<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body>
<div dir="auto"><span style="font-family: -apple-system, HelveticaNeue; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; float: none; display: inline !important; color: rgb(33, 33, 33);">The
 versions without draft numbers, such as </span><a rel="noreferrer noopener" href="https://openid.net/specs/openid-sharedsignals-framework-1_0.html" data-linkindex="0" style="font-family: -apple-system, HelveticaNeue; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; color: rgb(0, 120, 212);">https://openid.net/specs/openid-sharedsignals-framework-1_0.html</a><span style="font-family: -apple-system, HelveticaNeue; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; float: none; display: inline !important; color: rgb(33, 33, 33);"> still
 need to be published.</span><br>
</div>
<div dir="auto"><span style="font-family: -apple-system, HelveticaNeue; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; float: none; display: inline !important; color: rgb(33, 33, 33);"><br>
</span></div>
<div dir="auto"><span style="font-family: -apple-system, HelveticaNeue; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; float: none; display: inline !important; color: rgb(33, 33, 33);">Please
 do not start the review until the published drafts are self-consistent.</span></div>
<div dir="auto"><span style="font-family: -apple-system, HelveticaNeue; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; float: none; display: inline !important; color: rgb(33, 33, 33);"><br>
</span></div>
<div dir="auto"><span style="font-family: -apple-system, HelveticaNeue; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; float: none; display: inline !important; color: rgb(33, 33, 33);">--
 Mike</span></div>
<div dir="auto"><span style="font-family: -apple-system, HelveticaNeue; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; float: none; display: inline !important; color: rgb(33, 33, 33);"><br>
</span></div>
<div><br>
</div>
<div id="ms-outlook-mobile-signature" dir="auto"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Openid-specs-risc &lt;openid-specs-risc-bounces@lists.openid.net&gt; on behalf of Atul Tulshibagwale via Openid-specs-risc &lt;openid-specs-risc@lists.openid.net&gt;<br>
<b>Sent:</b> Tuesday, June 18, 2024 11:25:43 AM<br>
<b>To:</b> OpenID RISC List &lt;openid-specs-risc@lists.openid.net&gt;<br>
<b>Subject:</b> [Openid-specs-risc] Update on new drafts, and call notes</font>
<div> </div>
</div>
<div>
<div dir="ltr">Hi all,<br>
<div>FYI, I have sent the new drafts to the OIDF secretary for starting the review period on three specs:</div>
<div>
<ul>
<li><a href="https://openid.net/specs/openid-sharedsignals-framework-1_0-03.html">Shared Signals Framework Draft 03</a></li>
<li><a href="https://openid.net/specs/openid-caep-1_0-04.html">CAEP Draft 04</a></li>
<li><a href="https://openid.net/specs/openid-caep-interoperability-profile-1_0-01.html">CAEP Interoperability Profile Draft 01</a></li></ul>
<div>We will be changing the call frequency back to biweekly, and the next call will be on July 2nd. I will ask Mike Leszcz to send out new invites to reflect this schedule.</div>
<div><br>
</div>
<div>The notes from today's call are below. They are also stored <a href="https://hackmd.io/@oidf-wg-sse/wg-meeting-20240618">here</a>.</div>
</div>
<div><br>
</div>
<div>Atul</div>
<div><br>
</div>
<div><span class="x_gmail_signature_prefix">--</span><br>
<div dir="ltr" class="x_gmail_signature">Atul Tulshibagwale<br>
CTO</div>
</div>
<div><br>
</div>
<div>---</div>
<div><br>
</div>
<div><b>WG Meeting: 2024-06-18</b><br>
<b>Agenda</b>
<ul>
<li>Risk score in Session Presented event</li>
<li>Call schedule</li>
<li>Blog draft feedback</li>
</ul>
<b>Attendees</b>
<ul>
<li>Sean O'Dell (Disney)</li>
<li>Shayne Miel (Cisco)</li>
<li>Atul Tulshibagwale (SGNL)</li>
<li>Nick Wooler (Cisco Webex)</li>
</ul>
<b>Notes</b><br>
<b>Risk Score</b>
<ul>
<li>(Sean) A risk indicator could be added to more events</li>
<li>It's a behavioral indicator, which could apply to a lot of things</li>
<li>This can map to something Shayne talked about, which is a "risk score changed" event</li>
<li>You could give the reason within the "Session Presented" event, but not the score itself</li>
<li>(Atul) I'm a bit concerned about a "confidence score" in general transmitter events</li>
<li>(Sean) It's not a confidence score</li>
<li>(Shayne) What is the value of putting it in the session presented event?</li>
<li>(Atul) Risk score is always associated with the session presence</li>
<li>(Shayne) That's not true - a risk score could change due to other activity, e.g. 3 other people got hacked, so this could also be hacked</li>
<li>(Shayne) You could send two events: "session presented" and "risk score changed", and tie them with the same txn value</li>
<li>(Sean) Thinking it through from a race condition: If the ITDR system is doing its job, then you should not see a "session presented" event, you should just be OK with a "risk score changed" event</li>
<li>(Atul) There are two independent vectors here. Unusual activity within an app, and unusual activity across different apps, where each individual app doesn't see anything unusual</li>
<li>(Sean) Now I think the risk score is needed in both places - "session presented" and "risk score changed"</li>
<li>(Atul) We could revisit whether to put one event in one SET, and add both those events in one SET</li>
<li>(Nick) Are there standard risk indicator levels like SAML?</li>
<li>(Atul) I had proposed 4 levels in the PR</li>
<li>(Sean) The "session presented" event has an interesting consequence: If I have a Fidelity account linked to the Schwab account, if the Fidelity service calls the Schwab service on behalf of a user, without user presence.</li>
<li>(Atul) That could be a separate event, because that represents a token compromise rather than the user doing something unusual</li>
<li>(Shayne)</li>
</ul>
<b>Biweekly schedule?</b>
<ul>
<li>(Atul) Should we meet biweekly going forward?</li>
<li>(Shayne and Sean) agree</li>
</ul>
<b>Blog draft feedback</b>
<ul>
<li>(Shayne) Should we update the draft? It's an important part of the security review</li>
<li>(Atul) OK by me</li>
<li>(Shayne) What is the proposed new language?</li>
<li>(Sean) The last line in the 3rd paragraph of Section 7 does say that right now</li>
<li>(Atul) 9110 covers bearer authentication in Section 11. The last sentence begins with "This authorization must …", which references that, therefore we are OK.</li>
</ul>
<b>Action Items</b>
<ul>
<li>Atul to fix the blog post action and send to Elizabeth</li>
<li>Atul to ask Mike to change the cadence of the meeting to biweekly, so the next meeting will be on July 2nd.</li>
</ul>
</div>
<div dir="ltr" class="x_gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr"><span><br>
</span></div>
</div>
</div>
</div>
</body>
</html>