IETF Logo Mail Archive

Re: [Id-event] WG Last Call for draft-ietf-secevent-token-02

Mike Jones <Michael.Jones@microsoft.com> Tue, 24 October 2017 00:04 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EFAC13ADD2 for <id-event@ietfa.amsl.com>; Mon, 23 Oct 2017 17:04:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.009
X-Spam-Level:
X-Spam-Status: No, score=-3.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c5O7ipm2xO8V for <id-event@ietfa.amsl.com>; Mon, 23 Oct 2017 17:04:42 -0700 (PDT)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0121.outbound.protection.outlook.com [104.47.41.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFA9513A5BC for <id-event@ietf.org>; Mon, 23 Oct 2017 17:04:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=5ruBRXNqCRhJ8hnBfRj5aNndFUCXAT11OdIz5amoM1o=; b=SEJJtSJtTU9oDkZv88PztaJRtfAKJNKOsdWRumtxGi555jRrNXJSilc1hzg6MXG9TEbSipfdhih65mKy7hkXufMGG5MGSOR6Z0rBDlnUiH52d5mvLICLUZITzi17PpM/QsE4OvTUVQ22o3iy7OEGM7qiDFAefKBR2tTzUnq2UTY=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0759.namprd21.prod.outlook.com (10.173.192.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.197.0; Tue, 24 Oct 2017 00:04:40 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.20.0197.001; Tue, 24 Oct 2017 00:04:40 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Richard Backman, Annabelle" <richanna@amazon.com>, "M.Lizar@OCG" <m.lizar@openconsentgroup.com>
CC: Yaron Sheffer <yaronf.ietf@gmail.com>, SecEvent <id-event@ietf.org>
Thread-Topic: [Id-event] WG Last Call for draft-ietf-secevent-token-02
Thread-Index: AQHTCj09LrxBWiFA7kmsguwQioPAmaJuaWjQgAFFhACAAbsQgICBJ7wQ
Date: Tue, 24 Oct 2017 00:04:39 +0000
Message-ID: <CY4PR21MB0504E0464CA7C7A3C5267792F5470@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <e6649728-f94a-93f5-9885-c948a5b0ed49@gmail.com> <CY4PR21MB0504DEA69A048EADE122995DF5B20@CY4PR21MB0504.namprd21.prod.outlook.com> <D263DE2D-48F7-4AF5-B96F-B83AAED779F6@openconsentgroup.com> <72B8E7CA-3EB6-4194-BB77-CD46062FDFB7@amazon.com>
In-Reply-To: <72B8E7CA-3EB6-4194-BB77-CD46062FDFB7@amazon.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Ref=https://api.informationprotection.azure.com/api/72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=mbj@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2017-10-23T17:04:38.7846163-07:00; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
x-originating-ip: [2001:4898:80e8:5::42f]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0759; 6:RQl5ca1+xeN1haMzhaMvlabxLqAtDi7J03MWB1GwDI3FESE9PM/031JxZ+1NxLkp4K+0VOFRXutS7QXk0NJ1C+/J4OOWxm7m/tJyIDJpmeqeQnaPXl2pdQwWpwMHeSY6ARwT5qH5k4pdmhNP9R/UN4m/WNDbCqSamFMXkWwm3QvdDMhZrKYYUT8VxSyvj/deP5WnHa5uIfhP9woMHmrznUabzSd2ZMt6/lO63gU9taGg3Ob60FGUnCOCNqO6wde1Qv2mIayTmuj5R67oY0PjzeAYZt1ry+UbVHNkVsejX8Sr5KTW8XYZ5efTTsu+y3NnSFYqUNWrgDwBmBPzyOKNWHhKGoAIU9d/4C+4eF6AVBo=; 5:xwCj2hZxWnfb2mKyap2TTnLq7IJDobS/kwiCVnhWoW4spD1KRBhNJAy0ZB0c5jIpNDZdQHO4A2ElX2HF/K850C7lKOTHAh5IYVkBPatzkhBrTbYEchq0NNbGw1cg5cDKXgO2VQ1XTwiACLppN7KOxq7FXmN7HTeO970VY8GiYeU=; 24:XY835bEpMgNdLu9LcADbivQGH7+1ipuuMcNVjvv86mf3kK3U9eLVYxjhV8UfczDMKPXlfjtMTKiDl+63FpPJJRZE3q+GxPYAlXqji2lTr9w=; 7:N82LMhxMuKiBWqMNTj1IJScTx0jWby6F5sCNvCWp/c8heZ5RC4Qn9EB5tQJlI530Y+hxqoYK+OGJ8D06uziPTBqvBQVm6QO40jquvxlFaDG+O4K9S7CXN2Yg/SLLLLigqoz+NMboUxKv/FStFWMb47wc23GwiF/zZyHCW3CDAcj6HJRiAS1s3a/ER7nxc96KBMHyuP8+ptyJLjTDGbBm0mBGUxqC+/CbqSYaetg94IfNH6C1+ZOyvpRM4/ILPs/S
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 12109166-aeb7-4b41-9adb-08d51a72d26c
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081)(4534020)(4602075)(4627075)(201703031133081)(201702281549075)(2017052603229); SRVR:CY4PR21MB0759;
x-ms-traffictypediagnostic: CY4PR21MB0759:
x-exchange-antispam-report-test: UriScan:(89211679590171)(120809045254105)(192374486261705)(21748063052155)(47284530071512);
x-microsoft-antispam-prvs: <CY4PR21MB0759238A212B858A3B26F079F5470@CY4PR21MB0759.namprd21.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(61425038)(6040450)(2401047)(8121501046)(5005006)(3231020)(3002001)(93006095)(93001095)(100000703101)(100105400095)(10201501046)(6055026)(61426038)(61427038)(6041248)(20161123562025)(20161123558100)(20161123555025)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123564025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY4PR21MB0759; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY4PR21MB0759;
x-forefront-prvs: 047001DADA
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(376002)(39860400002)(47760400005)(51914003)(43784003)(199003)(189002)(24454002)(69224002)(22452003)(189998001)(2906002)(54906003)(110136005)(316002)(3660700001)(6246003)(93886005)(86612001)(8990500004)(99286003)(101416001)(39060400002)(10090500001)(55016002)(97736004)(54896002)(7696004)(86362001)(33656002)(6306002)(236005)(9686003)(76176999)(8936002)(54356999)(50986999)(8676002)(230783001)(14454004)(2950100002)(790700001)(2900100001)(6506006)(102836003)(6116002)(53936002)(4326008)(229853002)(77096006)(74316002)(7736002)(478600001)(72206003)(966005)(68736007)(25786009)(3280700002)(5660300001)(10290500003)(53546010)(606006)(81166006)(105586002)(81156014)(6436002)(106356001)(491001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0759; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0504E0464CA7C7A3C5267792F5470CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 12109166-aeb7-4b41-9adb-08d51a72d26c
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Oct 2017 00:04:40.0368 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0759
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/3vY8Llx6_b1lj9aQXkjdbEJNtHk>
Subject: Re: [Id-event] WG Last Call for draft-ietf-secevent-token-02
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Oct 2017 00:04:45 -0000

