# WG Meeting: 2022-05-31
## Agenda
- Intros and Reintros
- Updates from recent events (IIW, EIC)
- Credential Compromise & sharing deleted passwords by IDPs (Tom Sato VeriClouds)
- Status of drafts
## Attendees
- Tim Cappalli (Microsoft Identity, co-chair)
- Tom Sato (VeriClouds)
- Topher Marie (Strata Identity)
- Martin Gallo (SecureAuth)
- Stan Bounev (VeriClouds)
- Andrii Deinega (GlobalLogic)
- Nancy Cam-Winget (Cisco)
## Notes
### Intros
- Topher Marie, CTO at Strata Identity, interested in CAEP
### Updates from recent events (IIW, EIC)
- {Tom} IIW was interesting. Session revoked
- {Tim} SSE is likely too heavy for just the 3PC deprecation logout use case. OIDC Backchannel Logout and FedCM are likely the better solutions
- {Andrii} RP needs to notify the OP that the RP session is no longer active. This is not covered by BC or FC logout specs today.
- {Tim} Might be a good topic for Connect working group
- {Martin} Similar issues with SAML for logout. SSE might be overkill
- {Tim} Recommend to join W3C Federated ID CG to discuss these issues: https://www.w3.org/community/fed-id/
- {Tim} SCIM working group new draft for events: https://datatracker.ietf.org/meeting/113/materials/slides-113-scim-scim-events-02
- {Nancy} published a blog about SSE and OPA - https://blogs.cisco.com/security/revisiting-the-session-the-potential-for-shared-signals
- {Tim} Discussed at OSW. Planning to move ahead with complex subject moving into its own spec.
- {Tim} Panel session happening at Identiverse: https://identiverse.com/idv2022/session/841471/
### Credential Compromise & sharing deleted passwords by IDPs
{Tom}
- Presented at IIW about deleted passwords
- Problematic to send actual password
- Proposal to use a verification token mechanism that obfuscates the password; both authorized parties can compare
- Open questions for IDaaS community
- Typically these passwords are encrypted and/or hashed in the database
- Talking to governments about whether they'd like to receive these events.
- Positive responses so far
- Global hub model for organizations to participate in using SSE
- Road show in June, also Identiverse
## Action Items
- Review Shayne's PR on stream configuration (https://github.com/openid/sse/pull/9)
- {Tim} Update site with current status of each draft
- {Tim} Get Mark Hayne on next call to talk about complex subject spin out and pending verification use case
- {Tim} Follow up on RISC spec ID process