SlideShare ist ein Scribd-Unternehmen logo
1 von 29
Downloaden Sie, um offline zu lesen
RISC Status Report
Marius Scurtescu, Adam Dawes
April 2, 2018
OpenID Foundation Workshop at Oracle
Overview
● Introduction
● IETF secevent Status
● RISC Specs
○ RISC Events
○ OAuth Events
○ RISC Profile
● Implementation Status
● Legal & Next Steps
● Q&A
Introduction
An exploit at one service often leads to
hacks elsewhere
● Attackers use account recovery mechanism to
gain access to other accounts
● As largest email provider, Gmail hacks are
especially valuable to gain access to other
Internet services
● Compromise results in privacy breach, financial
loss, data loss
How Apple and Amazon
Security Flaws Led to My
Epic Hacking
SSO doesn’t close the loop on user safety
Users can’t evict an attacker from a session bootstrapped with SSO
● There is no “password change” feature to kill sessions when using SSO
● How can we “kill passwords on the Internet” if SSO has weaknesses?
Single Sign Out Not Desirable
● Abrupt logouts for RP and IDP
● Lots of chattery state checks which don’t scale for IDP
The solution...
Sharing important security events
across providers
Risk and Incident Sharing and Coordination WG
How is information shared with others?
RISC signals are sent only to the
apps the user is using
How do we know the user’s apps?
Explicit relationship
via OAuth
Implicit relationship
registered via API
Request RISC for
alice@gmail.com
Contract
Required
For any app For any major app where
users benefit
IETF
secevent
Status
Security Event Token
"...defines the Security Event Token (SET) data structure. A SET describes a
statement of fact from the perspective of an issuer about the state of a security
subject, which is intended to be shared with one or more recipients."
● https://tools.ietf.org/html/draft-ietf-secevent-token
● several minor changes
● last call, under review
● no (major) open issues
Delivery
"...defines how a series of security event tokens (SETs) may be delivered to a
previously registered receiver using HTTP POST over TLS initiated as a push to the
receiver, or as a poll by the receiver."
● https://tools.ietf.org/html/draft-ietf-secevent-delivery
● several minor changes
● working group approved splitting into two drafts: push and poll
Management API
"...defines an HTTP API for a basic control plane that event transmitters can
implement and event receivers may use to manage the flow of events from one to
the other."
● moved into RISC Profile
Subject Identifiers
"...defines a structure called a Subject Identifier: a JSON object containing a set of
claims that collectively uniquely identify a subject, according to a simple schema
called a Subject Identifier Type."
● currently part of RISC Profile
● to be extracted as standalone draft and moved to IETF secevent
RISC Specs
RISC Specs
● OIDF bitbucket: https://bitbucket.org/openid/risc/
● three specs:
○ RISC profile of IETF Security Events (risc-secevent)
○ RISC Event Types (risc-event-types)
○ OAuth Event Types (oauth-event-types)
RISC Events
● account-credential-change-required
● account-purged (was -deleted)
● account-disabled
○ attribute: reason (hijacking, bulk_account)
● account-enabled
● identifier-changed
○ attribute: new-value
● identifier-recycled
● recovery-activated
● recovery-information-changed
● sessions-revoked
● opt-in
● opt-out-initiated
● opt-out-cancelled
● opt-out-effective
Base URI: http://schemas.openid.net/secevent/risc/event-type/
OAuth Events
Base URI: http://schemas.openid.net/secevent/oauth/event-type/
● token-revoked
● tokens-revoked
● client-disabled
● client-enabled
● client-credential-changed
RISC Profile: Subject Identifiers
● to be extracted as an IETF secevent draft
{
"iss": "https://idp.example.com/",
"jti": "756E69717565206964656E746966696572",
"iat": 1520364019,
"aud": "636C69656E745F6964",
"events": {
"http://schemas.openid.net/secevent/risc/event-type/account-enabled": {
"subject": {
"subject_type": "iss-sub",
"iss": "https://issuer.example.com/",
"sub": "abc1234",
}
}
}
}
RISC Profile: Transmitter Discovery
/.well-known/risc-configuration
{
"issuer": "https://tr.example.com",
"jwks_uri": "https://tr.example.com/jwks.json",
"delivery_methods_supported": [
"http://schemas.openid.net/secevent/risc/delivery-method/push",
"http://schemas.openid.net/secevent/risc/delivery-method/poll"],
"configuration_endpoint": "https://tr.example.com/risc/mgmt/stream",
"status_endpoint": "https://tr.example.com/risc/mgmt/status",
"add_subject_endpoint": "https://tr.example.com/risc/mgmt/subject:add",
"remove_subject_endpoint": "https://tr.example.com/risc/mgmt/subject:remove",
"verification_endpoint": "https://tr.example.com/risc/mgmt/verification",
}
RISC Profile: Management API
● Stream Config (Get/Create/Update)
● Stream Status
● Add Subject
● Remove Subject
● Verification
○ Verification Event
RISC Profile: Authorization
● generic authorization recommendation
● not OAuth 2 or OIDC specific
RISC Profile: secevent profiling
● SET Profile
○ signature key resolution
○ subject at event level
○ explicit typing
○ 'exp' and 'aud' clarifications
○ single event, aliases OK
● Distribution Profile
○ configuration meta
● Security Considerations
Implementation
Status
Implementations (no changes)
● Google
○ Live: transmitter with explicit use case
○ implicit use case: in progress
● Amazon
○ in progress
● PayPal
○ in progress
Legal &
Next Steps
Legal Agreements
● Google drafted initial bi-lateral agreement and shared with number of parties
● 10 companies got together in January to agree on generalized “open source”
agreement based on Google’s initial draft.
● Google and Amazon working together to revise draft and contribute it to RISC
WG for further input by other companies
● Goal is to provide standardized contract that can be executed bi-laterally
across different parties.
Next Steps
● April 5: Face-to-Face at Google, Mountain View
● April 20: Face-to-Face at TBD, Seattle area
● April: NO official launch at RSA Conference 2018
● July: IETF 102 Montreal
Q&A

