Re: [Id-event] "aud" vs. receiver issue raised in WGLC
Marius Scurtescu <mscurtescu@google.com> Tue, 24 October 2017 00:53 UTC
Return-Path: <mscurtescu@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2227813AB66 for <id-event@ietfa.amsl.com>; Mon, 23 Oct 2017 17:53:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.45
X-Spam-Level:
X-Spam-Status: No, score=-0.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NxEtuR7PtlIM for <id-event@ietfa.amsl.com>; Mon, 23 Oct 2017 17:53:12 -0700 (PDT)
Received: from mail-it0-x235.google.com (mail-it0-x235.google.com [IPv6:2607:f8b0:4001:c0b::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C470B139507 for <id-event@ietf.org>; Mon, 23 Oct 2017 17:53:11 -0700 (PDT)
Received: by mail-it0-x235.google.com with SMTP id l196so8108066itl.4 for <id-event@ietf.org>; Mon, 23 Oct 2017 17:53:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=VA+OON5GLVLp8OqsO5KxmKVsKsDz87guKKkRY5Fo2rQ=; b=EHn5IUTanBrgaLJWluf5ruWjYSxud33YWvgKNjV1D7UIR2kYvUTpn94RNtMkXfiG85 TURgfY8tcqY2/Lf2ui/P/8kBaGCn3l31bUzfokhXm2zCgngk4E/VqGD0iFYgyC9xjLqH y8vtTUjIiS4lULDDsJJDQq5HeQSzE/EHHV+3Uh4HinnCBl1dnmzFQ4ufKbfIUXO0LBKk MUO5M4noUB9g57QkOk29cBrjKyjTaETB+KlPdZg8/U8/RH0z8YEFtnC/IrMeAICxdAcU purj34plXPW7jboF+J4r3xz3e4R5gjPiWy9NAOEzSd4hH/cx3j/FlRxtQHmYiBX7q2NN axnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=VA+OON5GLVLp8OqsO5KxmKVsKsDz87guKKkRY5Fo2rQ=; b=pxTuMWaFV5By0dDhcckloyffHnhI9/cDKc5HzxY10j1hs/0PLbQchQzmK38ihCUOb7 a+jpFiRCO0CzT7uSuLrH/LmKddR7Au920JlGTE8jIStJirk91BE2PdhVLBJUFanVRbIL bjo7CB/G0d2/1NWuXZo6AMBmj+YEwHpyAMuuArvEuMEc6kEObY6BlkQUKGVm09HF8HRW Z0JozNSeNSPtnjzKphqDl8HYcwmlCnxN99TMLodsSFMlGX+2tgq976Ll1JO73PedNs7d Gz9w9Z5F5adaRf1g7IxvvOmE7b53Phs25n6QDKT8cf1z0wQf2DW+yKkTIEs5MXB8lg/4 HODQ==
X-Gm-Message-State: AMCzsaUiMKq4MZ7RIkRmvHVDZcRGGdlPEBX0etVGV+Jtth/xvj5CNVq7 ktwOkm2cq1cImslhHluJl2GlMTHx68DiNaIUYLADkQ==
X-Google-Smtp-Source: ABhQp+SDKRyOrG1FTGWk2I8N7YVCzNmbAzaAMwygPg8HCyLIFCSPo4rK42vUetpnlHExBo75C35V8JD8L188VnN6fK0=
X-Received: by 10.36.120.136 with SMTP id p130mr11439826itc.54.1508806390673; Mon, 23 Oct 2017 17:53:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.34.9 with HTTP; Mon, 23 Oct 2017 17:52:49 -0700 (PDT)
In-Reply-To: <73EA53D2-55F8-46EB-99BA-41516D844559@oracle.com>
References: <e6649728-f94a-93f5-9885-c948a5b0ed49@gmail.com> <CAGdjJpJtfV9q2iaL-uao1b7XpQjx5uJrX=fnoM36POXLFYrqow@mail.gmail.com> <fa06137b-516f-4a57-8ed5-08cd2cc63af6@sit.fraunhofer.de> <71FA69AE-F8F6-45AB-9550-36BC9395DE32@gmail.com> <684D9C6F-C59A-4850-9A1B-24A026278A62@oracle.com> <CAGdjJpLYxzUqOGxZ9oTLiCzZAwffTEqjxBYNtZO09nF6RnzOAA@mail.gmail.com> <7DAF5B83-F6DB-4015-A011-AB6E13C46B81@oracle.com> <CAGdjJpJtP7w-wL3Pj=QODOjc9m15z0Ssd+8bwxX684c-t1bbiQ@mail.gmail.com> <5FF78162-D0FF-4742-90BF-9A12BA299D06@oracle.com> <CAGdjJpLVKveRGp3RSnxjUgqjv2bmgxZWTNcajRDNG0C2wKG1iw@mail.gmail.com> <73EA53D2-55F8-46EB-99BA-41516D844559@oracle.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Mon, 23 Oct 2017 17:52:49 -0700
Message-ID: <CAGdjJpJGh0DAMT-ZUGZ8dYy7cqcS8L8NfSbtthUuYhLQCJJzvg@mail.gmail.com>
To: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Cc: ID Events Mailing List <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="001a114ab8e4f4080c055c405c7e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/DMOwIX0xwvFvojQJ8bCU3_dMF8M>
Subject: Re: [Id-event] "aud" vs. receiver issue raised in WGLC
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Oct 2017 00:53:15 -0000
I raised a wording issue, not sure if it still applies: "The abstract mentions "issuer" and "receiver" in the last sentence. "receiver" does not sound right (that should be used in the context of a transmitter), but I don't have a better suggestion. Audience? The last paragraph of section 1 mentions "subscriber". I think it should be either "receiver" or "audience"." Marius On Mon, Oct 23, 2017 at 5:49 PM, Phil Hunt (IDM) <phil.hunt@oracle.com> wrote: > Ok. But you raised the concern. Are you withdrawing it? > > Phil > > On Oct 23, 2017, at 5:47 PM, Marius Scurtescu <mscurtescu@google.com> > wrote: > > On Mon, Oct 23, 2017 at 4:15 PM, Phil Hunt <phil.hunt@oracle.com> wrote: > >> It’s quite relevant to those with distributed architectures. >> >> If an Event Stream requires that SETs need to be encrypted (using JWE), >> the SETs needs to be encrypted so the “receiver" can read it. Regardless, >> “aud” should be interpreted by the traditional JWT method which suggests >> the security domain the event is for. For example, a web site relying >> party does not have the capability to process (or issue) events itself (eg. >> because of a distributed architecture). The relying party assigns another >> entity the role of Event Receiver (or Transmitter). >> >> The problem being that If the “set” is encrypted for “aud” then only the >> “aud” entity can read the SET which will make it impossible to for another >> server to handle or worse, it would require sharing of private keys. >> > > The RP controls the configuration of the stream, so they can specify an > endpoint that belongs to the outsourced receiver and they can also specify > an encryption key that is controlled by the outsourced receiver. The RP > does not need access to the private key at all. > > I still think it is irrelevant to the transmitter, or to this spec. I > agree it is totally relevant for the RP, > > > >> Phil >> >> Oracle Corporation, Identity Cloud Services Architect >> @independentid >> www.independentid.com >> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.independentid.com&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=CB-Hkcxglh-YNhXysOrrok_4zCGDYpxX49Xsuqtk5xM&s=yLs1cTxnvZUXAqt72qLGSJmz0X3EKVE6yNBJ0nsVUgo&e=> >> phil.hunt@oracle.com >> >> On Oct 23, 2017, at 3:58 PM, Marius Scurtescu <mscurtescu@google.com> >> wrote: >> >> I think "aud" should point to the Receiver, the outsourcing is irrelevant. >> >> Nothing needs to change here IMO. >> >> Marius >> >> On Mon, Oct 23, 2017 at 3:55 PM, Phil Hunt <phil.hunt@oracle.com> wrote: >> >>> It seems reasonable to further clarify that the definition of a receiver >>> could be improved. >>> >>> I propose to change from: >>> >>> Event Receiver >>> An Event Receiver is an entity that receives SETs through some >>> distribution method. >>> >>> >>> To: >>> >>> Event Receiver >>> An Event Receiver is an entity that receives SETs through some >>> distribution method. An Event Receiver MAY be a different >>> >>> entity than that described by the “aud” claim. >>> >>> >>> Phil >>> >>> Oracle Corporation, Identity Cloud Services Architect >>> @independentid >>> www.independentid.com >>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.independentid.com&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=fDB9pNmWNg5BPXoRtaXXB1Iz_tq5wICJLi5itJHRai0&s=Ee7RsPFKzheWNvOz1Ut9gCvs_2bw0DE6GEeg-S0KMyE&e=> >>> phil.hunt@oracle.com >>> >>> On Oct 23, 2017, at 2:38 PM, Marius Scurtescu <mscurtescu@google.com> >>> wrote: >>> >>> I think "aud" is perfectly fine. >>> >>> IMO it should make no difference for the Transmitter that the event is >>> actually handled by an outsourced entity, the RP trusts that entity and the >>> event is generated and targeted to the RP and not to the current outsourced >>> processor. >>> >>> Marius >>> >>> On Mon, Oct 23, 2017 at 10:57 AM, Phil Hunt <phil.hunt@oracle.com> >>> wrote: >>> >>>> >>>> All, >>>> >>>> I am reviewing the previous feedback from WGLC and will be bringing up >>>> any unresolved issues for quick discussion/confirmation… >>>> >>>> Following up on Marius and Henk’s comment, I am concerned that “aud” >>>> has a very specific meaning and is often tied to a security domain >>>> definition. We should not necessarily say this is the receiver though it >>>> often turns out to be. For example a RP (“aud”) has outsourced events >>>> processing to a third party (the so called receiver). >>>> >>>> I am happy with the current claim set, but maybe some text explaining >>>> that a receiver does not have to be the aud is appropriate? I don’t see >>>> any benefit to having a receiver claim as this could complicate processing >>>> more than its worth. >>>> >>>> There are a few other comments in this thread, but this one seemed the >>>> most unresolved. >>>> >>>> Phil >>>> >>>> >>>> On Aug 3, 2017, at 8:03 AM, Henk Birkholz < >>>> henk.birkholz@sit.fraunhofer.de> wrote: >>>> >>>> Hello, >>>> >>>> to me, the "audience" claim seems to be a good choice here. >>>> >>>> Viele Grüße, >>>> >>>> Henk >>>> >>>> On 08/02/2017 11:45 PM, Marius Scurtescu wrote: >>>> >>>> The abstract mentions "issuer" and "receiver" in the last sentence. >>>> "receiver" does not sound right (that should be used in the context of a >>>> transmitter), but I don't have a better suggestion. Audience? >>>> The last paragraph of section 1 mentions "subscriber". I think it >>>> should be either "receiver" or "audience". >>>> The explanation for figure 1 states that the issuer denotes the >>>> transmitter. If the issuer and the transmitter are assumed to be the same >>>> entity, then the transmitter definition in section 1.2 should make that >>>> clear. >>>> Figure 3, I think the "sub" claim should be nested in the event, next >>>> to the issuer that provides the correct context. The "iss" and "sub" >>>> definitions in 2.1 also touch on this, providing conflicting advice. >>>> Section 2,1, definition of "nbf". The definition says that this is the >>>> event time. I see two problems: >>>> - the name suggest "not before", not exactly the same as event time >>>> - there can be multiple events >>>> maybe this claim should be dropped? >>>> Section 2.1, definition of "exp". Omitting this claim is the short term >>>> solution to the confusion issue. Why not mention that and that it SHOULD >>>> NOT be used? >>>> Section 2.1, definition of "events". It states that all events must >>>> refer to the same logical event. Lately in discussions we reached the >>>> conclusion that all events in a SET should be defined in the same profile, >>>> which is a stronger requirement. I think this definition should mention >>>> that. >>>> Regarding events and profiles. There was a proposal to add a new claim >>>> to uniquely identify the profile. I think we need to discuss that. >>>> Figure 5. Maybe a signed example would be better, especially that the >>>> next paragraph mentions that signatures or encryption should be used. >>>> Section 4.5, second paragraph. Mentions that "nonce" is also required, >>>> but that is not actually true. Id Tokens issued at the token endpoint for >>>> example will not have it. I suggest we drop the whole paragraph. >>>> Marius >>>> On Mon, Jul 31, 2017 at 1:40 PM, Yaron Sheffer <yaronf.ietf@gmail.com < >>>> mailto:yaronf.ietf@gmail.com <yaronf.ietf@gmail.com>>> wrote: >>>> This is to announce working group last call on this draft >>>> (https://urldefense.proofpoint.com/v2/url?u=https-3A__dat >>>> atracker.ietf.org_doc_draft-2Dietf-2Dsecevent-2Dtoken_&d=DwI >>>> GaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRr >>>> KugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS >>>> 7pQLXEZEWA2F1i7bfAuUY&s=9SIT98RlAb1C9Md1W54IRl6cxjlKfjqT99u5-Ojw4Fw&e= >>>> <https://urldefense.proofpoint.com/v2/url?u= >>>> https-3A__datatracker.ietf.org_doc_draft-2Dietf-2Dsecevent-2 >>>> Dtoken_&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK >>>> 10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV9 >>>> SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY&s=9SIT98RlAb1C9Md1W54IRl6 >>>> cxjlKfjqT99u5-Ojw4Fw&e= >). >>>> Please send your comments to the list. Even if you are perfectly >>>> happy with the draft, please let us know that you support its >>>> publication as-is by posting to the list. >>>> Because of the summer holidays, this last call is open for 3 weeks, >>>> until Aug. 21. >>>> Thanks, >>>> Dick and Yaron >>>> _______________________________________________ >>>> Id-event mailing list >>>> Id-event@ietf.org <mailto:Id-event@ietf.org <Id-event@ietf.org>> >>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www. >>>> ietf.