WG_Meeting 2022 03 15

Atul Tulshibagwale edited this page Mar 15, 2022 · 6 revisions

Out-of-turn meeting for Cybersecurity applications

Attendees

  • Atul Tulshibagwale (SGNL)
  • Stefan Duernberger (Cisco)
  • Jason Garbis (Appgate)
  • Tim Cappalli (Microsoft)
  • Nancy Cam Winget (Cisco)
  • Martin Gallo (SecureAuth)
  • Tom Sato (VeriClouds)
  • Lee Tschetter (Okta)
  • Gail Hodges (OpenID Foundation)

Agenda

Notes

  • Wasn't SSE always meant to be for Cybersecurity? What is specifically being proposed here? Is it an effort to broaden the scope of SSE? Is this a means of sharing intelligence? Perhaps before getting into the details, we should discuss the goals. There are a lot of efforts in terms of trying to share data, so how is this different?
    • There could be more applications of the SSE Framework than offered by CAEP and RISC, so there could be other types of "profiles"
    • Some text in the doc highlights that there is the SSE Framework, which could be used in different ways
    • Cybersecurity is a very broad area
    • We are trying to bridge existing efforts in the IETF
    • Alternative take: Can SSE do this? Yes. But should we? For example, Subject Identifiers are in the core SSE spec, and we end up "blowing up" the core spec
    • It could be much, much deeper than just adding a profile
    • Since we are still struggling to get adoption, we should not distract from that
    • A value that SSE provides is that it is a standard for sharing signals, but specific to account, identity and session information
    • The specific identity-centric use cases of SSE are appealing to some companies (such as SecureAuth)
    • If we broaden the scope too much, we might lose the value that SSE brings to tackling the specific identity / account / session problems.
    • We should make sure we do not put too broad requirements on the SSE Framework in order to support new applications such as cybersecurity
  • We should add a section that gives reasons why we should not do this
  • Only if we can arrive at a structural role that is not fulfilled today should we proceed
  • We should address the question: "Why is SSE special?" and only then move forward
  • The biggest contribution that the SSE WG can make is to bring the RISC draft into the OpenID Foundation
  • We should try to arrive at a matrix that differentiates SSE and existing efforts (e.g. TAXII)