Re: [Id-event] draft-scurtescu-secevent-event-stream-mgmt-api-00
Phil Hunt <phil.hunt@oracle.com> Fri, 01 September 2017 22:50 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E21113443C for <id-event@ietfa.amsl.com>; Fri, 1 Sep 2017 15:50:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.32
X-Spam-Level:
X-Spam-Status: No, score=-2.32 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eYsVndWQoPx0 for <id-event@ietfa.amsl.com>; Fri, 1 Sep 2017 15:50:35 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CE11132EBD for <id-event@ietf.org>; Fri, 1 Sep 2017 15:50:35 -0700 (PDT)
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v81MoYSR009531 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <id-event@ietf.org>; Fri, 1 Sep 2017 22:50:34 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id v81MoXmJ026833 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <id-event@ietf.org>; Fri, 1 Sep 2017 22:50:34 GMT
Received: from abhmp0001.oracle.com (abhmp0001.oracle.com [141.146.116.7]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v81MoXLc014193 for <id-event@ietf.org>; Fri, 1 Sep 2017 22:50:33 GMT
Received: from [192.168.1.46] (/70.70.142.148) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 01 Sep 2017 15:50:33 -0700
From: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3A05A191-2AD3-4B9C-AEE9-393A08ACA469"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Fri, 01 Sep 2017 15:50:38 -0700
References: <CAGdjJpLPjTjS=yXPDYZbVh50WSV8wx4JvHfT5msALAr1E3kNFQ@mail.gmail.com>
To: ID Events Mailing List <id-event@ietf.org>
In-Reply-To: <CAGdjJpLPjTjS=yXPDYZbVh50WSV8wx4JvHfT5msALAr1E3kNFQ@mail.gmail.com>
Message-Id: <F12B7CA4-821B-42F2-8600-5DC32FB31935@oracle.com>
X-Mailer: Apple Mail (2.3273)
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/E4hbfIF9G-WAeMqN0W7BROCA2KA>
Subject: Re: [Id-event] draft-scurtescu-secevent-event-stream-mgmt-api-00
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Sep 2017 22:50:38 -0000
This is to provide feedback on the proposal submitted by Marius [0]. I do not believe the draft [0] is close to ready for adoption. I am concerned that the design unnecessarily complicates and limits implementation for many tenancy and/or enterprise focused cloud vendors, as well as enterprise organizations that need to receive or send SETs. This applies to all of the areas proposed: RISC, OAuth Revocation, OIDC Backchannel Logout, SCIM, etc. The following is a list of items that are of concern: * Metadata is far from complete - this is to be expected. One of the items that needs to be worked out is what does a publisher need to know in order to formulate SETs with the correct signing and encryption. E.g. should a stream configuration have jwksuris for transmitter (presumably for signing) and receiver (for encryption)? For each item of meta data it has to be made clear what the format of the field is and what the allowances are for defaults, overrides, and updates by parties. * Extension mechanism - for profiling specifications and extension mechanism is needed to define different forms of stream parameters and the contents of a stream. For example, the notion of subscription is narrowly defined and does not apply to SCIM except in one of many potential methods of management. It doesn’t necessarily work for Backchannel Logout either. * RESTfullness and Stream documents - AFAIK a REST API uses HTTP methods to define operations against documents. In the proposed ID, a stream has no specific resource URI endpoint - it is a shared endpoint where the configuration is implied by reading a credential. The stateful management of streams to me *screams* for a resource URL for the stream object against which a set of simple HTTP methods define update and query actions. * Multiple endpoints - This spec has many different endpoints to express different operations. This is not only vastly different from typical RESTful patterns it also opens us up to the same security configuraiton problems that OAuth currently has. IOW how does a receiver know that it has discovered all the correct endpoints? Are they relative to some root? * No Update method (only replace) - no ability to easily change specific configuration items like jwks_uris that might change to facilitate key rotation over time. * Stream status - there is an ability to discover a stream has failed but no metadata to describe the reason for failure Update - Can a receiver pause or enable recovery? For example, if a receiver is getting garbage (e.g. because of