IETF Logo Mail Archive

Re: [Id-event] Subject Identifiers - Working Group Last Call

"Richard Backman, Annabelle" <richanna@amazon.com> Fri, 11 June 2021 21:36 UTC

Return-Path: <prvs=789756510=richanna@amazon.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2D803A0C19 for <id-event@ietfa.amsl.com>; Fri, 11 Jun 2021 14:36:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.293
X-Spam-Level:
X-Spam-Status: No, score=-10.293 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 36nL3F_Aswu7 for <id-event@ietfa.amsl.com>; Fri, 11 Jun 2021 14:36:22 -0700 (PDT)
Received: from smtp-fw-33001.amazon.com (smtp-fw-33001.amazon.com [207.171.190.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 218D83A0C1E for <id-event@ietf.org>; Fri, 11 Jun 2021 14:36:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1623447382; x=1654983382; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=ifAOc7A2n0V3pQCtX83GhGUvRQRwHpLude1s43na2Z8=; b=nePNNkWUMl3ZpOUZ5DduBNt4OnDh+IxE0LzQEXathfF/qxWIgx5OVQr4 alFPK+u5axubowRPb2UJe2ErQi32jsRSoaoMp/+OG97CZmVxGs/vlIaBf XMaHL66C+c8DQySKgpItej11z6HKsZ7xCAkEn1iDO+bxQTsV1WezxoR4+ s=;
X-IronPort-AV: E=Sophos;i="5.83,267,1616457600"; d="scan'208,217";a="130564797"
Thread-Topic: [Id-event] Subject Identifiers - Working Group Last Call
Received: from pdx4-co-svc-p1-lb2-vlan2.amazon.com (HELO email-inbound-relay-2a-53356bf6.us-west-2.amazon.com) ([10.25.36.210]) by smtp-border-fw-33001.sea14.amazon.com with ESMTP; 11 Jun 2021 21:36:21 +0000
Received: from EX13MTAUWB001.ant.amazon.com (pdx1-ws-svc-p6-lb9-vlan2.pdx.amazon.com [10.236.137.194]) by email-inbound-relay-2a-53356bf6.us-west-2.amazon.com (Postfix) with ESMTPS id 3B7B2A1F5F; Fri, 11 Jun 2021 21:36:20 +0000 (UTC)
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13MTAUWB001.ant.amazon.com (10.43.161.249) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Fri, 11 Jun 2021 21:36:19 +0000
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13D11UWC004.ant.amazon.com (10.43.162.101) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Fri, 11 Jun 2021 21:36:19 +0000
Received: from EX13D11UWC004.ant.amazon.com ([10.43.162.101]) by EX13D11UWC004.ant.amazon.com ([10.43.162.101]) with mapi id 15.00.1497.018; Fri, 11 Jun 2021 21:36:19 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Denis <denis.ietf@free.fr>
CC: Yaron Sheffer <yaronf.ietf@gmail.com>, Dick Hardt <dick.hardt@gmail.com>, SecEvent <id-event@ietf.org>, Roman Danyliw <rdd@cert.org>, Marius Scurtescu <marius.scurtescu@coinbase.com>
Thread-Index: AQHXUx/i2brOqTwAKE6B5CoUWokk1KsPbWGA
Date: Fri, 11 Jun 2021 21:36:19 +0000
Message-ID: <5C8ED52A-EDB7-4CD3-AA6D-5B609F92EC38@amazon.com>
References: <CAD9ie-uSbNHq=Mt3ohA=URf5rv2hz7YUdUMhOf80C_f=XBrGLA@mail.gmail.com> <36D66A89-D178-6047-B270-73AD540E7FAD@hxcore.ol> <81b58b05-97b6-d910-6b58-4b565ae6ea57@free.fr>
In-Reply-To: <81b58b05-97b6-d910-6b58-4b565ae6ea57@free.fr>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.120.23.2.7)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.161.201]
Content-Type: multipart/alternative; boundary="_000_5C8ED52AEDB74CD3AA6D5B609F92EC38amazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/BAopuLv7jipFq5N2bNsq9WB_DyQ>
Subject: Re: [Id-event] Subject Identifiers - Working Group Last Call
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jun 2021 21:36:27 -0000

Apologies for the delayed response to this! Responses inline.

—
Annabelle Backman (she/her)
richanna@amazon.com<mailto:richanna@amazon.com>




On May 27, 2021, at 10:42 AM, Denis <denis.ietf@free.fr<mailto:denis.ietf@free.fr>> wrote:


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.


I believe that this document should be enhanced on three aspects that are currently not addressed.

Section 3.1 (Identifier Formats versus Principal Types) states:
Identifier Formats define how to encode identifying information for a subject.  They do not define the type or nature of the subject itself.
 While this statement is correct, it should be remembered that the title of this document is:

" Subject Identifiers for Security Event Tokens"

and is not:

" Subject Identifiers Formats for Security Event Tokens".

Therefore it would be possible to add optional attributes/characteristics to Subject Identifiers which relate to two different topics:

-          the granularity of the identification and
-          the correlation operations that may be either performed or prevented using some values contained in a specific format.

1. Granularity of the identification

A subject identifier may be able to identify an entity either individually or as a member of a group.