Weitere ähnliche Inhalte

Was ist angesagt?

OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Certification Program U...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Certification Program U...OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Certification Program U...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Certification Program U...OpenIDFoundation
 
OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- OpenID Cer...
OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- OpenID Cer...OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- OpenID Cer...
OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- OpenID Cer...OpenIDFoundation
 
OpenID Foundation Workshop at EIC 2018 - Mobile Driver's License Presentantion
OpenID Foundation Workshop at EIC 2018 - Mobile Driver's License PresentantionOpenID Foundation Workshop at EIC 2018 - Mobile Driver's License Presentantion
OpenID Foundation Workshop at EIC 2018 - Mobile Driver's License PresentantionMikeLeszcz
 
OpenID Foundation Connect Working Group Update - October 22, 2018
OpenID Foundation Connect Working Group Update - October 22, 2018OpenID Foundation Connect Working Group Update - October 22, 2018
OpenID Foundation Connect Working Group Update - October 22, 2018OpenIDFoundation
 
OpenID Foundation Workshop at EIC 2018 - OpenID Connect Working Group Update
OpenID Foundation Workshop at EIC 2018 - OpenID Connect Working Group UpdateOpenID Foundation Workshop at EIC 2018 - OpenID Connect Working Group Update
OpenID Foundation Workshop at EIC 2018 - OpenID Connect Working Group UpdateMikeLeszcz
 
OpenID Certification Program Update - 2017-10-16
OpenID Certification Program Update - 2017-10-16OpenID Certification Program Update - 2017-10-16
OpenID Certification Program Update - 2017-10-16MikeLeszcz
 
OpenID Certification Program Update - 2018-04-02
OpenID Certification Program Update - 2018-04-02OpenID Certification Program Update - 2018-04-02
OpenID Certification Program Update - 2018-04-02MikeLeszcz
 
