IETF Logo Mail Archive

Re: [Id-event] Options regarding SPAGs

Atul Tulshibagwale <atultulshi@google.com> Tue, 15 December 2020 23:42 UTC

Return-Path: <atultulshi@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05EFE3A08D9 for <id-event@ietfa.amsl.com>; Tue, 15 Dec 2020 15:42:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.598
X-Spam-Level:
X-Spam-Status: No, score=-17.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t42tl76NpEeS for <id-event@ietfa.amsl.com>; Tue, 15 Dec 2020 15:42:06 -0800 (PST)
Received: from mail-yb1-xb31.google.com (mail-yb1-xb31.google.com [IPv6:2607:f8b0:4864:20::b31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 518E53A08D5 for <id-event@ietf.org>; Tue, 15 Dec 2020 15:42:06 -0800 (PST)
Received: by mail-yb1-xb31.google.com with SMTP id y128so956841ybf.10 for <id-event@ietf.org>; Tue, 15 Dec 2020 15:42:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jEbQYyP6BgAuw8xGnRZCM6/4vllOz1pKvCPi8P60JEk=; b=hplxGo0cPdE+Q3uoMzaUG3Te6T+Dh/0NwOG+PHltHPQPEy6Cbn0fFWqcIswtOOfOvY H8P6pSJs05n6UvNLJhcL2lcnsVe6peHhLsqM+WI9PP4xRZLa6wJ8vTaANOQxelhlQu6W cIHVT2ps1CStyfWEpgEBgO0mF8uTB6DgZ9a0eVxeGbMGd5tZUakNp2RlidDM4whWUv0M 0O7rLVZcZHWu/fWjEJEjJMzoBToDMXpISiLGDNrOMTeNNgGgkk++BVEs+KzHueeeIRUN /svS2VJKphxz7kBu7UJZZM6VSLaTOvswD6Uv+nlKNUAmYUXWcPTq3xOiSWiXCp2DX6ow SsEA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jEbQYyP6BgAuw8xGnRZCM6/4vllOz1pKvCPi8P60JEk=; b=Y04EFaE5ZUavZLewYkSN3LU7eMeM/hsmW9kMupOa5ilGQZ7nCgCKQ8twwxysPV/Mv0 PicMZvBzzqbQCJ5GhelSvHLnutL2xDxFO9ObV/6exn5tNmvCUrW8x/3+eaqH0mIIf67J NLoRqKyA62hC5L4Dz4dVBvNFyg4Z2mQrXAwBKOHPuLh0JZFo/OAZaijld/UPcYZ2NAKV 0+Lm+mmahYE62FaH5jbgY5YH/NeRIr4zGBeHn3N0DhKIRA0pu9K7iPXgqFRZfGG+i8fe zQOVAYSYCmTv6THrPoIROoVN77iEb/fzKE4uBXJtxmti4j1EDMT31kN3wXTAXuH9hPw2 0S3w==
X-Gm-Message-State: AOAM53201QAThbzw4vq/E3eX7YZsCn286Vv+6IZ4T5VFWLhKlipHGDAp wIL4v3N6AOWQy/r3vAg8Q3D/bS+xFK3w6PPl+UeGcA==
X-Google-Smtp-Source: ABdhPJzuEq4ymGYjBsRwFPv+ZbdTQozx2MeL1s3c8MC07yY3q4Wt3vQU5dFCg+B261bH4p4vbB3+NKw4E8mFyFu3iHs=
X-Received: by 2002:a25:ed7:: with SMTP id 206mr43745381ybo.136.1608075725196; Tue, 15 Dec 2020 15:42:05 -0800 (PST)
MIME-Version: 1.0
References: <CAMCkG5vAnEyUeRjjRuyuk_mRQEXX2ZdZffGamzGg2+AzjMp9kQ@mail.gmail.com> <CAD9ie-tk53ztCTA8U2bNmaB9dd9x0bK6JNyN=kOU+=RJ8zEUCw@mail.gmail.com> <CAMCkG5v3FTnNz878Fg85hV1vYpVo1QO=AF49yvDOacw9bLw-vQ@mail.gmail.com> <CAD9ie-uzYxw=+5jzPAWL7L4iOBqVmZ2O5v8qhJQkFbHA-S9UFg@mail.gmail.com>
In-Reply-To: <CAD9ie-uzYxw=+5jzPAWL7L4iOBqVmZ2O5v8qhJQkFbHA-S9UFg@mail.gmail.com>
From: Atul Tulshibagwale <atultulshi@google.com>
Date: Tue, 15 Dec 2020 15:41:53 -0800
Message-ID: <CAMCkG5uaVQu6nYtXqYTDv_ZTPxhR7ghu1NfPq7dZJD8y+i9v=Q@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: SecEvent <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005fc12605b6894e14"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/AYD5V-PoFdfK-a0t423yGsUFSYc>
Subject: Re: [Id-event] Options regarding SPAGs
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2020 23:42:09 -0000

