p class="xmsonormal"> <o:p></o:p></p>
</div>
<div>
<p class="xmsonormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="xmsonormal">Atul<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="xmsonormal"> <o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr style="height:104.25pt">
<td valign="top" style="padding:.75pt .75pt .75pt .75pt;height:104.25pt;overflow:hidden">
<p class="xmsonormal"><br>
<span style="border:none windowtext 1.0pt;padding:0in"><img border="0" width="113" height="113" style="width:1.177in;height:1.177in" id="x__x005f_x0000_i1025" src="https://lh6.googleusercontent.com/fmoDQ26Qu6nUCxkO3-_idifYd4drGNvt7Ab_LQBqsdPH7EwOjHOqIJRzGXtqFHoor0bKiVZNFnj86FL59uqJJ1_-mSVOlfdsnlvDYTpq0wfcQFDXJr7miiOpLOie6c-pxXWWqpFqRg"></span><o:p></o:p></p>
</td>
<td valign="top" style="padding:.75pt .75pt .75pt .75pt;height:104.25pt;overflow:hidden">
<p> <o:p></o:p></p>
<p><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Atul Tulshibagwale</span></b><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Software Engineer,</span><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Google Workspace</span><o:p></o:p></p>
<p><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><a href="mailto:atultulshi@google.com" target="_blank">atultulshi@google.com</a></span><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="xmsonormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</body>
</html>