<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body lang="JA" link="#467886" vlink="#96607D" style="word-wrap:break-word;text-justify-trim:punctuation">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hi<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Having spent some time reviewing the US Government</span>’<span lang="EN-US">s Cyber Safety Review Board</span>’<span lang="EN-US">s report on
</span>“<span lang="EN-US">Review of the Summer 2023 Microsoft Exchange Online Intrusion March 20, 2024</span>”<span lang="EN-US"> I believe SSF WG should discuss adding OAuth 2.0 DPoP to the CAEP Interoperability Profile.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The Report is published at CISA<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><a href="https://www.cisa.gov/resources-tools/resources/cyber-safety-review-board-releases-report-microsoft-online-exchange-incident-summer-2023">https://www.cisa.gov/resources-tools/resources/cyber-safety-review-board-releases-report-microsoft-online-exchange-incident-summer-2023</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The report specifically recommends that identity cloud service providers adopt and implement SSF and OAuth DPoP, and because it also recommends that FedRAMP review the current government procurement with respect to cybersecurity,
it is likely that our industry will start the development process now.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Here is the quote.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">2.1.4 DIGITAL IDENTITY STANDARDS AND GUIDANCE<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The Board finds that the current ecosystem of Digital Identity standards does not provide the security necessary to counter modern threat actors, and that some CSPs have not
sufficiently prioritized implementing emerging standards that improve the security of digital identity systems. This is both a current problem (the need to implement emerging standards) and a long-term need (upleveling the security bar of digital identity
standards). The Board recommends the following. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">RECOMMENDATION 11: CSPs should implement emerging standards such as Open Authorization (OAuth) 2 Demonstrating Proof-of-Possession (DPoP) (bound tokens) and OpenID Shared Signals and Events (SSE) (sharing session risk)
that better secure cloud services against credential related attacks. <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">RECOMMENDATION 12: Relevant standards bodies should refine and update these standards to account for a threat model of advanced nation-state attackers targeting core CSP identity systems.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">RECOMMENDATION 13: CSPs and relevant standards bodies, such as OpenID Foundation (OIDF), Organization for the Advancement of Structured Information Standards (OASIS), and The Internet Engineering Task Force (IETF), should
develop or update profiles for core digital identity standards such as OIDC and Security Assertion Markup Language (SAML) to include requirements and/or security considerations around key rotation, stateful credentials, credential linking, and key scope.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">OAuth 2.0 DPoP<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><a href="https://datatracker.ietf.org/doc/html/rfc9449">https://datatracker.ietf.org/doc/html/rfc9449</a><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Hope this helps.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Tom Sato<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">BoD<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">VeriClouds<o:p></o:p></span></p>
</div>
</body>
</html>