Shared Signals and Events WG
Implementer’s Drafts Approved
The Implementer’s Drafts for the Shared Signals and Events Framework Specification and the Continuous Access Evaluation Profile Specification are now approved.
What is Shared Signals and Events WG?
The goal of the Shared Signals and Events Working Group is to enable the sharing of security events, state changes, and other signals between related and/or dependent systems in order to:
- Manage access to resources and enforce access control restrictions across distributed services operating in a dynamic environment.
- Prevent malicious actors from leveraging compromises of accounts, devices, services, endpoints, or other principals or resources to gain unauthorized access to additional systems or resources.
- Enable users, administrators, and service providers to coordinate in order to detect and respond to incidents.
Why Should I Care?
Continuous Access Evaluation Protocol (CAEP)
Federated systems are a common way of enforcing access control. Widely used federated identity protocols such as SAML and OpenID Connect let an identity provider assert the validity of access at the time of user login. Modern environments let users keep their login sessions for long periods, often several weeks. The properties asserted at login (for example, whether the account is still active or the device still meets policy) may change during that period, so a relying party that keeps acting on the original assertion can grant access that is no longer authorized. This working group therefore proposes a standards-based way of communicating changes to access properties from the party that observes them to the parties that depend on them. CAEP was first proposed in a blog post by Google. A number of companies have contributed to its development, and its independent standardization effort was merged into this working group of the OpenID Foundation.
Mitigating Catastrophic Account Compromise (RISC)
Attackers often target multiple accounts across service providers for a single individual, knowing that users normally register for all their internet services with just a few email addresses. For example, a victim's social networking account may send password recovery information to their email account, or the victim may log into a photo sharing account using their social network credentials. When criminals exploit these linkages, a single weak link can create a cascade of account takeovers.
The Risk & Incident Sharing and Collaboration (RISC) initiative aims to develop standards designed to enable providers to prevent attackers from compromising linked accounts across multiple providers and coordinate in restoring accounts in the event of compromise.
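The CAEP and RISC descriptions above both come down to the same receiver-side mechanism: a relying party keeps sessions that outlive the login-time assertion, and a transmitter (typically the identity provider) sends it a signed event when something changes. The example below is added here and is not code from the working group or its specifications. It assumes events are carried as Security Event Tokens (RFC 8417) signed as HS256 JWS with a shared secret (production deployments use asymmetric keys and a transport such as push or poll delivery, which are out of scope here), and it uses the published CAEP `session-revoked` and RISC `account-disabled` event-type URIs with an `iss_sub` subject identifier; the session store, receiver class, issuer/audience URLs and all sample data are constructed for illustration. It shows the checks a receiver must do before acting on an event (signature, issuer, audience, replay) and then terminates every local session belonging to the affected subject.

```python
"""Illustrative Shared Signals receiver (added example; not the specification's code)."""
import base64
import hashlib
import hmac
import json
import time

# Event-type URIs as published by the CAEP and RISC profiles.
CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
RISC_ACCOUNT_DISABLED = "https://schemas.openid.net/secevent/risc/event-type/account-disabled"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_set(payload: dict, key: bytes) -> str:
    """Transmitter side: wrap a SET payload in an HS256 JWS (assumption: shared secret)."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    signing_input = _b64url(json.dumps(header, separators=(",", ":")).encode()) + "." + \
        _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_set(token: str, key: bytes, issuer: str, audience: str) -> dict:
    """Receiver side: reject anything that is not a correctly signed SET addressed to us."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected JWS header")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if payload.get("iss") != issuer or audience not in auds:
        raise ValueError("issuer or audience mismatch")
    if "events" not in payload or "jti" not in payload:
        raise ValueError("not a Security Event Token")
    return payload


class Receiver:
    """Hypothetical relying party: maps session ids to the (issuer, subject) that logged in."""

    def __init__(self, key: bytes, issuer: str, audience: str):
        self.key, self.issuer, self.audience = key, issuer, audience
        self.seen_jti = set()          # replay protection; a real store would be persistent
        self.sessions = {}             # session_id -> (iss, sub)

    def login(self, session_id: str, iss: str, sub: str) -> None:
        self.sessions[session_id] = (iss, sub)

    def handle(self, token: str) -> list:
        """Validate the SET and revoke matching sessions; returns the revoked session ids."""
        payload = verify_set(token, self.key, self.issuer, self.audience)
        if payload["jti"] in self.seen_jti:
            return []                  # duplicate delivery or replay: already acted on
        self.seen_jti.add(payload["jti"])
        revoked = []
        for event_type, event in payload["events"].items():
            subj = event.get("subject", {})
            if subj.get("format") != "iss_sub":
                continue               # other subject identifier formats not handled here
            target = (subj.get("iss"), subj.get("sub"))
            # Both a CAEP session revocation and a RISC account disable mean the
            # login-time assertion no longer holds: drop every session for that subject.
            if event_type in (CAEP_SESSION_REVOKED, RISC_ACCOUNT_DISABLED):
                for sid, owner in list(self.sessions.items()):
                    if owner == target:
                        del self.sessions[sid]
                        revoked.append(sid)
        return revoked


def demo() -> dict:
    """Constructed scenario: two sessions for alice and one for bob, then alice is revoked."""
    key = b"secret-agreed-at-transmitter-registration"    # constructed shared secret
    idp, rp = "https://idp.example", "https://app.example"  # constructed URLs
    rx = Receiver(key, idp, rp)
    rx.login("s1", idp, "alice")
    rx.login("s2", idp, "alice")
    rx.login("s3", idp, "bob")
    payload = {"iss": idp, "aud": rp, "iat": int(time.time()), "jti": "evt-001",
               "events": {CAEP_SESSION_REVOKED: {
                   "subject": {"format": "iss_sub", "iss": idp, "sub": "alice"},
                   "event_timestamp": int(time.time())}}}
    token = sign_set(payload, key)
    first = rx.handle(token)           # alice's sessions go, bob's stays
    replay = rx.handle(token)          # same jti again: nothing happens
    # Tamper with the payload but keep the original signature: must be rejected.
    h, p, s = token.split(".")
    forged = dict(json.loads(_b64url_decode(p)))
    forged["events"][CAEP_SESSION_REVOKED]["subject"]["sub"] = "bob"
    forged_token = f"{h}.{_b64url(json.dumps(forged, separators=(',', ':')).encode())}.{s}"
    try:
        rx.handle(forged_token)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {"first": sorted(first), "replay": replay,
            "remaining": sorted(rx.sessions), "tampered_rejected": tampered_rejected}


if __name__ == "__main__":
    print(demo())
```

The point to take from the receiver is the order of operations: nothing about the event is trusted until the signature, issuer and audience have been checked, and a `jti` is only honoured once, so a captured event cannot be replayed later to log someone out at will. Treating a RISC `account-disabled` event the same way as a CAEP `session-revoked` event is what stops the cross-provider cascade described above from reaching the relying party.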
Why are These Two Distinct Concerns Combined in One Working Group?
There are multiple reasons why a single working group is needed to address these two separate, but related, concerns together:
- Both concerns are ultimately about determining access to online resources: CAEP provides finer-grained routine information, while RISC enables taking drastic action swiftly in response to account compromise.
- Both protocols are proposed to use similar asynchronous publish-and-subscribe mechanisms and can leverage the same set of underlying principles and standards.
- Systems that implement these protocols are likely to overlap, and can benefit from uniformity in formats and features.
Annabelle Richard (Amazon)
Atul Tulshibagwale (SGNL)
Tim Cappalli (Microsoft)
List of Specifications
Working copies of the specification can be found in the group’s repository.
The easiest way to participate is to join the mailing list at https://lists.openid.net/mailman/listinfo/openid-specs-risc.
Please note that while anyone can join the mailing list as a read-only recipient, posting to the mailing list or actively contributing to the specification itself requires the submission of an IPR Agreement. More information is available at http://openid.net/intellectual-property. Make sure to specify the working group as “Shared Signals and Events”.
- When: Tuesdays 5pm UTC
- Where: https://global.gotomeeting.com/join/576653581
- Meeting Notes: https://bitbucket.org/openid/risc/wiki/Home
- GoToMeeting software is available on Mac, PC, iPhone, and Android Phone.
- Using the VoIP option of GoToMeeting is preferred. If you absolutely must use a plain telephone for some reason, here is the US phone number: +1 (312) 878-3080. International numbers:
- Australia: +61 2 8355 1034
- Canada: +1 (647) 497-9376
- France: +33 (0) 170 950 586
- Germany: +49 (0) 811 8899 6931
- Spain: +34 932 20 0506
- United Kingdom: +44 (0) 330 221 0098
- Use your microphone and speakers (VoIP) – a headset is recommended. Or, call in using your telephone.
- Meeting ID: 576-653-581
- Audio PIN: Shown after joining the meeting