OpenID Foundation FastFed Working Group Update - 2017-10-16
OpenID Foundation FastFed Working Group Update - 2017-10-16OpenID Foundation FastFed Working Group Update - 2017-10-16
OpenID Foundation FastFed Working Group Update - 2017-10-16MikeLeszcz
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Working Group U...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Working Group U...OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Working Group U...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Working Group U...OpenIDFoundation
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...OpenIDFoundation
 
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation OverviewOpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation OverviewMikeLeszcz
 
OpenID Foundation Workshop at EIC 2018 - MODRNA Working Group Update
OpenID Foundation Workshop at EIC 2018 - MODRNA Working Group UpdateOpenID Foundation Workshop at EIC 2018 - MODRNA Working Group Update
OpenID Foundation Workshop at EIC 2018 - MODRNA Working Group UpdateMikeLeszcz
 
OpenID Foundation iGov Working Group Update - October 22, 2018
OpenID Foundation iGov Working Group Update - October 22, 2018OpenID Foundation iGov Working Group Update - October 22, 2018
OpenID Foundation iGov Working Group Update - October 22, 2018OpenIDFoundation
 
OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- FAPI Certi...
OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- FAPI Certi...OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- FAPI Certi...
OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- FAPI Certi...OpenIDFoundation
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native EraWSO2
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyAdar Weidman
 
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...MikeLeszcz
 
Enterprise Single Sign On
Enterprise Single Sign On Enterprise Single Sign On
Enterprise Single Sign On WSO2
 

Was ist angesagt? (20)

OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Certification Program U...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Certification Program U...OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Certification Program U...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Certification Program U...
 
OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- OpenID Cer...
OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- OpenID Cer...OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- OpenID Cer...
OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- OpenID Cer...
 
OpenID Foundation Workshop at EIC 2018 - Mobile Driver's License Presentantion
OpenID Foundation Workshop at EIC 2018 - Mobile Driver's License PresentantionOpenID Foundation Workshop at EIC 2018 - Mobile Driver's License Presentantion
OpenID Foundation Workshop at EIC 2018 - Mobile Driver's License Presentantion
 
OpenID Foundation Connect Working Group Update - October 22, 2018
OpenID Foundation Connect Working Group Update - October 22, 2018OpenID Foundation Connect Working Group Update - October 22, 2018
OpenID Foundation Connect Working Group Update - October 22, 2018
 
OpenID Foundation Workshop at EIC 2018 - OpenID Connect Working Group Update
OpenID Foundation Workshop at EIC 2018 - OpenID Connect Working Group UpdateOpenID Foundation Workshop at EIC 2018 - OpenID Connect Working Group Update
OpenID Foundation Workshop at EIC 2018 - OpenID Connect Working Group Update
 
OpenID Certification Program Update - 2017-10-16
OpenID Certification Program Update - 2017-10-16OpenID Certification Program Update - 2017-10-16
OpenID Certification Program Update - 2017-10-16
 
OpenID Certification Program Update - 2018-04-02
OpenID Certification Program Update - 2018-04-02OpenID Certification Program Update - 2018-04-02
OpenID Certification Program Update - 2018-04-02
 
OpenID Foundation FastFed Working Group Update - 2017-10-16
OpenID Foundation FastFed Working Group Update - 2017-10-16OpenID Foundation FastFed Working Group Update - 2017-10-16
OpenID Foundation FastFed Working Group Update - 2017-10-16
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Working Group U...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Working Group U...OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Working Group U...
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Working Group U...
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...
OIDF Workshop at Verizon Media -- 9/30/2019 -- Browser Changes Impacting Iden...
 
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation OverviewOpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
OpenID Foundation/Open Banking Workshop - OpenID Foundation Overview
 
OpenID Foundation Workshop at EIC 2018 - MODRNA Working Group Update
OpenID Foundation Workshop at EIC 2018 - MODRNA Working Group UpdateOpenID Foundation Workshop at EIC 2018 - MODRNA Working Group Update
OpenID Foundation Workshop at EIC 2018 - MODRNA Working Group Update
 
OpenID Foundation iGov Working Group Update - October 22, 2018
OpenID Foundation iGov Working Group Update - October 22, 2018OpenID Foundation iGov Working Group Update - October 22, 2018
OpenID Foundation iGov Working Group Update - October 22, 2018
 
OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- FAPI Certi...
OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- FAPI Certi...OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- FAPI Certi...
OIDF Workshop at European Identity Conference 2019 -- 5/14/2019 -- FAPI Certi...
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
 
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...
OpenID Foundation's Risk Incident and Sharing Communication (RISC) Work Group...
 