In order to be able to make the difference, an optional class attribute should be defined which may take one out of two values:

  *   "ind" to indicate an individual identifier or
  *   "grp" to indicate a group identifier.

Examples:

 "format": "email",
     "class": "ind"
     "email": "tom.jones@example.com"<mailto:tom.jones@example.com>

"format": "email",
     "class": "grp"
     "email": "marketing@example.com"<mailto:marketing@example.com>


[richanna]
This seems like it should be a claim about the subject, rather than a part of the identifier. It only needs to be part of the identifier if it is necessary in order to sufficiently identify the subject given the context.
[/richanna]


2. Correlation operations that may be either performed or prevented

Currently, the Privacy Considerations section only addresses one correlation case where a JWT would have both "sub" and "sub_id" JWT claims.
While it is appropriate to mention such a case, other correlation cases exist.

These cases become visible if the "sub_id" contains an optional subject identifier type attribute.

A subject identifier type attribute would be able to support four values: guid, shared, unique and tmp.

-          a guid type indicates a globally unique identifier. Such subject identifier type allows service providers or other servers to link their accounts
        as soon as they use the same guid.

-          an issuer and subject pair (i.e. a subject identifier with the iss_sub format) where the subject identifier format would include :
-          a shared identifier type (shared) to indicate a subject identifier shared by several service providers
        (such subject identifier type allows service providers to link their accounts), or

-          a unique identifier type (unique) to indicate a subject identifier specific to a single service provider
        (such subject identifier type does not allow service providers or servers to link their accounts), or
-          a temporary identifier type (tmp) to indicate a subject identifier issued only once by the issuer (sometimes called session identifier).
        (such subject identifier type does not allow any service provider to perform any linkage between accounts, even on a single service provider). .

Examples:

"format": "opaque",
     "type": "guid"
     "id": "11112222333344445555"

"format": "iss_sub",
     "type": "shared"
     "iss": "http://issuer.example.com/"<http://issuer.example.com/>,
     "sub": "145234573"

"format": "iss_sub",
     "type": "unique"
     "iss": "http://issuer.example.com/"<http://issuer.example.com/>,
     "sub": "145234573"

"format": "opaque",
     "type": "tmp"
     "id": "11112222333344445555"


[richanna]
Are there use cases in which an event processor would behave differently based on this value?
[/richanna]

3. Hierarchical group memberships, functional group memberships and roles.

Examples of group identifiers are : hierarchical group memberships, functional group memberships and roles.
It would be useful to define one format for these common groups: one or more character strings separated by the character slash.
for both hierarchical (hgrp) and functional group memberships (fgrp) and roles (role):

Examples:

"format": "hgrp",
     "hgrp": "marketing/customer relationships"

"format": "fgrp",
     "fgrp": " university/science/teacher"

"format": "role",
     "role": "auditor"


[richanna]
These seem like principal types to me, not identifier formats.
[/richanna]


4. Two nits:
   (...) ways. (e.g., a host might be identified by an IP or MAC address,
   while a user might be identified by an email address) Furthermore,
The punctuation point should be moved after the closing parenthesis.
7.1.  Confidentiality and Integrity

   This specification does not define any mechanism for ensuring the
   confidentiality or integrityi of a Subject Identifier.
Change "integrityi" into "integrity".

Denis

Thank you Dick and the authors.

With my co-chair hat off, I support progressing this document. I also have a couple comments:

3.2.2: The text refers twice to "alias" subject IDs, but the format is now named "aliases".

Fig. 14 seems to be in conflict with the requirement to have a single subject for the JWT ("a JWT has one and only one JWT Subject"). Yes, maybe Elizabeth has a second email address, but we cannot assume that applications have this kind of logic. Similarly, the subject-related discussion in Sec. 4.2 (which is arguably a bit vague) as well as Fig. 18 seems to allow two different subjects within the JWT.

Thanks,
                Yaron

From: Dick Hardt <dick.hardt@gmail.com><mailto:dick.hardt@gmail.com>
Date: Wednesday, May 26, 2021 at 23:22
To: SecEvent <id-event@ietf.org><mailto:id-event@ietf.org>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com><mailto:yaronf.ietf@gmail.com>, Richard Backman, Annabelle <richanna=40amazon.com@dmarc.ietf.org><mailto:richanna=40amazon.com@dmarc.ietf.org>, Roman Danyliw <rdd@cert.org><mailto:rdd@cert.org>, Marius Scurtescu <marius.scurtescu@coinbase.com><mailto:marius.scurtescu@coinbase.com>
Subject: Subject Identifiers - Working Group Last Call
Hello WG

Thanks to Annabelle (and Marius) for the latest update:

https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers-08

Yaron and I would like to make another working group last call on this draft. We are hopeful there will be enough feedback on this draft from people that have reviewed it for us to recommend the draft progressing to the next step.

Please review and respond if you are supportive of this draft, and if you are not supportive, please clarify your concerns.

Dick and Yaron

[Image removed by sender.]ᐧ


_______________________________________________
Id-event mailing list
Id-event@ietf.org<mailto:Id-event@ietf.org>
https://www.ietf.org/mailman/listinfo/id-event

v2.23.0 | Report a Bug | By Email