[Id-event] Review of Subject Identifiers for Security Event Tokens
William Denniss <wdenniss@google.com> Mon, 20 July 2020 21:56 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 759A53A0FE4 for <id-event@ietfa.amsl.com>; Mon, 20 Jul 2020 14:56:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k1MG7DWAyJ6T for <id-event@ietfa.amsl.com>; Mon, 20 Jul 2020 14:56:07 -0700 (PDT)
Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62AD83A0FE3 for <id-event@ietf.org>; Mon, 20 Jul 2020 14:56:07 -0700 (PDT)
Received: by mail-wm1-x330.google.com with SMTP id o2so941637wmh.2 for <id-event@ietf.org>; Mon, 20 Jul 2020 14:56:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=WXqNYQnABUuzWKwiS71mGpIQOOy+5JZCfBBZJKJZgbM=; b=u5qlCtpsSfrFHYK5ZXyDr+/ityOtNp5kvjbk5arCoA5zhirWkldUoxhP3GmGN/cVTv 4IQsCTUfBmFWv3SzYJl37TFSTg5VVcP1T7/evzeAahHVao60oKTkN5d5+Fi3He2ENWRA XY11wNmv/76WF+MM2R4H9/Me7icv6kSUHBvjgBpg+nzfOSj34nABZyoHpWqubVCm82jP cDN+mrukXZLwhASBYIW7nzopO1IRvgI6ziIOZeXv2sihNh0Y0o2vZuab/p4ZXLqHZEpJ 6272ipkMSs3W3120VuyVBSWUD6zE4/UATXkWi5XrWhHDNSXyurFavJethWn09zHlZeBg 8h9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=WXqNYQnABUuzWKwiS71mGpIQOOy+5JZCfBBZJKJZgbM=; b=cYPzA7LcYUo+LpicddvjniJR3Vw8qt10Mql16pkd5mSHfOmJbJpq/oEcUji6TonRNx YxLT3ao5CzkEiyuZqMUbon907CoI3hUe6uG0wCrpTS+iQHxas0KldM/VW98FPWrRHjPJ FoiyXwY5F7oGSlRcj6CrscZkayCj5w0KRF/h4SsoIdXEvW/R22yQF8M3i0R8b+ByyYHV kJl9WuXXHzO3FkunF8+ChjWGkW1T/Adkx54PWz/F6KcKUoJianLII8q1BBu2kQqMY7IS 3/uvp30gVr3zU99qz69wRjCSwGwt+gVR76JMKaPiOh9aJXbbVExIVlLSpAlrcx7CcHFU aHBg==
X-Gm-Message-State: AOAM531E6WyIJBtXCE+RlFKCcv7eEKM+U/fwIJRagbJ8CK7dPxI7x4Qp dtp2xPYofX9PBQYSOhTnxhI+tcyoigutkAH6qHVt+5GxXAmywg==
X-Google-Smtp-Source: ABdhPJwVYkAlJqLkH45K+Cqj+L7Z49VNmJYujC3KkEBaEXIa72pdFsfEjCH/tqBngxY/UHvnXQqSH4Q5swzWGw2SURE=
X-Received: by 2002:a1c:2109:: with SMTP id h9mr1095804wmh.174.1595282164986; Mon, 20 Jul 2020 14:56:04 -0700 (PDT)
MIME-Version: 1.0
From: William Denniss <wdenniss@google.com>
Date: Mon, 20 Jul 2020 14:55:53 -0700
Message-ID: <CAAP42hA=5xPOOA4JNij5pdjhTD3L__yGETXFK-DNriMxWFpXww@mail.gmail.com>
To: ID Events Mailing List <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c339bd05aae692d2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/3O9wU2rVPMyYJpB0_V6IndBcMGE>
Subject: [Id-event] Review of Subject Identifiers for Security Event Tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2020 21:56:09 -0000
I reviewed Subject Identifiers for Security Event Tokens v05 ( https://tools.ietf.org/html/draft-ietf-secevent-subject-identifiers-05 <https://tools.ietf.org/html/draft-ietf-secevent-subject-identifiers-05#ref-JWT> ). Summary & Benefits: The draft standardizes a way to represent the subjects when they may be of different types (e.g. some with email, some with ID). It does this in a way that allows the type and the value to be encoded together. JWT by itself doesn't define the type of subjects (it's defined as a case-sensitive string containing a StringOrURI value), leaving this to implementers which works in many situations, but can cause problems for the application of JWTs as security events. Also included is a way to present multiple identifiers for the same subject. Standidizing this is relevant in Security Event Token environments like RISC involving multiple parties where some mapping of identifiers between the systems is needed. For example, when two email systems share SETs to mitigate email recovery related risks, one party might identify users by ID, whereas the other by email address. The one-size-fits-all typeless "sub" can fall short in this situation. Traditional use of JWT is unidirectional, with one issuer and multiple consumers whereby the subject itself can be more or less an opaque index. The SET application of JWT sees multiple issuers who consume each other's tokens and need to identify subjects across identity provider boundaries. Being able to communicate the subject type, as well as potentially multiple subject identifiers for the same subject is useful in this type of environment. Using JWT claims without the subject identifier approach defined in this draft, the issuer may put an opaque value in "sub", and an email address in "email", but without a way to indicate what the type of the sub is, or if it's reasonable to use "email" as the subject rather than just an attribute of the user. This draft allows for multiple subject identifiers to be communicated as such and removes the guesswork by consumers as to what should be considered a subject identifier and what should not. Feedback: Abstract: Nit: I normally see RFC's referred to by number, so rather than "within a [JSON] object", I would expect to see "within a JSON [RFC 7159] object". Same for JWT and SET. I think this style reads better, as it separates the name of the draft from the reference. § 3: One thing that I feel is missing is an example of a full SET or JWT with the subject identifier. I'm a big believer in examples, as it gives the reader an easy way to picture the final application of what is being specified. Like what we did in RFC 8417, Section 2.1.4: https://tools.ietf.org/html/rfc8417#section-2.1.4. There are some non-normative examples in this draft later for non-SET JWTs, which is great, so I think it would be useful to have ones for SET as well. § 3: " A Subject Identifier is a [JSON] object containing a "subject_type" claim" Nit: I'm troubled slightly by the phrase "JSON object containing a claim" here. In JSON terms, these are key/value pairs not "claims" which is a JWT term. I think it's fine for the doc to mostly use "claims", since the context is JWT, but since we're designing a new type here, I'd suggest at first use to say something like "JSON object with multiple key/value pairs representing the subject's claims", after which you can just use "claim". § 4.1: Document defines a "sub_id" JWT claim, but it doesn't really explain why or when to use it. I think the doc would benefit from an introduction in this section that talks about why this is a useful construct, and where we expect it to be used. My understanding is that we expect subject identifiers to be used in SETs (e.g. in RISC) and in non-SET JWTs. It makes sense to me to have a "pure JWT" option here, and I'm sure it was added for good reason (including perhaps some that I enumerated in my benefits summary above), I think it would help to have those reasons listed. § 6: I feel like there are always security considerations :-) Maybe this could document some of the security considerations of sending subject as JWT claims without using this spec (e.g. that maybe someone could rely on a claim more strongly to identify a subject than was intended). § 7: Just a comment: I agree with the choice of "Expert Review" for IANA. "Specification Required" would be too heavyweight here. Best, William
- [Id-event] Review of Subject Identifiers for Secu… William Denniss
- Re: [Id-event] Review of Subject Identifiers for … Richard Backman, Annabelle