Thanks for the detailed review, Annabelle, and for sitting down with me in person last week to go over it.  Proposed resolutions follow in-line.

From: Richard Backman, Annabelle [mailto:richanna@amazon.com]
Sent: Wednesday, August 2, 2017 11:43 AM
To: M.Lizar@OCG <m.lizar@openconsentgroup.com>; Mike Jones <Michael.Jones@microsoft.com>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com>; SecEvent <id-event@ietf.org>
Subject: Re: [Id-event] WG Last Call for draft-ietf-secevent-token-02

Thanks for all the work on this! It was my understanding that there was an open item from Prague regarding whether to explicitly declare the events’ profiling specification in the SET. Has this been discussed further, or do we still need to close on it?

I have several comments/questions on the current draft:


  1.  “Profile Specification” vs. “Profiling Specification”
There are a handful of instances of the former that need to be changed to the latter, to match the term as defined in section 1.2:
     *   In the “sub” definition in section 1.2
     *   In section 3
     *   In section 4.2

I think we should uniformly go with the term “Profiling Specification”, as you suggest.


  1.  Note regarding Subject Issuer vs. SET Issuer
The note regarding the potential for Subject and SET Issuer mismatch (in the “iss” definition in section 1.2) is I think more prescriptive than intended. As written, it mandates placing the Subject’s Issuer in an “iss” value within the event payload, but does not define a format or structure for this value. The logical format – that of the “iss” JWT claim – may or may not be appropriate, depending on the nature of the event and its Subject. I suggest removing this note and covering this concern elsewhere (see #4 below, re: Subject Identification).
(You were actually referring to Section 2.1.)  As we discussed, if the logical issuer for the SET doesn’t fit the JWT “iss” string syntax, it’s perfectly reasonable to define a different claim and its syntax that meets the application’s needs.  The “Note” part also doesn’t dictate that the “sub” claim name be used.  We could add the parenthetical remark “(either using the “iss” member name or another name)” before the first comma in the note, to make this point clear, if you think that would address your concern.