Enterprise Single Sign On
Enterprise Single Sign On Enterprise Single Sign On
Enterprise Single Sign On
 

Ähnlich wie OpenID Foundation RISC WG Update - 2018-04-02

Big Data Security Analytic Solution using Splunk
Big Data Security Analytic Solution using SplunkBig Data Security Analytic Solution using Splunk
Big Data Security Analytic Solution using SplunkIJERA Editor
 
Security Best Practices for Your Ignition System
Security Best Practices for Your Ignition SystemSecurity Best Practices for Your Ignition System
Security Best Practices for Your Ignition SystemInductive Automation
 
25 Million Flows Later – Large-scale Detection of DOM-based XSS
25 Million Flows Later – Large-scale Detection of DOM-based XSS25 Million Flows Later – Large-scale Detection of DOM-based XSS
25 Million Flows Later – Large-scale Detection of DOM-based XSSBen Stock
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
IoT Agents (With Lightweight M2M)
IoT Agents (With Lightweight M2M)IoT Agents (With Lightweight M2M)
IoT Agents (With Lightweight M2M)dmoranj
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStackSteve Martinelli
 
OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101Steve Martinelli
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesErick Belluci Tedeschi
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...iMasters
 
Interoperability and APIs in OpenStack
Interoperability and APIs in OpenStackInteroperability and APIs in OpenStack
Interoperability and APIs in OpenStackpiyush_harsh
 
The case for a unified way of speaking to things
The case for a unified way of speaking to thingsThe case for a unified way of speaking to things
The case for a unified way of speaking to thingsRed Hat
 
Sumo Logic Cert Jam - Security Analytics
Sumo Logic Cert Jam - Security AnalyticsSumo Logic Cert Jam - Security Analytics
Sumo Logic Cert Jam - Security AnalyticsSumo Logic
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)Torsten Lodderstedt
 

Ähnlich wie OpenID Foundation RISC WG Update - 2018-04-02 (20)

Big Data Security Analytic Solution using Splunk
Big Data Security Analytic Solution using SplunkBig Data Security Analytic Solution using Splunk
Big Data Security Analytic Solution using Splunk
 
Security Best Practices for Your Ignition System
Security Best Practices for Your Ignition SystemSecurity Best Practices for Your Ignition System
Security Best Practices for Your Ignition System
 
25 Million Flows Later – Large-scale Detection of DOM-based XSS
25 Million Flows Later – Large-scale Detection of DOM-based XSS25 Million Flows Later – Large-scale Detection of DOM-based XSS
25 Million Flows Later – Large-scale Detection of DOM-based XSS
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
 
IoT Agents (With Lightweight M2M)
IoT Agents (With Lightweight M2M)IoT Agents (With Lightweight M2M)
IoT Agents (With Lightweight M2M)
 
The Perimeter Is Dead
The Perimeter Is DeadThe Perimeter Is Dead
The Perimeter Is Dead
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
 
Building IAM for OpenStack
Building IAM for OpenStackBuilding IAM for OpenStack
Building IAM for OpenStack
 
OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101OpenStack Toronto Meetup - Keystone 101
OpenStack Toronto Meetup - Keystone 101
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
Interoperability and APIs in OpenStack
Interoperability and APIs in OpenStackInteroperability and APIs in OpenStack
Interoperability and APIs in OpenStack
 
The case for a unified way of speaking to things
The case for a unified way of speaking to thingsThe case for a unified way of speaking to things
The case for a unified way of speaking to things
 
Sumo Logic Cert Jam - Security Analytics
Sumo Logic Cert Jam - Security AnalyticsSumo Logic Cert Jam - Security Analytics
Sumo Logic Cert Jam - Security Analytics
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
 