bad keys) can the receiver tell the transmitter to stop? * Stream identifier - There is no individual stream identifier. The spec states… > An Event Transmitter MAY use the same URLs as endpoints for multiple > streams, provided that the Event Transmitter has some mechanism > through which they can identify the applicable Event Stream for any > given request, e.g. from authentication credentials. The definition > of such mechanisms is outside the scope of this specification. This turns out to be overly restrictive. This was discussed at length in the development of the delivery API. It simply isn’t workable. It makes it hard to: Allow DevOps systems to independently check operational status of streams because they must have a copy of the receivers credential It forces receivers to have multiple credentials if they are receiving multiple streams from a sending organization. For example an RP may receive events from multiple tenancies The credentials of provisioning entities and administrators are likely not the same as the receiving entity. The receiver of a SET of SETs for RISC or OIDC should not be restricted or bound to the Client_ID of the RP. The RP *must* be able to outsource handling of events to another server entity (with different credential) or to an external third party such as a CASB vendor. Multiple security entities will need to provision, manage, monitor, and interact with Stream resources Subject enrolment - The method published really only addressed the RISC use cases. It does not address broader user cases such as membership as defined by a group or profile condition. Even within RISC there is no agreement yet on how clients and IDPs track subjects (e.g. sub, email, telephone, etc). These capabilities were addressed in the original distribution draft (section 2 and 4 of the distribution draft [1]) submitted last year to the WG. They were addressed because of the base protocol (RFC7644) supports - see the SCIM Use Case document for more discussion on provisioning protocol capabilities of RFC7644 [2]. It may be worthwhile reproducing those sections as a separate draft with clear examples on how all the use cases items are covered in the specs and are in fact already proven to work well as a provisioning protocol. I can do that if there is interest. [0] draft-scurtescu-secevent.event-stream-mgmt-ap [1] https://tools.ietf.org/html/draft-hunt-secevent-distribution-01 [2] https://tools.ietf.org/html/draft-hunt-secevent-usecases-00 Going forward, I am working on a new control plane specification document which I believe covers all of the use cases for RISC, Logout, and SCIM. It can be used in minimalistic fashion (avoiding much of RFC7644/43) in a way that looks similar to Marius and Annabelle’s proposal. I hope to have this done soon and am waiting for a few comments before publishing. Phil Oracle Corporation, Identity Cloud Services Architect & Standards @independentid www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> > On Aug 11, 2017, at 10:43 AM, Marius Scurtescu <mscurtescu@google.com> wrote: > > A new version of the management api (aka control plane) draft was published: > https://datatracker.ietf.org/doc/draft-scurtescu-secevent-event-stream-mgmt-api/ <https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dscurtescu-2Dsecevent-2Devent-2Dstream-2Dmgmt-2Dapi_&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=8GQYK59RCc9Z6vAq3NiokxFhK9W8kVnqk4vcMalYBnU&s=v1QewDOZz8s-Ou3qL_OEwysJfux5p5Ror1gtDtCB-oc&e=> > > The document was renamed and it replaces: > draft-scurtescu-secevent-simple-control-plane > > This new version addresses most of the feedback received at IETF 99 in Prague: > - stream configuration update operation added > - stream status operation added > - verification event defined in this draft > - 429 HTTP status codes clean up > - added security considerations section > - moved endpoint descriptions to Event Stream Management section > - fixed example URIs and phone numbers > - typos and text changes > > Please read and provide feedback. We would like to see this draft adopted as a workgroup draft as soon as possible. > > Thanks, > Marius > _______________________________________________ > Id-event mailing list > Id-event@ietf.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=8GQYK59RCc9Z6vAq3NiokxFhK9W8kVnqk4vcMalYBnU&s=k-N-QlKTDPikiSIcAZfAhA7rrErQ0peqxXzp176jKoI&e=
- [Id-event] draft-scurtescu-secevent-event-stream-… Marius Scurtescu
- Re: [Id-event] draft-scurtescu-secevent-event-str… Phil Hunt