<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
h1
{mso-style-priority:9;
mso-style-link:"Heading 1 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:24.0pt;
font-family:"Calibri",sans-serif;}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:18.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.Heading1Char
{mso-style-name:"Heading 1 Char";
mso-style-priority:9;
mso-style-link:"Heading 1";
font-family:"Calibri Light",sans-serif;
color:#2F5496;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Calibri Light",sans-serif;
color:#2F5496;}
span.EmailStyle22
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:118647689;
mso-list-template-ids:1976873754;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:533006517;
mso-list-type:hybrid;
mso-list-template-ids:-1835898736 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2
{mso-list-id:1321614160;
mso-list-template-ids:1915525328;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3
{mso-list-id:1709791902;
mso-list-template-ids:755499776;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hello everyone,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I left some specific comments and suggestions in the shared document, but wanted to share more general feedback regarding this discussion, a very good and important one in my opinion.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l1 level1 lfo1">
Besides the challenges and problems mentioned in the document, I think it’s important to consider the availability, quality and primarily trustworthiness of the data to be shared. The following are some recent papers/reports that illustrate some of this challenges:
[1] [2].<o:p></o:p></li><ul style="margin-top:0in" type="circle">
<li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l1 level2 lfo1">
What are the right incentives for sharing identity-related threat information, and how to apply those across the ecosystem? How to establish trust between parties? What are the privacy, security and adversary considerations that need to be taken care of? What
are the mechanism to classify the data, and honor/enforce that classification?<o:p></o:p></li></ul>
<li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l1 level1 lfo1">
One of the more important items I guess would be to define at what level do we think SSE can have a play when it comes to share data.<o:p></o:p></li><ul style="margin-top:0in" type="circle">
<li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l1 level2 lfo1">
Do we want to use SSE to exchange <i>Threat Information</i> or machine-readable <i>
Threat Intelligence</i>? Do we want to use SSE to exchange events and signals, or other type of information as well?<o:p></o:p></li></ul>
<li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l1 level1 lfo1">
I’d guess that following that, we’ll need to identify and expand on a couple of use cases that we think are of interest, and where using SSE might make more sense to apply than the current standards.<o:p></o:p></li><ul style="margin-top:0in" type="circle">
<li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l1 level2 lfo1">
What’s the added value? What can be done with SSE that’s currently not possible or less efficient/convenient/effective with other standards?<o:p></o:p></li></ul>
<li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l1 level1 lfo1">
I made a first try at adding some potential reasons not to propose the use of SSE, as discussed during the meeting.<o:p></o:p></li><li class="MsoListParagraph" style="color:#1F497D;margin-left:0in;mso-list:l1 level1 lfo1">
The cybersecurity space already has a couple of well-established standards for exchanging threat information and threat intelligence. Some of those are STIX and TAXII, OpenOIC, etc. I’ve added a brief overview matrix of some of the main standards/specs currently
in use for sharing threat information, feel free to add any missing one or any feedback.<o:p></o:p></li></ul>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">An interesting thought exercise might be exploring a very simple “threat event”, breaking it down on the different steps/phases and trying to identify the information that can be potentially exchanged. I’m just
making up an example that can be find attached, happy to move it to another format or as a new section in the shared document if you prefer.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Where do you see SSE potentially contributing?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Bests,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Martín.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">[1] <a href="https://blog.pulsedive.com/cti-networking-report/">
Is Sharing Caring? A report on current cyber threat intelligence networking practices, results, and attitudes</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">[2] <a href="https://www.usenix.org/conference/usenixsecurity22/presentation/bouwman">
Helping hands: Measuring the impact of a large threat intelligence sharing community</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Openid-specs-risc <openid-specs-risc-bounces@lists.openid.net>
<b>On Behalf Of </b>Atul Tulshibagwale via Openid-specs-risc<br>
<b>Sent:</b> Tuesday, March 15, 2022 3:14 PM<br>
<b>To:</b> Openid-specs-risc <openid-specs-risc@lists.openid.net><br>
<b>Subject:</b> [Openid-specs-risc] Call notes<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hi all,<o:p></o:p></p>
<div>
<p class="MsoNormal">Here are the notes of the out-of-turn WG meeting that focused on exploring whether it makes sense for the SSE Framework to be used in cybersecurity applications. The notes are also stored
<a href="https://github.com/openid/sse/wiki/WG_Meeting-2022-03-15">here</a>.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<h1 style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in">
<span style="font-family:"Segoe UI",sans-serif;color:#24292F">Out-of-turn meeting for Cybersecurity applications<o:p></o:p></span></h1>
<h2 style="mso-margin-top-alt:.25in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;box-sizing:border-box">
