4. An exploit at one service often leads to hacks elsewhere
● Attackers use account recovery mechanisms (e.g. password resets sent to a recovery email address) to gain access to other accounts
● Because Gmail is the largest email provider, a compromised Gmail account is especially valuable for gaining access to other Internet services
● Compromise results in privacy breach, financial loss, data loss
“How Apple and Amazon Security Flaws Led to My Epic Hacking” (Wired, 2012)
5. SSO doesn’t close the loop on user safety
Users can’t evict an attacker from a session bootstrapped with SSO
● There is no “password change” feature to kill sessions when the user signed in with SSO
● How can we “kill passwords on the Internet” if SSO has weaknesses?
Single Sign-Out is not desirable
● Abrupt logouts for RP and IDP
● Lots of chatty state checks, which don’t scale for the IDP
8. How is information shared with others?
RISC signals are sent only to the apps the user is using
9. How do we know the user’s apps? (an app requests RISC for alice@gmail.com)
● Explicit relationship, established via OAuth: for any app
● Implicit relationship, registered via API: contract required; for any major app where users benefit
11. Security Event Token
"...defines the Security Event Token (SET) data structure. A SET describes a statement of fact from the perspective of an issuer about the state of a security subject, which is intended to be shared with one or more recipients."
● https://tools.ietf.org/html/draft-ietf-secevent-token
● several minor changes
● last call, under review
● no (major) open issues
12. Delivery
"...defines how a series of security event tokens (SETs) may be delivered to a previously registered receiver using HTTP POST over TLS initiated as a push to the receiver, or as a poll by the receiver."
● https://tools.ietf.org/html/draft-ietf-secevent-delivery
● several minor changes
● working group approved splitting into two drafts: push and poll
13. Management API
"...defines an HTTP API for a basic control plane that event transmitters can implement and event receivers may use to manage the flow of events from one to the other."
● moved into RISC Profile
14. Subject Identifiers
"...defines a structure called a Subject Identifier: a JSON object containing a set of claims that collectively uniquely identify a subject, according to a simple schema called a Subject Identifier Type."
● currently part of RISC Profile
● to be extracted as standalone draft and moved to IETF secevent
25. Implementations (no changes)
● Google
○ Live: transmitter with explicit use case
○ implicit use case: in progress
● Amazon
○ in progress
● PayPal
○ in progress
27. Legal Agreements
● Google drafted an initial bi-lateral agreement and shared it with a number of parties
● 10 companies got together in January to agree on a generalized “open source” agreement based on Google’s initial draft
● Google and Amazon are working together to revise the draft and contribute it to the RISC WG for further input by other companies
● Goal is to provide a standardized contract that can be executed bi-laterally across different parties
28. Next Steps
● April 5: Face-to-Face at Google, Mountain View
● April 20: Face-to-Face at TBD, Seattle area
● April: NO official launch at RSA Conference 2018
● July: IETF 102 Montreal