IETF Logo Mail Archive

Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

Mike Jones <Michael.Jones@microsoft.com> Thu, 02 March 2017 00:03 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C55601279EB for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 16:03:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Level:
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u3SM2YZIPQ-d for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 16:03:36 -0800 (PST)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01on0115.outbound.protection.outlook.com [104.47.33.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B10A3128DF6 for <id-event@ietf.org>; Wed, 1 Mar 2017 16:03:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=3H/Ki9BDRjN73eOjdORq0eOwfV3MPrARUVPBBUJxHyg=; b=IDzNRfU0msr9WVNQgf5lzQ8QNLh6VHThOrgw+j2ThYbYX1PSPv1L5HVk4FSilv0n4Mf/YnXsQirQrBep7OLTZEpyTbPd11NVHCPeRH1mEzf8vzH05RVlFR8vEJgozvXODbz3hGl8aKnocPUDEhtrd7yaRiN/cNXj92h/0pycTOY=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0502.namprd21.prod.outlook.com (10.172.122.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Thu, 2 Mar 2017 00:03:32 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.007; Thu, 2 Mar 2017 00:03:32 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Marius Scurtescu <mscurtescu@google.com>, William Denniss <wdenniss@google.com>
Thread-Topic: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
Thread-Index: AQHSkrmW5tqPJIY8NEisvT0PLETCCaGAXGUAgAABMRCAAAuGgIAAAFNAgAABeACAAAR5AIAABIYAgAA1GwCAAABmAA==
Date: Thu, 02 Mar 2017 00:03:32 +0000
Message-ID: <CY4PR21MB05040BE765943CD72F545E15F5280@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com> <CAAP42hAPZOHn-37wYrOy7OcvNuqWdXtSSMHxb_AoW7kXeAy4wA@mail.gmail.com> <CY4PR21MB050423CEEA9AB0CC64F0973FF5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hD8FbZSKWiorKSZHqiidak4Gf071xKTD2d9EvZa13mt5g@mail.gmail.com> <CY4PR21MB05047835E14B3D375C0538F6F5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hB63GC9=7nqiayjnD9i5RG7Yu7CJVCtDZpNWTgLMrDJ8w@mail.gmail.com> <0D17E1B4-D8C1-4241-8D11-8C0C700DD1D5@oracle.com> <CAAP42hANJNA62Zkhpv96snpk7O8-cUfwMtooCuhyN242vEMkfA@mail.gmail.com> <CAGdjJpLEX06CsLFH4u4YicP1qbW1Q8yjFhZjSovFRJzQv7B1bQ@mail.gmail.com>
In-Reply-To: <CAGdjJpLEX06CsLFH4u4YicP1qbW1Q8yjFhZjSovFRJzQv7B1bQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: google.com; dkim=none (message not signed) header.d=none;google.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:e::36]
x-ms-office365-filtering-correlation-id: 717bb8d3-5b48-47cc-cf7d-08d460ff90a0
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR21MB0502;
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0502; 7:4laeZIDuVT/12fQwynCSogFn017g2vtWNMoTYxfDo/MVzovSq+ltDvlr7y+lAdexcgo4nibClzClgoBvC7OYQL9mdpCtxIya+XIVnADjT/kYIru88Eqmb2D//cYUBh//2xpHs+61KYht+xT9dJLtv8bb3j6NlfZEiL/ciHZtm6NY1OuRrJJQa8kqtyXQSEOXY58rpvWCnIObKHaIh6BgsOVw0GB75yba290qK5RO6Q0foMfsNjANUVpOp7yERx6PSee3TBP+9W4HM4Evvy0vexokcUVgnMRyaYoJXetdToVNmKoWankU9snQtsJgsRb4pKRr1CtfT9letARIGkw/1e9IvvleI8wi+XpfxScOBwk=
x-microsoft-antispam-prvs: <CY4PR21MB0502BA6C01DA66CF7457E5F5F5280@CY4PR21MB0502.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(278428928389397)(192374486261705)(211936372134217)(21748063052155)(21532816269658)(146099531331640);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123562025)(20161123564025)(20161123560025)(20161123555025)(20161123558025)(6072148); SRVR:CY4PR21MB0502; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0502;
x-forefront-prvs: 023495660C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(39450400003)(39840400002)(39850400002)(39410400002)(377454003)(24454002)(25786008)(229853002)(6436002)(606005)(10290500002)(790700001)(8676002)(6116002)(102836003)(53546006)(5660300001)(19609705001)(5005710100001)(10090500001)(53936002)(6246003)(77096006)(33656002)(4326008)(81166006)(8936002)(86362001)(3280700002)(2906002)(38730400002)(3660700001)(2900100001)(106116001)(7906003)(122556002)(6506006)(50986999)(54356999)(76176999)(236005)(74316002)(93886004)(6306002)(99286003)(54906002)(9686003)(7736002)(189998001)(55016002)(7696004)(92566002)(2950100002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0502; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB05040BE765943CD72F545E15F5280CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Mar 2017 00:03:32.4396 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0502
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/4EMjGzgtjIJP5cWr13dT3z8KGw0>
Cc: ID Events Mailing List <id-event@ietf.org>, "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 00:03:39 -0000

Yes, adding another general-purpose JWT type claim was discussed on the mailing list.  My sense of that discussion was that people mostly agreed that doing that was new JWT work, and therefore in the scope of the OAuth working group, and not SecEvent-specific work, and so out of scope for the SecEvent working group.

If we write Security Considerations on the topic, they should be likewise scoped to use cases in which SETs are used, and not try to write new Security Considerations that apply to all JWTs.  Thus, it’s fine for the SET spec to say, for instance, that applications in which more than one kind of JWT can be signed by the same issuer, one kind of which is a SET, should take appropriate application-specific measures to ensure that the different kinds of JWTs cannot be confused for one another.  But beyond suggesting that these applications use the “events” claim to distinguish between SETs and other kinds of JWTs, trying to write specific general-purpose JWT guidance is out of scope for this working group.

                                                                -- Mike

From: Marius Scurtescu [mailto:mscurtescu@google.com]
Sent: Wednesday, March 1, 2017 3:55 PM
To: William Denniss <wdenniss@google.com>
Cc: Phil Hunt (IDM) <phil.hunt@oracle.com>; Mike Jones <Michael.Jones@microsoft.com>; ID Events Mailing List <id-event@ietf.org>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

We also talked about adding another claim that defines the type or purpose of the JWT ("access token", "SET", etc). In a way it is the only sane option, but it is not addressing existing implementations. Asking implementors to "be careful" is asking for trouble IMO, especially because systems evolve by incrementally adding functionality.

Marius

On Wed, Mar 1, 2017 at 12:44 PM, William Denniss <wdenniss@google.com<mailto:wdenniss@google.com>> wrote:
OK so perhaps the "URI" thing is overly restrictive.

I guess the security consideration I'm recommending here is that you shouldn't have multiple systems that issue JWTs with the same iss/aud tuple, except when those systems are tightly coupled (as is the case with Connect & Logout).

If a shared issuer is used, then URI-based namespacing is *one* way to avoid this, but there are others.

I'm trying to avoid the need for SET to "break" possible use in access tokens (one of the stated goals in the original post) – I think having advice like this can avoid normative language that changes, and overly complicates SET.

_______________________________________________
Id-event mailing list
Id-event@ietf.org<mailto:Id-event@ietf.org>
https://www.ietf.org/mailman/listinfo/id-event

v2.23.0 | Report a Bug | By Email