Hi Dick,
Ideally, we would be able to discuss the complexity of SecEvent tokens and
whether SPAG belongs in a subject-identifier separately. However in this
case they seem somewhat intertwined. Nevertheless, I'm limiting my response
with the assumption that there is only one subject claim in a SecEvent.

Right now, restricting a SecEvent to be about one SPAG can work for the
events we have real use-cases for in SSE. We will still need SPAG as a
subject type of its own for control plane SecEvents, but we can define that
in the SSE spec if it is too specialized of a use case for the general
SecEvents Subject Identifiers spec.

That said, I'd like us to focus on what it means to have a "spag_id" claim
within a subject identifier. The way I see it, SPAGs basically capture the
namespace separation for referring to subjects that may otherwise be
ambiguous.

If we do not allow for adding SPAGs to the spec, we are basically saying to
multi-tenanted hosts that need such separation to always use the "iss-sub"
subject_type and form their own pseudo-standard of how to differentiate
between subject principals that belong to different SPAGs. I can think of
transmitters defining a URL pattern for the "iss" claim that can be parsed
to figure out the sub-organization that the "sub" is about. It'll work, but
the opportunity to standardize something that many transmitters and
receivers need is lost.

So, even if we do not think we should add SPAGs to the spec right now, I
feel we should not preclude higher-level specs from adding such common
claims as SPAGs (i.e. the option #2 in my first email).