AWS IoT Deep Dive
AWS IoT Deep DiveAWS IoT Deep Dive
AWS IoT Deep Dive
 
OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)OpenID 4 Verifiable Credentials + HAIP (Update)
OpenID 4 Verifiable Credentials + HAIP (Update)
 

Kürzlich hochgeladen

Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...SUHANI PANDEY
 
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...SUHANI PANDEY
 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...tanu pandey
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...SUHANI PANDEY
 
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...SUHANI PANDEY
 
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceReal Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceEscorts Call Girls
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated  Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated  Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...roncy bisnoi
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi
 
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men  🔝mehsana🔝   Escorts...➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men  🔝mehsana🔝   Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...nirzagarg
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...singhpriety023
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...SUHANI PANDEY
 

Kürzlich hochgeladen (20)

6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
 
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
Wagholi & High Class Call Girls Pune Neha 8005736733 | 100% Gennuine High Cla...
 
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
Low Sexy Call Girls In Mohali 9053900678 🥵Have Save And Good Place 🥵
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
Pirangut | Call Girls Pune Phone No 8005736733 Elite Escort Service Available...
 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298  )#  Call Girls in DubaiRussian Call Girls in %(+971524965298  )#  Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...Russian Call Girls Pune  (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
Russian Call Girls Pune (Adult Only) 8005736733 Escort Service 24x7 Cash Pay...
 
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Himatnagar 7001035870 Whatsapp Number, 24/07 Booking
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
 
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceReal Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated  Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated  Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
Call Girls Sangvi Call Me 7737669865 Budget Friendly No Advance BookingCall G...
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men  🔝mehsana🔝   Escorts...➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men  🔝mehsana🔝   Escorts...
➥🔝 7737669865 🔝▻ mehsana Call-girls in Women Seeking Men 🔝mehsana🔝 Escorts...
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting  High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
VIP Model Call Girls NIBM ( Pune ) Call ON 8005736733 Starting From 5K to 25K...
 

