Re: [Id-event] [UNVERIFIED SENDER] Re: Subject Identifiers - Working Group Last Call
Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 13 June 2021 12:56 UTC
Date: Sun, 13 Jun 2021 15:56:24 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: "Richard Backman, Annabelle" <richanna@amazon.com>
CC: Dick Hardt <dick.hardt@gmail.com>, SecEvent <id-event@ietf.org>, Roman Danyliw <rdd@cert.org>, Marius Scurtescu <marius.scurtescu@coinbase.com>
Message-ID: <B74CF773-7D33-4E78-86B9-9CD03E1E84F5@gmail.com>
Thread-Topic: [UNVERIFIED SENDER] Re: Subject Identifiers - Working Group Last Call
References: <CAD9ie-uSbNHq=Mt3ohA=URf5rv2hz7YUdUMhOf80C_f=XBrGLA@mail.gmail.com> <36D66A89-D178-6047-B270-73AD540E7FAD@hxcore.ol> <9D6C9473-5C24-41E0-89EA-2C1E0D616876@amazon.com>
In-Reply-To: <9D6C9473-5C24-41E0-89EA-2C1E0D616876@amazon.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/4vl35rwRYBg6P-kPXczRMVqsJSQ>
Subject: Re: [Id-event] [UNVERIFIED SENDER] Re: Subject Identifiers - Working Group Last Call
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
Hi Annabelle,

I totally accept your two examples, and I suggest you consider including them in the text. But Fig. 14 (quoted below in full) does not clarify this intent IMO.

Existing Fig. 14:

    {
      "iss": "issuer.example.com",
      "sub": "user@example.com",
      "sub_id": {
        "format": "email",
        "email": "elizabeth@example.com"
      }
    }

Maybe change the "sub" to "liz@example.com" so that readers will understand this is the same person?

Thanks,
    Yaron

From: "Richard Backman, Annabelle" <richanna@amazon.com>
Date: Saturday, June 12, 2021 at 01:26
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: Dick Hardt <dick.hardt@gmail.com>, SecEvent <id-event@ietf.org>, Roman Danyliw <rdd@cert.org>, Marius Scurtescu <marius.scurtescu@coinbase.com>
Subject: Re: [UNVERIFIED SENDER] Re: Subject Identifiers - Working Group Last Call

Sorry for the delayed response!

Section 4.1 requires that both `sub` and `sub_id` claims identify the same subject. The only way to enforce that programmatically would be to require them to have the same value. Since the existing `sub` claim is unformatted and generally unconstrained, I don't see how we could do that. Here are a couple of examples of cases where that breaks down:

1. I have been using phone numbers for `sub`, but have been omitting country codes because I only operate in the US. I want to migrate to `sub_id`, but the "phone_number" format requires me to prefix my identifiers with "+1".

2. I'm a client of an IdP, and use the IdP's subject identifier in JWTs sent back to the IdP. To work around the fact that `sub` is a single scalar string, I concatenate the IdP issuer and subject together with a "#", and use that as the `sub` in my tokens, with my issuer as the `iss`. I want to switch to using `sub_id`, using the `iss_sub` format, so the JWT can have my issuer, but the subject can have the IdP's issuer.
— Annabelle Backman (she/her)
richanna@amazon.com

On May 27, 2021, at 5:46 AM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

Thank you Dick and the authors. With my co-chair hat off, I support progressing this document. I also have a couple of comments:

- 3.2.2: The text refers twice to "alias" subject IDs, but the format is now named "aliases".

- Fig. 14 seems to be in conflict with the requirement to have a single subject for the JWT ("a JWT has one and only one JWT Subject"). Yes, maybe Elizabeth has a second email address, but we cannot assume that applications have this kind of logic. Similarly, the subject-related discussion in Sec. 4.2 (which is arguably a bit vague) as well as Fig. 18 seem to allow two different subjects within the JWT.

Thanks,
    Yaron

From: Dick Hardt <dick.hardt@gmail.com>
Date: Wednesday, May 26, 2021 at 23:22
To: SecEvent <id-event@ietf.org>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com>, Richard Backman, Annabelle <richanna=40amazon.com@dmarc.ietf.org>, Roman Danyliw <rdd@cert.org>, Marius Scurtescu <marius.scurtescu@coinbase.com>
Subject: Subject Identifiers - Working Group Last Call

Hello WG,

Thanks to Annabelle (and Marius) for the latest update: https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers-08

Yaron and I would like to make another working group last call on this draft. We are hopeful there will be enough feedback on this draft from people that have reviewed it for us to recommend the draft progressing to the next step.

Please review and respond if you are supportive of this draft, and if you are not supportive, please clarify your concerns.

Dick and Yaron
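The point Annabelle makes above (value equality is the only generic way to enforce Section 4.1's "same subject" rule, and both of her migration cases defeat it) is easy to see in code. The following Python is an added example for this thread, not code from the draft, from the thread, or from any list member. It handles only the formats the thread names (`email`, `phone_number`, `iss_sub`, `aliases`); the per-format member names (`email`, `phone_number`, `iss`/`sub`, `identifiers`) are assumed from draft-08, and every claim set, phone number and issuer URL below is a constructed sample value. The aliases branch also checks the non-nesting rule that goes with the format renamed in Yaron's 3.2.2 comment.

```python
"""Checking that `sub` and `sub_id` identify the same subject (Section 4.1).

Added example for this thread; not code from the draft or any list member.
Member names per format are assumed from draft-08; sample data is constructed.
"""
import re
from typing import Callable, Optional

# E.164: a '+' followed by up to 15 digits, no leading zero.
E164 = re.compile(r"^\+[1-9][0-9]{1,14}$")


def validate_sub_id(sub_id: dict) -> str:
    """Structural check of one Subject Identifier; returns its format name."""
    if not isinstance(sub_id, dict):
        raise ValueError("sub_id must be a JSON object")
    fmt = sub_id.get("format")
    if fmt == "email":
        email = sub_id.get("email")
        if not isinstance(email, str) or "@" not in email:
            raise ValueError("email format requires an 'email' member")
    elif fmt == "phone_number":
        number = sub_id.get("phone_number")
        if not isinstance(number, str) or not E164.match(number):
            raise ValueError("phone_number must be E.164, i.e. start with '+'")
    elif fmt == "iss_sub":
        if not all(isinstance(sub_id.get(k), str) and sub_id[k] for k in ("iss", "sub")):
            raise ValueError("iss_sub format requires 'iss' and 'sub' members")
    elif fmt == "aliases":
        identifiers = sub_id.get("identifiers")
        if not isinstance(identifiers, list) or not identifiers:
            raise ValueError("aliases format requires a non-empty 'identifiers' array")
        for inner in identifiers:
            if isinstance(inner, dict) and inner.get("format") == "aliases":
                raise ValueError("aliases identifiers must not be nested")
            validate_sub_id(inner)
    else:
        raise ValueError(f"unsupported sub_id format: {fmt!r}")
    return fmt


def scalar_forms(sub_id: dict) -> set:
    """The plain string(s) a non-aliases sub_id denotes, for comparison with `sub`."""
    fmt = sub_id["format"]
    if fmt == "email":
        return {sub_id["email"]}
    if fmt == "phone_number":
        return {sub_id["phone_number"]}
    # iss_sub: the IdP's subject; its issuer is separate from the JWT's own `iss`.
    return {sub_id["sub"]}


def same_subject(claims: dict,
                 legacy_to_sub_id: Optional[Callable[[str], dict]] = None) -> bool:
    """True when `sub` and `sub_id` denote the same subject.

    Without `legacy_to_sub_id` the only generic check is value equality, which
    both migration cases from the thread defeat. With it, the deployment's own
    rule for how it used to build `sub` is applied first, and structured
    identifiers are compared instead of raw strings.
    """
    sub_id = claims["sub_id"]
    validate_sub_id(sub_id)
    candidates = sub_id["identifiers"] if sub_id["format"] == "aliases" else [sub_id]
    sub = claims["sub"]
    if legacy_to_sub_id is None:
        return any(sub in scalar_forms(c) for c in candidates)
    return legacy_to_sub_id(sub) in candidates


def phone_sub_to_sub_id(sub: str, default_country_code: str = "+1") -> dict:
    """Case 1 from the thread: national-format numbers in `sub` become E.164."""
    digits = re.sub(r"[^0-9+]", "", sub)
    if not digits.startswith("+"):
        digits = default_country_code + digits
    return {"format": "phone_number", "phone_number": digits}


def concatenated_sub_to_sub_id(sub: str) -> dict:
    """Case 2 from the thread: '<idp issuer>#<idp subject>' in `sub` becomes iss_sub.

    Splits on the first '#': an issuer URL carries no fragment, so the first
    '#' is the separator even if the IdP's subject itself contains one.
    """
    iss, sep, idp_sub = sub.partition("#")
    if not sep or not iss or not idp_sub:
        raise ValueError("expected '<issuer>#<subject>'")
    return {"format": "iss_sub", "iss": iss, "sub": idp_sub}


if __name__ == "__main__":
    fig14 = {"iss": "issuer.example.com", "sub": "user@example.com",
             "sub_id": {"format": "email", "email": "elizabeth@example.com"}}
    print("Fig. 14, strict:", same_subject(fig14))  # False
    phone = {"sub": "(212) 555-0100",
             "sub_id": {"format": "phone_number", "phone_number": "+12125550100"}}
    print("phone, strict:", same_subject(phone))  # False
    print("phone, with rule:", same_subject(phone, phone_sub_to_sub_id))  # True
```

Run as a script it prints the three results. The strict check fails for Fig. 14 exactly as Yaron observes (nothing in the JSON links `user@example.com` to `elizabeth@example.com`), and it fails for both legacy cases until the deployment supplies its own normalisation rule, which is the knowledge the draft cannot standardise.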