<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><![if !supportAnnotations]><style id="dynCom" type="text/css"><!-- --></style><script language="JavaScript"><!--
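// Shows the Word comment balloon `com_id` next to its anchor element `anchor_id`.
// Only active on IE 4+ (msoBrowserCheck), since it relies on the legacy
// document.all() lookup. Both ids are resolved to single elements; if either is
// missing or resolves to a collection (has a .length), nothing is changed.
// The balloon is placed to the left/above of the anchor when it would otherwise
// overflow the visible body, and then made visible.
function msoCommentShow(anchor_id, com_id)
{
        if(msoBrowserCheck())
                {
                // Declared locally: previously c and a leaked into the global scope.
                var c = document.all(com_id);
                var a = document.all(anchor_id);
                if (null != c && null == c.length && null != a && null == a.length)
                        {
                        var cw = c.offsetWidth;
                        var ch = c.offsetHeight;
                        var aw = a.offsetWidth;
                        var ah = a.offsetHeight;
                        var x  = a.offsetLeft;
                        var y  = a.offsetTop;
                        // Accumulate offsets up the offsetParent chain (BODY's own
                        // offset included) to get a page-absolute anchor position.
                        var el = a;
                        while (el.tagName != "BODY")
                                {
                                el = el.offsetParent;
                                // Detached anchor: stop rather than dereference null.
                                if (null == el) { break; }
                                x = x + el.offsetLeft;
                                y = y + el.offsetTop;
                                }
                        var bw = document.body.clientWidth;
                        var bh = document.body.clientHeight;
                        var bsl = document.body.scrollLeft;
                        var bst = document.body.scrollTop;
                        // Flip to the left of the anchor only if that keeps the
                        // balloon inside the scrolled viewport.
                        if (x + cw + ah / 2 > bw + bsl && x + aw - ah / 2 - cw >= bsl )
                                { c.style.left = x + aw - ah / 2 - cw; }
                        else
                                { c.style.left = x + ah / 2; }
                        // Same flip vertically.
                        if (y + ch + ah / 2 > bh + bst && y + ah / 2 - ch >= bst )
                                { c.style.top = y + ah / 2 - ch; }
                        else
                                { c.style.top = y + ah / 2; }
                        c.style.visibility = "visible";
                        }
                }
}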
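// Hides the Word comment balloon `com_id` (IE only, via msoBrowserCheck).
// The balloon is made invisible and parked off-screen at (-1000, -1000),
// matching the initial .msocomtxt rules. A missing id, or an id that resolves
// to a collection rather than one element, is ignored.
function msoCommentHide(com_id)
{
        if(msoBrowserCheck())
                {
                // Declared locally: previously c leaked into the global scope.
                var c = document.all(com_id);
                if (null != c && null == c.length)
                        {
                        c.style.visibility = "hidden";
                        c.style.left = -1000;
                        c.style.top = -1000;
                        }
                }
}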
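// Returns true when navigator.appVersion contains "MSIE" followed by a major
// version of 4 or more. Only the single character after "MSIE " is read, so a
// two-digit version string is not recognised as >= 4; that is the legacy Word
// behaviour and is left unchanged here.
function msoBrowserCheck()
{
        // Declared locally: previously ms, vers and ie4 leaked into the global scope.
        var ms = navigator.appVersion.indexOf("MSIE");
        var vers = navigator.appVersion.substring(ms + 5, ms + 6);
        // Explicit radix avoids legacy octal/implementation-defined parsing.
        var ie4 = (ms > 0) && (parseInt(vers, 10) >= 4);
        return ie4;
}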
// At load time on IE (msoBrowserCheck), populate the empty "dynCom" stylesheet
// with the rules that style Word comment anchors and balloons. Rules are added
// in the same order as listed; the IIFE keeps the helper names out of the
// global scope.
if (msoBrowserCheck())
{
        (function ()
                {
                var rules = [
                        [".msocomanchor", "background: infobackground"],
                        [".msocomoff",    "display: none"],
                        [".msocomtxt",    "visibility: hidden"],
                        [".msocomtxt",    "position: absolute"],
                        [".msocomtxt",    "top: -1000"],
                        [".msocomtxt",    "left: -1000"],
                        [".msocomtxt",    "width: 33%"],
                        [".msocomtxt",    "background: infobackground"],
                        [".msocomtxt",    "color: infotext"],
                        [".msocomtxt",    "border-top: 1pt solid threedlightshadow"],
                        [".msocomtxt",    "border-right: 2pt solid threedshadow"],
                        [".msocomtxt",    "border-bottom: 2pt solid threedshadow"],
                        [".msocomtxt",    "border-left: 1pt solid threedlightshadow"],
                        [".msocomtxt",    "padding: 3pt 3pt 3pt 3pt"],
                        [".msocomtxt",    "z-index: 100"]
                ];
                var sheet = document.styleSheets.dynCom;
                for (var i = 0; i < rules.length; i++)
                        {
                        sheet.addRule(rules[i][0], rules[i][1]);
                        }
                })();
}
// --></script><![endif]><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Aptos;
        panose-1:2 11 0 4 2 2 2 2 2 4;}
@font-face
        {font-family:"Times New Roman \(Body CS\)";
        panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:10.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Arial",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;
        mso-ligatures:none;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">Hi!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">CAEP and RISC are effectively just event dictionaries.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">SSF is not designed to communicate runtime state as part of an authentication flow. It is designed to be an async way to share signals between parties when changes occur. This
 could be "raw contextual signals", such as device compliance information or assurance level changes, or a more opinionated, policy driven signal like "session revoked".<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">In your example, the IdP and device management service can have an SSF relationship independent of active sessions, and share context between each other as needed.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">Hope that helps.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">tim<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Openid-specs-risc <openid-specs-risc-bounces@lists.openid.net> on behalf of Peter Bjork via Openid-specs-risc <openid-specs-risc@lists.openid.net><br>
<b>Date: </b>Monday, June 19, 2023 at 05:22<br>
<b>To: </b>openid-specs-risc@lists.openid.net <openid-specs-risc@lists.openid.net><br>
<b>Subject: </b>[Openid-specs-risc] Initial status check is not part of the OpenID SSF CAEP or RISC protocols<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-ligatures:standardcontextual">Hi all</span><span style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-ligatures:standardcontextual"> </span><span style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-ligatures:standardcontextual">I’ve not been very active in the OpenID SSF working group meetings, but I have stayed very close to OpenID SSF and followed its development. With that, I would like to propose
 a topic for discussion. </span><span style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-ligatures:standardcontextual"> </span><span style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#212121;mso-fareast-language:EN-GB">My understanding of the protocols (CAEP & RISC) is that they mostly focus on communicating changes that have happened. But what about the initial state check?
 E.g. a user requests access to a target without an access token, and the user is sent to an IdP. The IdP then performs user AuthN and checks whether the device is compliant before it issues an assertion. In this flow, for example when checking device compliance, would
 the IdP and device MGMT system use CAEP/RISC?</span><span style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#212121;mso-fareast-language:EN-GB">My understanding, so far, has been that this initial flow would use something (not CAEP/RISC), but if the IdP learned about a change in device compliance the IdP would
 then send a CAEP/RISC signal to the target.</span><span style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#212121;mso-fareast-language:EN-GB"> </span><span style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#212121;mso-fareast-language:EN-GB">Here’s a picture I hope visualizes the gap.</span><span style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:black;mso-fareast-language:EN-GB"><img width="936" height="266" style="width:9.75in;height:2.7708in" id="Picture_x0020_1" src="cid:image001.jpg@01D9A29F.4E3C1340" alt="A diagram of a target

Description automatically generated with medium confidence"></span><span style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-ligatures:standardcontextual"> </span><span style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-ligatures:standardcontextual">Obviously, this initial status check can be about anything, e.g. user risk level. In the above example, device compliance status is just one example.</span><span style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-ligatures:standardcontextual"> </span><span style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:11.0pt;color:black;mso-fareast-language:EN-GB">Peter Björk</span></b><span style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:black;mso-fareast-language:EN-GB">Product Manager, Workspace ONE Access</span><span style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-ligatures:standardcontextual"><a href="mailto:pbjork@vmware.com" title="mailto:pbjork@vmware.com"><span lang="EN-GB" style="color:#954F72;mso-ligatures:none;mso-fareast-language:EN-GB">pbjork@vmware.com</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:black;mso-fareast-language:EN-GB">Twitter: @thepeb</span><span style="font-size:11.0pt;mso-ligatures:standardcontextual"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-ligatures:standardcontextual"> <o:p></o:p></span></p>
</div>
</div>
</div>
</body>
</html>