Thanks,
Atul

On Thu, Dec 10, 2020 at 3:47 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> Hi Atul
>
> I echo Phil's concerns wrt. multi subject SecEvents.
>
> FYI: I am more interested in understanding the use cases so that we can
> explore the various solutions than review your proposed changes. A SAML
> subject type makes sense to me as it is another subject identifier that is
> commonly used.
>
> wrt. SPAG -- another option would be to wrap the secevent object in a SPAG
> object -- this would also enable binding multiple secevents together.
>
> Given what I understand of the use case, where one channel is being used
> to exchange SecEvents that belong to different transmitters and senders,
> wrapping the SecEvent preserves the semantics of a SecEvent, and the SPAG
> wrapper identifiers the SPAG on the channel. Would that not work?
>
> /Dick
> ᐧ
>
> On Fri, Dec 4, 2020 at 4:41 PM Atul Tulshibagwale <atultulshi@google.com>
> wrote:
>
>> Hi Dick,
>> #4 may not always be an option if the event has more than one subject
>> claim (e.g. for an event like "device transfer").
>>
>> Regarding other additions:
>> *Subject Categories*:
>> Earlier, I had proposed that a subject identifier of any subject_type
>> have an optional common claim named "subject_category", which could
>> identify the type of subject principal the subject identifier refers to.
>> However, since the future of this request in the Subject Identifiers spec
>> wasn't clear, we decided to add a new "subject_type" in the SSE spec,
>> called "user-device-session". The SSE spec draft defines the algorithm to
>> figure out the category of the subject principal based on the content of
>> this subject identifier.
>>
>> As a result of this new subject type definition in the SSE spec draft,
>> "subject_category" is no longer a requirement for the SSE work. However,
>> since the SSE spec is still being drafted, if the Subject Identifiers spec
>> has the ability to add a subject category claim to any subject_type, then
>> we can possibly change the SSE spec to make use of it.
>>
>> *SAML Subject Type*:
>> I had proposed that a SAML subject type be introduced in the Subject
>> Identifiers. This will help us send and receive events relating to a
>> specific SAML-based federated session. I thought this would be a common
>> subject type of interest to the Subject Identifiers spec. However, we have
>> now added it as a subject type in the SSE draft spec. If the Subject
>> Identifiers draft were to include this, it would be very easy for us to
>> remove this from the SSE draft spec.
>>
>> BTW a good way to look at all my proposed changes to the Subject
>> Identifiers draft is by reviewing my pull request here:
>> https://github.com/richanna/secevent/pull/1
>>
>> Thanks,
>> Atul
>>
>>
>> On Thu, Dec 3, 2020 at 5:43 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>>> I think there is also a fourth option:
>>>
>>> 4. a SPAG identifier can be placed in a separate top level object or top
>>> level property
>>>
>>> Atul: in the other thread, you mentioned that there were other additions
>>> that the OpenID Shared Signals and Events WG is interested in. Would you
>>> enumerate them as well so that we can address all potential issues?
>>>
>>>
>>> ᐧ
>>>
>>> On Thu, Dec 3, 2020 at 3:04 PM Atul Tulshibagwale <atultulshi=
>>> 40google.com@dmarc.ietf.org> wrote:
>>>
>>>> Hi all,
>>>> Based on Dick's request, I'd like to summarize the situation with SPAGs
>>>> here.
>>>>
>>>> *Background*:
>>>> The present Subject Identifiers draft
>>>> <https://github.com/richanna/secevent/blob/1fd045d251ff3c6be9a500c6a78d895be3c6b2bf/draft-ietf-secevent-subject-identifiers.txt>
>>>> forbids a subject identifier of a specific subject_type from having any
>>>> claims that are not described in the subject_type. This prevents
>>>> higher-level specs from proposing any additional claims to be included in
>>>> subject identifiers of subject types that are defined in the Subject
>>>> Identifier spec.
>>>>
>>>> *SPAGs*:
>>>> Subject Principal Administrative Groupings or SPAGs are an addition to
>>>> the OpenID "Shared Signals and Events Profile of SETs"
>>>> <https://bitbucket.org/openid/risc/src/caep-draft-01/openid-sse-profile-2_0.txt>,
>>>> which is a revision of the "RISC Profile of SETs
>>>> <https://bitbucket.org/openid/risc/src/master/openid-risc-profile-1_0.txt>".
>>>> The present draft of the SecEvents Subject Identifiers spec is derived from
>>>> a section in this RISC Profile. The SSE Profile now refers to the SecEvents
>>>> Subject Identifiers draft.
>>>>
>>>> SPAGs are required to address the following needs:
>>>>
>>>>    1. Disambiguate a subject identifier if it belongs to more than one
>>>>    sub-organizations. For example, if the subject claim in an event is of the
>>>>    subject type "email", then a SPAG may be used to specify the
>>>>    sub-organization the specified email should be scoped down to. A dynamic
>>>>    organization may have the same email in multiple sub-organizations, and the
>>>>    event may apply to only one such sub organization.
>>>>    2. Provide a lighter weight mechanism to start and stop event
>>>>    streams for sub-organizations. These could be OUs or dynamic groups within
>>>>    an organization, or separate tenants in a multi-tenanted transmitter or
>>>>    receiver.
>>>>
>>>> *Requirements from Subject Identifiers*:
>>>>
>>>>    1. A SPAG may be specified as an additional attribute of a subject
>>>>    identifier with any subject type, in order to disambiguate and scope the
>>>>    event with that subject identifier.
>>>>    2. A SPAG may be a new subject type of its own when it is used in
>>>>    an event that specifies the starting or stopping of a stream.
>>>>
>>>> *Options*:
>>>> The following options are possible to address this requirement.
>>>>
>>>>    1. *Minimal Change to the present Subject Identifiers draft*:
>>>>    Remove the words "or not described" on line 247
>>>>    <https://github.com/richanna/secevent/blob/1fd045d251ff3c6be9a500c6a78d895be3c6b2bf/draft-ietf-secevent-subject-identifiers.txt#L247>.
>>>>    This way a higher-level spec that needs to add additional attributes to all
>>>>    subject identifiers used in that spec can add them and specify the
>>>>    additional attributes' optional or required nature. In this option, SPAGs
>>>>    will be defined in the SSE profile spec.
>>>>    2. *Include SPAGs in the Subject Identifiers spec*: Include
>>>>    language for SPAGs proposed earlier in this list, so that:
>>>>       1. Subject Principals and SPAGs are defined in the Subject
>>>>       Identifiers spec
>>>>       2. An additional attribute named "spag_id" is added as an
>>>>       optional attribute of any subject_type.
>>>>       3. An additional subject_type "spag" is defined (this is used
>>>>       primarily for "control plane" events.)
>>>>    3. *Do both 1. and 2*: With this, we will address the issue that
>>>>    higher-level specs cannot insert additional attributes in predefined
>>>>    subject types, and define SPAGs within the Subject Identifiers spec.
>>>>
>>>> Thanks,
>>>> Atul
>>>>
>>>> _______________________________________________
>>>> Id-event mailing list
>>>> Id-event@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/id-event
>>>>
>>>

v2.23.0 | Report a Bug | By Email