  1.  Explicit Typing of SETs
I suggest removing the text “if the SET could be used in an application context in which it could be confused with other kinds of JWTs” from the first paragraph of section 2.2, making the secevent+jwt typ header mandatory to implement for all SETs. This conditional is impossible to evaluate, as new types of JWTs will be introduced over time. Just considering existing JWTs, it is a lot to ask for Profiling Spec authors to fully examine the contents and usage of every existing JWT. Mandating use of typ for SETs takes this load off of Profiling Spec authors and insures that future specs have a consistent, reliable way to defend against JWT type confusion.
As we discussed, I’m reluctant to remove the clause because there is already this strong language at the end of the paragraph: “This MUST be included if the SET could be used in an application context in which it could be confused with other kinds of JWTs.”  So the default behavior is already the one you want.

  1.  Requirements for SET Profiles: Subject Identification
I suggest adding text along the lines of “Profiling Specifications MUST define for each of their events how the Subject is identified in the SET, as well as how to address conflicts the event Subject’s Issuer and the SET Issuer if applicable. It is NOT RECOMMENDED for Profiling Specifications to use the “sub” claim in cases where the Subject is not globally unique and has a different Issuer from the SET itself.”
I’m OK adding something along those lines.

  1.  Guidance for Signing SETs
The text in the last paragraph of section 4.1 is unclear to me. It seems to suggest that it is safe to send unsigned JWTs over a channel that lacks transport-layer security, so long as requests include a bearer token or use Basic Authentication. Am I misreading this? It seems counter to the guidance given earlier in the same section.
Good catch.  In fact the plain reading of the first half of the sentence is self-contradictory.  As we discussed, let’s simplify this to “Unless integrity of the JWT is ensured by other means, it MUST be signed using JWS…”

  1.  Distinguishing SETs from other kinds of JWTs
The last sentence of the first paragraph of section 4.7 seems impossible to me. Profiling Specifications cannot be solely responsible for ensuring incompatibility with all future JWT profiles. They can at best ensure incompatibility with existing JWT profiles and be compatible with a standard mechanism by which future JWT profiles may ensure incompatibility (e.g. the “secevent+jwt” typ header). It may be enough to strike the “(or other)” text from this sentence.
The second paragraph (beginning “The most direct way”) was written before we had explicit typing.  As we discussed, I propose to reorder paragraphs 2 and 3, changing explicit typing to be “The most direct way” and mutually exclusive validation logic to be “Another way”.  That puts the emphasis where it should be, at this juncture in the development of the specification.

--
Annabelle Richard Backman
Identity Services

                                                                Thanks again!
                                                                -- Mike


From: Id-event <id-event-bounces@ietf.org<mailto:id-event-bounces@ietf.org>> on behalf of "M.Lizar@OCG<mailto:M.Lizar@OCG>" <m.lizar@openconsentgroup.com<mailto:m.lizar@openconsentgroup.com>>
Date: Tuesday, August 1, 2017 at 9:17 AM
To: Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>>, SecEvent <id-event@ietf.org<mailto:id-event@ietf.org>>
Subject: Re: [Id-event] WG Last Call for draft-ietf-secevent-token-02

+1 on existing text .

Agree the document is ready to publish

- Mark

On 31 Jul 2017, at 16:53, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:

I believe that the specification is ready to publish as-is.  It already meets the needs of the known use cases and is in production use.

                                                                -- Mike

From: Id-event [mailto:id-event-bounces@ietf.org] On Behalf Of Yaron Sheffer
Sent: Monday, July 31, 2017 1:40 PM
To: SecEvent <id-event@ietf.org<mailto:id-event@ietf.org>>
Subject: [Id-event] WG Last Call for draft-ietf-secevent-token-02

This is to announce working group last call on this draft (https://datatracker.ietf.org/doc/draft-ietf-secevent-token/).

Please send your comments to the list. Even if you are perfectly happy with the draft, please let us know that you support its publication as-is by posting to the list.

Because of the summer holidays, this last call is open for 3 weeks, until Aug. 21.

Thanks,
    Dick and Yaron
_______________________________________________
Id-event mailing list
Id-event@ietf.org<mailto:Id-event@ietf.org>
https://www.ietf.org/mailman/listinfo/id-event

v2.23.0 | Report a Bug | By Email