<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Stylesheet emitted by the Word export (see the Generator meta tag above).
   The mso-* properties and the @list rules are Office-specific; in this file
   they appear to be consumed only by the mso-list style attributes on the
   <li> elements in the body. Generated markup: edit with care. */
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:870460327;
mso-list-template-ids:-1350246630;}
@list l0:level1
{mso-level-start-at:2;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1
{mso-list-id:1313633911;
mso-list-template-ids:-246794872;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l2
{mso-list-id:1683900327;
mso-list-type:hybrid;
mso-list-template-ids:1353772538 67698703 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l2:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3
{mso-list-id:1797596941;
mso-list-type:hybrid;
mso-list-template-ids:1353772538 67698703 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l3:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l4
{mso-list-id:1982494603;
mso-list-type:hybrid;
mso-list-template-ids:1353772538 67698703 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l4:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l4:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l4:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
/* Shared list spacing, applied to every ol/ul in the body. */
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi Martin,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks for the feedback. I will give you my take on your questions below.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<ul style="margin-top:0in" type="circle">
<li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l2 level2 lfo3">
Does “credential” in this context mean that the subject’s email account was compromised?<o:p></o:p></li></ul>
</ol>
<p class="MsoNormal">[Stan] “Credential” was chosen so that the term can cover either ‘email’ or ‘phone’. I will add ‘phone’ in the next update.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<ul style="margin-top:0in" type="circle">
<li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l2 level2 lfo3">
…considering expanding the event to other subject types triggers similar questions (e.g. what would be the credential related to a session found to be compromised? If thinking about device-level authn certificates, shouldn’t the certificate, rather than the device, be the subject of the
compromised credential?)<o:p></o:p></li></ul>
</ol>
<p class="MsoNormal">[Stan] ‘Session’ compromise will probably fall under some of the other events from the SSE spec. However, authN certificates could also be added to ‘credential compromise.’ I will pose this question to the group next time.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<ul style="margin-top:0in" type="circle">
<li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l2 level2 lfo3">
For the event to be actionable, I think it would be important to carry some meaning of timing.<o:p></o:p></li></ul>
</ol>
<p class="MsoNormal">[Stan] Agreed. We will have two optional dates – the date of exposure (when the credential was compromised) and the date the exposure was identified (i.e. when the leaked credential was discovered).<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Stan<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Martin Gallo &lt;mgallo@secureauth.com&gt;<br>
<b>Date: </b>Thursday, May 6, 2021 at 5:03 AM<br>
<b>To: </b>openid-specs-risc@lists.openid.net &lt;openid-specs-risc@lists.openid.net&gt;, Stan Bounev &lt;stanb@vericlouds.com&gt;, Atul Tulshibagwale &lt;atultulshi@google.com&gt;<br>
<b>Subject: </b>RE: RISC spec, Credential Compromised event<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D">Hello everyone!</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">I was unable to attend Tuesday’s meeting but wanted to provide some feedback, which I think might be too broad for a comment in the PR.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">For an Identity Provider, Credential Compromised is a really interesting event type, as it’s actionable and in my view fits within RISC’s scope. I see use cases where we can benefit from having
a standardized profile to represent and exchange those events, and it’s great that it’s being considered. However, I have some questions about how it’s currently represented and want to open them up for feedback:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l3 level1 lfo6">
I’m not completely sure that the definition of “credential” is clear from the event type definition proposed. The definition is that “the event signals that the identifier specified in the subject (an email) was found to be compromised” but we’re calling it
“Credential compromise”.<o:p></o:p></li><ul style="margin-top:0in" type="circle">
<li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l3 level2 lfo6">
Does “credential” in this context mean that the subject’s email account was compromised?<o:p></o:p></li><li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l3 level2 lfo6">
Or was the combination of the subject identifier (email) and a given authentication factor (e.g. a password) found compromised at some point?<o:p></o:p></li></ul>
</ol>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="color:#1F497D">I’ve seen a couple of cases where “compromised credential” might be interpreted as “compromised account”, and I’m not sure whether we should be clearer to avoid that. Along the same line, considering
expanding the event to other subject types triggers similar questions (e.g. what would be the credential related to a session found to be compromised? If thinking about device-level authn certificates, shouldn’t the certificate, rather than the device, be the subject of the
compromised credential?)</span><o:p></o:p></p>
<p class="MsoListParagraph"><span style="color:#1F497D"> </span><o:p></o:p></p>
<ol style="margin-top:0in" start="2" type="1">
<li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l3 level1 lfo6">
For the event to be actionable, I think it would be important to carry some meaning of timing.<o:p></o:p></li><ul style="margin-top:0in" type="circle">
<li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l3 level2 lfo6">
Does it make sense to include date of exposure? (e.g. when the subject’s record was published)<o:p></o:p></li><li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l3 level2 lfo6">
Does it make sense to include date of identification of the exposure? (e.g. when the transmitter identified the subject’s record)<o:p></o:p></li><li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l3 level2 lfo6">
Might make sense to incorporate something like “event_timestamp” as in CAEP events?<o:p></o:p></li></ul>
</ol>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Let me know, guys, if I’m going too far into the logic of transmitters/receivers.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Regards,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Martin.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Openid-specs-risc &lt;openid-specs-risc-bounces@lists.openid.net&gt;
<b>On Behalf Of </b>Stan Bounev via Openid-specs-risc<br>
<b>Sent:</b> Monday, May 3, 2021 8:55 PM<br>
<b>To:</b> Atul Tulshibagwale &lt;atultulshi@google.com&gt;; Openid-specs-risc &lt;openid-specs-risc@lists.openid.net&gt;<br>
<b>Subject:</b> [Openid-specs-risc] RISC spec, Credential Compromised event<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">Hi All,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">We have a Credential Compromised PR added to the RISC spec. I’d like to ask you for feedback ahead of our meeting tomorrow. Here is the link -
<a href="https://bitbucket.org/openid/risc/pull-requests/11">https://bitbucket.org/openid/risc/pull-requests/11</a><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Stan<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">-----------------------------------------<o:p></o:p></p>
<p class="MsoNormal"><b><span style="color:black">Stan Bounev</span></b><o:p></o:p></p>
<p class="MsoNormal"><span style="color:black">VeriClouds | </span><a href="https://www.vericlouds.com/" target="_blank"><span style="color:#044A91">https://www.vericlouds.com</span></a><o:p></o:p></p>
<p class="MsoNormal"><span style="color:black">1455 NW Leary Way Ste. 400, Seattle, WA 98107</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:black">Direct: </span><a href="tel:650-353-7269" target="_blank"><span style="color:#044A91">650-353-7269</span></a><span style="color:black"> | </span><a href="mailto:stanb@vericlouds.com" target="_blank" title="mailto:stanb@vericlouds.com"><span style="color:#044A91">stanb@vericlouds.com</span></a><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</body>
</html>