Re: [Id-event] "aud" vs. receiver issue raised in WGLC

Mike Jones <Michael.Jones@microsoft.com> Mon, 23 October 2017 18:30 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/7_AFIOwt4frObLYuPjygn0LioKg>

I am also happy with the current audience semantics.

From: Id-event [mailto:id-event-bounces@ietf.org] On Behalf Of Phil Hunt
Sent: Monday, October 23, 2017 10:58 AM
To: ID Events Mailing List <id-event@ietf.org>
Subject: [Id-event] "aud" vs. receiver issue raised in WGLC


All,

I am reviewing the previous feedback from WGLC and will be bringing up any unresolved issues for quick discussion/confirmation…

Following up on Marius and Henk’s comments, I am concerned that “aud” has a very specific meaning and is often tied to a security domain definition. We should not necessarily say this is the receiver, though it often turns out to be. For example, an RP (“aud”) has outsourced event processing to a third party (the so-called receiver).

I am happy with the current claim set, but maybe some text explaining that a receiver does not have to be the aud is appropriate? I don’t see any benefit to having a receiver claim, as this could complicate processing more than it’s worth.

There are a few other comments in this thread, but this one seemed the most unresolved.

Phil


On Aug 3, 2017, at 8:03 AM, Henk Birkholz <henk.birkholz@sit.fraunhofer.de> wrote:

Hello,

To me, the "audience" claim seems to be a good choice here.

Best regards,

Henk

On 08/02/2017 11:45 PM, Marius Scurtescu wrote:

The abstract mentions "issuer" and "receiver" in the last sentence. "receiver" does not sound right (that should be used in the context of a transmitter), but I don't have a better suggestion. Audience?
The last paragraph of section 1 mentions "subscriber". I think it should be either "receiver" or "audience".
The explanation for figure 1 states that the issuer denotes the transmitter. If the issuer and the transmitter are assumed to be the same entity, then the transmitter definition in section 1.2 should make that clear.
Figure 3, I think the "sub" claim should be nested in the event, next to the issuer that provides the correct context. The "iss" and "sub" definitions in 2.1 also touch on this, providing conflicting advice.
Section 2.1, definition of "nbf". The definition says that this is the event time. I see two problems:
- the name suggests "not before", not exactly the same as event time
- there can be multiple events
Maybe this claim should be dropped?
Section 2.1, definition of "exp". Omitting this claim is the short term solution to the confusion issue. Why not mention that and that it SHOULD NOT be used?
Section 2.1, definition of "events". It states that all events must refer to the same logical event. Lately in discussions we reached the conclusion that all events in a SET should be defined in the same profile, which is a stronger requirement. I think this definition should mention that.
Regarding events and profiles. There was a proposal to add a new claim to uniquely identify the profile. I think we need to discuss that.
Figure 5. Maybe a signed example would be better, especially since the next paragraph mentions that signatures or encryption should be used.
Section 4.5, second paragraph. Mentions that "nonce" is also required, but that is not actually true. Id Tokens issued at the token endpoint for example will not have it. I suggest we drop the whole paragraph.
Marius
On Mon, Jul 31, 2017 at 1:40 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
   This is to announce working group last call on this draft
   (https://datatracker.ietf.org/doc/draft-ietf-secevent-token/).
   Please send your comments to the list. Even if you are perfectly
   happy with the draft, please let us know that you support its
   publication as-is by posting to the list.
   Because of the summer holidays, this last call is open for 3 weeks,
   until Aug. 21.
   Thanks,
        Dick and Yaron
   _______________________________________________
   Id-event mailing list
   Id-event@ietf.org
   https://www.ietf.org/mailman/listinfo/id-event
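The distinction Phil draws in this thread, a receiver that processes SETs on behalf of the relying parties named in "aud" without itself being the audience, as an added illustration that is not part of the thread and not the SET draft's own code. The issuer, RP and receiver identifiers and the sample SET payloads are constructed; signature verification is assumed to have already happened.

```python
# Added example (not from the thread or the SET draft): claim checks a
# receiver applies on behalf of its RPs after verifying the SET signature.
from typing import Iterable, Tuple

RECEIVER_ID = "https://events-processor.example"                          # constructed
OUTSOURCING_RPS = {"https://rp-one.example", "https://rp-two.example"}  # constructed
TRUSTED_ISSUERS = {"https://idp.example"}                                 # constructed

def audience_values(aud) -> list:
    """Normalize the JWT "aud" claim, which may be one string or an array of strings."""
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    return []

def validate_set_claims(claims: dict,
                        accepted_audiences: Iterable[str] = OUTSOURCING_RPS,
                        trusted_issuers: Iterable[str] = TRUSTED_ISSUERS) -> Tuple[bool, str]:
    """Return (accepted, reason) for an already signature-verified SET payload."""
    if claims.get("iss") not in set(trusted_issuers):
        return False, "untrusted issuer"
    auds = audience_values(claims.get("aud"))
    if not auds:
        return False, "missing or malformed aud"
    # The receiver acts for the RPs named in "aud"; its own identifier
    # showing up there means the SET was addressed to the wrong party.
    matched = sorted(set(auds) & set(accepted_audiences))
    if not matched:
        return False, "aud names no RP this receiver processes events for"
    events = claims.get("events")
    if not isinstance(events, dict) or not events:
        return False, "missing or empty events claim"
    return True, "accepted on behalf of " + ", ".join(matched)

# Constructed SET payloads: single-valued aud, multi-valued aud, and one misaddressed to the receiver.
SAMPLE_SETS = [
    {"iss": "https://idp.example", "aud": "https://rp-one.example",
     "iat": 1508783400, "events": {"https://schemas.example/event/revoked": {}}},
    {"iss": "https://idp.example", "aud": ["https://rp-two.example", "https://other.example"],
     "iat": 1508783400, "events": {"https://schemas.example/event/revoked": {}}},
    {"iss": "https://idp.example", "aud": RECEIVER_ID,
     "iat": 1508783400, "events": {"https://schemas.example/event/revoked": {}}},
]

def triage(sets=SAMPLE_SETS) -> list:
    return [validate_set_claims(c) for c in sets]
```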