Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

Marius Scurtescu <mscurtescu@google.com> Wed, 01 March 2017 23:55 UTC

In-Reply-To: <CAAP42hANJNA62Zkhpv96snpk7O8-cUfwMtooCuhyN242vEMkfA@mail.gmail.com>
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com> <CAAP42hAPZOHn-37wYrOy7OcvNuqWdXtSSMHxb_AoW7kXeAy4wA@mail.gmail.com> <CY4PR21MB050423CEEA9AB0CC64F0973FF5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hD8FbZSKWiorKSZHqiidak4Gf071xKTD2d9EvZa13mt5g@mail.gmail.com> <CY4PR21MB05047835E14B3D375C0538F6F5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hB63GC9=7nqiayjnD9i5RG7Yu7CJVCtDZpNWTgLMrDJ8w@mail.gmail.com> <0D17E1B4-D8C1-4241-8D11-8C0C700DD1D5@oracle.com> <CAAP42hANJNA62Zkhpv96snpk7O8-cUfwMtooCuhyN242vEMkfA@mail.gmail.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Wed, 01 Mar 2017 15:54:56 -0800
Message-ID: <CAGdjJpLEX06CsLFH4u4YicP1qbW1Q8yjFhZjSovFRJzQv7B1bQ@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/Alv0-UpG3d_Uo-qEcAIMNO6P2Sg>
Cc: Mike Jones <Michael.Jones@microsoft.com>, ID Events Mailing List <id-event@ietf.org>, "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

We also talked about adding another claim that defines the type or purpose
of the JWT ("access token", "SET", etc). In a way it is the only sane
option, but it is not addressing existing implementations. Asking
implementors to "be careful" is asking for trouble IMO, especially because
systems evolve by incrementally adding functionality.

Marius

On Wed, Mar 1, 2017 at 12:44 PM, William Denniss <wdenniss@google.com>
wrote:

> OK so perhaps the "URI" thing is overly restrictive.
>
> I guess the security consideration I'm recommending here is that you
> shouldn't have multiple systems that issue JWTs with the same iss/aud
> tuple, except when those systems are tightly coupled (as is the case with
> Connect & Logout).
>
> If a shared issuer is used, then URI-based namespacing is *one* way to
> avoid this, but there are others.
>
> I'm trying to avoid the need for SET to "break" possible use in access
> tokens (one of the stated goals in the original post) – I think having
> advice like this can avoid normative language that changes, and overly
> complicates SET.
>
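The confusion discussed in this thread, with the type/purpose claim Marius mentions as the fix, as an added example that is not part of the thread or of any SET implementation: two systems mint JWTs under one iss/aud tuple, a resource server that checks only signature, iss and aud accepts the logout SET as an access token, and one that also requires the hypothetical `purpose` claim rejects it. The key, issuer, audience, claim name and event name bindings are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-shared-hmac-key"        # constructed demo key (both issuers share it)
ISS = "https://issuer.example"               # constructed: same iss used by both systems
AUD = "https://rp.example"                   # constructed: same aud used by both systems
PURPOSE_CLAIM = "purpose"                    # hypothetical name for the type/purpose claim
# (RFC 8417 later put this role in the JOSE "typ" header, value "secevent+jwt".)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict) -> str:
    """Minimal HS256 JWS in compact serialization: header.payload.signature."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify(token: str) -> "dict | None":
    """Return the claims if the HMAC signature checks out, else None."""
    header, payload, sig = token.split(".")
    expected = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return json.loads(_unb64(payload))

def accept_as_access_token(token: str, require_purpose: bool) -> bool:
    """Resource-server check. Without require_purpose it looks only at
    signature, iss and aud, which is exactly what lets a SET minted by a
    co-located issuer pass as an access token."""
    claims = verify(token)
    if claims is None or claims.get("iss") != ISS or claims.get("aud") != AUD:
        return False
    return not require_purpose or claims.get(PURPOSE_CLAIM) == "access_token"

# Constructed sample tokens from two systems that share the iss/aud tuple.
ACCESS_TOKEN = mint({"iss": ISS, "aud": AUD, "sub": "user-123", "scope": "read",
                     PURPOSE_CLAIM: "access_token"})
LOGOUT_SET = mint({"iss": ISS, "aud": AUD, "sub": "user-123", "jti": "evt-1",
                   "events": {"http://schemas.openid.net/event/backchannel-logout": {}},
                   PURPOSE_CLAIM: "SET"})
```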