<span style="font-family:"Segoe UI",sans-serif;color:#24292F">Attendees<o:p></o:p></span></h2>
<ul type="disc">
<li class="MsoNormal" style="color:#24292F;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Atul Tulshibagwale (SGNL)<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Stefan Duernberger (Cisco)<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Jason Garbis (Appgate)<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Tim Cappalli (Microsoft)<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Nancy Cam Winget (Cisco)<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Martin Gallo (SecureAuth)<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Tom Sato (VeriClouds)<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Lee Tschetter (Okta)<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo2;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Gail Hodges (OpenID Foundation)<o:p></o:p></span></li></ul>
<h2 style="mso-margin-top-alt:.25in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;box-sizing:border-box">
<span style="font-family:"Segoe UI",sans-serif;color:#24292F">Agenda<o:p></o:p></span></h2>
<ul type="disc">
<li class="MsoNormal" style="color:#24292F;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo3;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Review </span><a href="https://docs.google.com/document/d/1tmMqiXNB-lW9HXIzrivOvaFSts23zAzKLWPcSD740kE/edit?usp=sharing"><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Sharing
Cybersecurity Signals</span></a><span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif"> doc<o:p></o:p></span></li></ul>
<h2 style="mso-margin-top-alt:.25in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;box-sizing:border-box">
<span style="font-family:"Segoe UI",sans-serif;color:#24292F">Notes<o:p></o:p></span></h2>
<ul type="disc">
<li class="MsoNormal" style="color:#24292F;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo4;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Wasn't SSE always meant to be for Cybersecurity? What is specifically being proposed here? Is it an effort to broaden the scope of SSE? Is this a means of sharing intelligence? Perhaps before
getting into the details, we should discuss the goals. There are a lot of efforts in terms of trying to share data, so how is this different?<o:p></o:p></span></li></ul>
<ul type="disc">
<ul type="circle">
<li class="MsoNormal" style="color:#24292F;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo4;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">There could be more applications of the SSE Framework than offered by CAEP and RISC, so there could be other types of "profiles"<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo4;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Some text in the doc highlights that there is the SSE Framework, which could be used in different ways<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo4;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Cybersecurity is a very broad area<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo4;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">We are trying to bridge existing efforts in the IETF<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo4;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Alternative take: Can SSE do this? Yes. But should we? For example, Subject Identifiers are in the core SSE spec, and we end up "blowing up" the core spec<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo4;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">It could be much much deeper than just adding a profile<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo4;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">Since we are still struggling to get adoption, so we should not distract from that<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo4;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">A value that SSE provides is that it is a standard for sharing signals, but specific to account, identity and session information<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo4;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">The specific identity-centric use cases of SSE is appealing to some companies (such as SecureAuth)<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo4;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">If we broaden the scope too much, we might lose the value that SSE brings to tackling the specific identity / account / session problems.<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l3 level2 lfo4;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">We should make sure we do not put too broad requirements on the SSE Framework in order to support new applications such as cybersecurity<o:p></o:p></span></li></ul>
</ul>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo4;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">We should add a section that gives reason why we should not do this<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo4;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">If we can arrive at a structural role that is not fulfilled today, only then we should proceed<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo4;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">We should address the question: "Why is SSE special?" and only then move forward<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo4;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">The biggest contribution that the SSE WG can do is bring the RISC draft into the OpenID foundation<o:p></o:p></span></li><li class="MsoNormal" style="color:#24292F;margin-top:3.0pt;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo4;box-sizing:border-box">
<span style="font-size:12.0pt;font-family:"Segoe UI",sans-serif">We should try to arrive at a matrix that differentiates SSE and existing efforts (e.g. TAXII)<o:p></o:p></span></li></ul>
</div>
<div style="margin-top:24.0pt;box-sizing:border-box" id="gmail-wiki-footer">
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"Segoe UI",sans-serif"><o:p> </o:p></span></p>
</div>
</div>
</div>
</div>
</body>
</html>