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCga >>>> WHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEi >>>> vzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfA >>>> uUY&s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e= <ht >>>> tps://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf. >>>> org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCgaWHvlZ >>>> YR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjW >>>> wlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuU >>>> Y&s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e= > >>>> _______________________________________________ >>>> Id-event mailing list >>>> Id-event@ietf.org >>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.iet >>>> f.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCgaWHv >>>> lZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzj >>>> WwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY >>>> &s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e= >>>> >>>> >>>> _______________________________________________ >>>> Id-event mailing list >>>> Id-event@ietf.org >>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.iet >>>> f.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCgaWHv >>>> lZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzj >>>> WwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY >>>> &s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e= >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> Id-event mailing list >>>> Id-event@ietf.org >>>> https://www.ietf.org/mailman/listinfo/id-event >>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=qgzi6hIQUdXUCZu3X2lrQFAdGZO2O9szzwPah2M8LX0&s=kr9e2Ob_q0g5BinjBOLJAjrZeWIcrCNx9O1jax-Bs8o&e=> >>>> >>>> >>> >>> >> _______________________________________________ >> Id-event mailing list >> Id-event@ietf.org >> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.iet >> f.org_mailman_listinfo_id-2Devent&d=DwICAg&c=RoP1YumCXCgaWHv >> lZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivz >> jWwlNKe4C_lLIGk&m=fDB9pNmWNg5BPXoRtaXXB1Iz_tq5wICJLi5itJHRai >> 0&s=7M0OleTd4BpCbNMHkA9Vif8ucznK2XkdYp7wB0zI3N0&e= >> >> >> >
- [Id-event] WG Last Call for draft-ietf-secevent-t… Yaron Sheffer
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Mike Jones
- Re: [Id-event] WG Last Call for draft-ietf-seceve… John Bradley
- Re: [Id-event] WG Last Call for draft-ietf-seceve… William Denniss
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Phil Hunt
- Re: [Id-event] WG Last Call for draft-ietf-seceve… M.Lizar@OCG
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Nat Sakimura
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Phil Hunt
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Adam Dawes
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Richard Backman, Annabelle
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Phil Hunt
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Richard Backman, Annabelle
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Phil Hunt
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Richard Backman, Annabelle
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Marius Scurtescu
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Henk Birkholz
- [Id-event] "aud" vs. receiver issue raised in WGLC Phil Hunt
- Re: [Id-event] "aud" vs. receiver issue raised in… Mike Jones
- Re: [Id-event] "aud" vs. receiver issue raised in… Marius Scurtescu
- Re: [Id-event] "aud" vs. receiver issue raised in… Phil Hunt
- Re: [Id-event] "aud" vs. receiver issue raised in… Marius Scurtescu
- Re: [Id-event] "aud" vs. receiver issue raised in… Phil Hunt
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Mike Jones
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Mike Jones
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Mike Jones
- Re: [Id-event] "aud" vs. receiver issue raised in… Marius Scurtescu
- Re: [Id-event] "aud" vs. receiver issue raised in… Phil Hunt (IDM)
- Re: [Id-event] "aud" vs. receiver issue raised in… Marius Scurtescu
- Re: [Id-event] "aud" vs. receiver issue raised in… Phil Hunt (IDM)
- Re: [Id-event] "aud" vs. receiver issue raised in… Mike Jones
- Re: [Id-event] "aud" vs. receiver issue raised in… Phil Hunt
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Benjamin Kaduk
- Re: [Id-event] "aud" vs. receiver issue raised in… Mike Jones
- Re: [Id-event] "aud" vs. receiver issue raised in… Phil Hunt