OpenID Foundation RISC WG Update - 2018-04-02

  • 1. RISC Status Report Marius Scurtescu, Adam Dawes April 2, 2018 OpenID Foundation Workshop at Oracle
  • 2. Overview ● Introduction ● IETF secevent Status ● RISC Specs ○ RISC Events ○ OAuth Events ○ RISC Profile ● Implementation Status ● Legal & Next Steps ● Q&A
  • 4. An exploit at one service often leads to hacks elsewhere ● Attackers use account recovery mechanism to gain access to other accounts ● As largest email provider, Gmail hacks are especially valuable to gain access to other Internet services ● Compromise results in privacy breach, financial loss, data loss How Apple and Amazon Security Flaws Led to My Epic Hacking
  • 5. SSO doesn’t close the loop on user safety Users can’t evict an attacker from a session bootstrapped with SSO ● There is no “password change” feature to kill sessions when using SSO ● How can we “kill passwords on the Internet” if SSO has weaknesses? Single Sign Out Not Desirable ● Abrupt logouts for RP and IDP ● Lots of chattery state checks which don’t scale for IDP
  • 7. Sharing important security events across providers Risk and Incident Sharing and Coordination WG
  • 8. How is information shared with others? RISC signals are sent only to the apps the user is using
  • 9. How do we know the user’s apps? Explicit relationship via OAuth Implicit relationship registered via API Request RISC for alice@gmail.com Contract Required For any app For any major app where users benefit
  • 11. Security Event Token "...defines the Security Event Token (SET) data structure. A SET describes a statement of fact from the perspective of an issuer about the state of a security subject, which is intended to be shared with one or more recipients." ● https://tools.ietf.org/html/draft-ietf-secevent-token ● several minor changes ● last call, under review ● no (major) open issues
  • 12. Delivery "...defines how a series of security event tokens (SETs) may be delivered to a previously registered receiver using HTTP POST over TLS initiated as a push to the receiver, or as a poll by the receiver." ● https://tools.ietf.org/html/draft-ietf-secevent-delivery ● several minor changes ● working group approved splitting into two drafts: push and poll
  • 13. Management API "...defines an HTTP API for a basic control plane that event transmitters can implement and event receivers may use to manage the flow of events from one to the other." ● moved into RISC Profile
  • 14. Subject Identifiers "...defines a structure called a Subject Identifier: a JSON object containing a set of claims that collectively uniquely identify a subject, according to a simple schema called a Subject Identifier Type." ● currently part of RISC Profile ● to be extracted as standalone draft and moved to IETF secevent
  • 16. RISC Specs ● OIDF bitbucket: https://bitbucket.org/openid/risc/ ● three specs: ○ RISC profile of IETF Security Events (risc-secevent) ○ RISC Event Types (risc-event-types) ○ OAuth Event Types (oauth-event-types)
  • 17. RISC Events ● account-credential-change-required ● account-purged (was -deleted) ● account-disabled ○ attribute: reason (hijacking, bulk_account) ● account-enabled ● identifier-changed ○ attribute: new-value ● identifier-recycled ● recovery-activated ● recovery-information-changed ● sessions-revoked ● opt-in ● opt-out-initiated ● opt-out-cancelled ● opt-out-effective Base URI: http://schemas.openid.net/secevent/risc/event-type/
  • 18. OAuth Events Base URI: http://schemas.openid.net/secevent/oauth/event-type/ ● token-revoked ● tokens-revoked ● client-disabled ● client-enabled ● client-credential-changed
  • 19. RISC Profile: Subject Identifiers ● to be extracted as an IETF secevent draft { "iss": "https://idp.example.com/", "jti": "756E69717565206964656E746966696572", "iat": 1520364019, "aud": "636C69656E745F6964", "events": { "http://schemas.openid.net/secevent/risc/event-type/account-enabled": { "subject": { "subject_type": "iss-sub", "iss": "https://issuer.example.com/", "sub": "abc1234", } } } }
  • 20. RISC Profile: Transmitter Discovery /.well-known/risc-configuration { "issuer": "https://tr.example.com", "jwks_uri": "https://tr.example.com/jwks.json", "delivery_methods_supported": [ "http://schemas.openid.net/secevent/risc/delivery-method/push", "http://schemas.openid.net/secevent/risc/delivery-method/poll"], "configuration_endpoint": "https://tr.example.com/risc/mgmt/stream", "status_endpoint": "https://tr.example.com/risc/mgmt/status", "add_subject_endpoint": "https://tr.example.com/risc/mgmt/subject:add", "remove_subject_endpoint": "https://tr.example.com/risc/mgmt/subject:remove", "verification_endpoint": "https://tr.example.com/risc/mgmt/verification", }
  • 21. RISC Profile: Management API ● Stream Config (Get/Create/Update) ● Stream Status ● Add Subject ● Remove Subject ● Verification ○ Verification Event
  • 22. RISC Profile: Authorization ● generic authorization recommendation ● not OAuth 2 or OIDC specific
  • 23. RISC Profile: secevent profiling ● SET Profile ○ signature key resolution ○ subject at event level ○ explicit typing ○ 'exp' and 'aud' clarifications ○ single event, aliases OK ● Distribution Profile ○ configuration meta ● Security Considerations
  • 25. Implementations (no changes) ● Google ○ Live: transmitter with explicit use case ○ implicit use case: in progress ● Amazon ○ in progress ● PayPal ○ in progress
  • 27. Legal Agreements ● Google drafted initial bi-lateral agreement and shared with number of parties ● 10 companies got together in January to agree on generalized “open source” agreement based on Google’s initial draft. ● Google and Amazon working together to revise draft and contribute it to RISC WG for further input by other companies ● Goal is to provide standardized contract that can be executed bi-laterally across different parties.
  • 28. Next Steps ● April 5: Face-to-Face at Google, Mountain View ● April 20: Face-to-Face at TBD, Seattle area ● April: NO official launch at RSA Conference 2018 ● July: IETF 102 Montreal
  • 29. Q&A