Wasn't SSE always meant to be for Cybersecurity? What is specifically being proposed here? Is it an effort to broaden the scope of SSE? Is this a means of sharing intelligence? Perhaps before getting into the details, we should discuss the goals. There are a lot of efforts in terms of trying to share data, so how is this different?
There could be more applications of the SSE Framework than those offered by CAEP and RISC, so there could be other types of "profiles"
Some text in the doc highlights that there is the SSE Framework, which could be used in different ways
Cybersecurity is a very broad area
We are trying to bridge existing efforts in the IETF
Alternative take: Can SSE do this? Yes. But should we? For example, Subject Identifiers are in the core SSE spec, and we end up "blowing up" the core spec
It could be much, much deeper than just adding a profile
Since we are still struggling to get adoption, we should not distract from that
A value that SSE provides is that it is a standard for sharing signals, but specific to account, identity and session information
The specific identity-centric use cases of SSE are appealing to some companies (such as SecureAuth)
If we broaden the scope too much, we might lose the value that SSE brings to tackling the specific identity / account / session problems.
We should make sure we do not put overly broad requirements on the SSE Framework in order to support new applications such as cybersecurity
We should add a section that gives reasons why we should not do this
If we can arrive at a structural role that is not fulfilled today, only then should we proceed
We should address the question: "Why is SSE special?" and only then move forward
The biggest contribution that the SSE WG can make is to bring the RISC draft into the OpenID Foundation
We should try to arrive at a matrix that differentiates SSE and existing efforts (e.g. TAXII)