IETF Logo Mail Archive

Re: [Id-event] Consensus :: Single Event Syntax

Marius Scurtescu <mscurtescu@google.com> Fri, 08 December 2017 00:48 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EA6E126C26 for <id-event@ietfa.amsl.com>; Thu, 7 Dec 2017 16:48:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m7gISgsvWbsC for <id-event@ietfa.amsl.com>; Thu, 7 Dec 2017 16:48:23 -0800 (PST)
Received: from mail-it0-x234.google.com (mail-it0-x234.google.com [IPv6:2607:f8b0:4001:c0b::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74D9F120726 for <id-event@ietf.org>; Thu, 7 Dec 2017 16:48:23 -0800 (PST)
Received: by mail-it0-x234.google.com with SMTP id b5so1403983itc.3 for <id-event@ietf.org>; Thu, 07 Dec 2017 16:48:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=SN6qFZhcFYqKp6zzymmPf5+SnEQ/JoPpndOnLDTmZWM=; b=Oj9wzQ4TAmc7SVER2gs+x9iDOba26CRzoeK9wd5M3Uiux2gj6NdD/8MaQGuuFxMmke 3QmPvX1XJu2fNn4acSs/HCACyZJRilpuDUqri6DMKK0CHnyhWN2UVzq8k9G9AoeexwjD QtW6GdonDq/7cGeL7EkMrAsIcGILzlXlU3RsJQ3Z+moRg3oReivLKLauab5fO0i6SOzp jFhBr4f5oHqCt/W93Qjwc6H24G9HWCQKCfSSwG+GzFrq0a+E6Qk+3AHmXTVTUiA/BWQH Ou8NSTTaPTqLhYzBnli+uQRdG88Scodr+KQLpPNUVXpKRi+m/q3jVbDY+JQjWy6Ohdsh m4Eg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=SN6qFZhcFYqKp6zzymmPf5+SnEQ/JoPpndOnLDTmZWM=; b=h6tR1fk8dXIg7Zk6ylCEqW9M5S97iz6/oVhE4n8jkeMC5k/UkSTZlSKj/vc81bwZ2G Msn2gCDOiKJxLRSlzfgrTReVa5vOthaou+r9lQ6JmdgWCWf7c6xn9Gx2XX6YUnJkxJw1 7C6DYohMi+9BPIZvGwUWR6a2uAUhEiR5R0K2cUmn4GpAhI5q2CBAe99o9FVTO0bVVQci 2mUqxohtiEPdCuJtzDCkahYDxbfNg7abFOKlGtHIXQDHwdSMkekEqAp39EWU7Tf0/I58 rSoeQ/Bd+IxuGfLfOCg/xteg6v8lNJMIftC/koF2n6zI2vQJ3fU5Ha1QUVI36iKm0edi 6PWw==
X-Gm-Message-State: AKGB3mIR8jm3oYBryvXpCvrSJU9QAK7DCA24G6fywTQsnpQHwyzdtYGI II0CLIz3VkW8qYNv2O90v5qBoCzQ00EAJl/e+0rzbQ==
X-Google-Smtp-Source: AGs4zMZcVbDp9akNXBaWSRYE/g0ftiF18rDIfP43cIIF17npHAhr5/ljjHdBJ5ZpxBBrOXBRc6ZtW7ZUTyLRx7VigAY=
X-Received: by 10.36.39.8 with SMTP id g8mr1068534ita.42.1512694102295; Thu, 07 Dec 2017 16:48:22 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.34.19 with HTTP; Thu, 7 Dec 2017 16:48:01 -0800 (PST)
In-Reply-To: <7D8D1499-7F37-4CF1-B638-561450CABCDF@cisco.com>
References: <CAD9ie-s_tmCqwBh0u=89Zx7FZEUMq0-TcPY_t-3t006oTrTbmw@mail.gmail.com> <C7C5A5CC-351F-4F65-9977-19508ECF8A65@oracle.com> <BN6PR21MB0500C56E9363709A8538EED8F53E0@BN6PR21MB0500.namprd21.prod.outlook.com> <7D8D1499-7F37-4CF1-B638-561450CABCDF@cisco.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Thu, 07 Dec 2017 16:48:01 -0800
Message-ID: <CAGdjJp+K=ht6S=JiDSAuir_HopNuis7s5Ykjhi+ZcVhFfW7Tig@mail.gmail.com>
To: "Morteza Ansari (moransar)" <moransar@cisco.com>
Cc: Mike Jones <Michael.Jones@microsoft.com>, Phil Hunt <phil.hunt@oracle.com>, SecEvent <id-event@ietf.org>, Yaron Sheffer <yaronf.ietf@gmail.com>, Dick Hardt <dick.hardt@gmail.com>
Content-Type: multipart/alternative; boundary="001a1147c5ac9fa47b055fc98a77"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/ErJ-USNGfcYRB9kDlrPB2rUd8Gc>
Subject: Re: [Id-event] Consensus :: Single Event Syntax
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Dec 2017 00:48:27 -0000

comments inline...

On Sun, Dec 3, 2017 at 11:40 PM, Morteza Ansari (moransar) <
moransar@cisco.com> wrote:

> I have gone through the minutes Dick posted from the main and side
> meetings and I went back through the mailing list threads on the topic
> (thanks Phil for the pointers). To be honest I am still at a loss as to why
> this is such a contentious issue. I feel the current SET spec addresses all
> the use cases we have identified so far and the complexity of handing
> events vs. event is very minimal.
>

Sure, we can live with "events" (except for Tony, his use case is not met).
Why can't we take implementation feedback and improve the spec?


>
>
> Furthermore with some minor additions along what Yaron suggested in
> https://www.ietf.org/mail-archive/web/id-event/current/msg00736.html or
> something similar we should be able to handle the case where some profile
> wants to define additional restriction on the SET.
>

That helps writing profiles, still leaves room for ambiguity and privacy
issues when implementing a transmitters. Something like "Profiling
specifications SHOULD define the allowed event statements" cannot be
enforced in a parser, this is just a recommendation (easy to miss by an
implementer).


>
> Given the data and discussion so far, I am with Mike & Phil in the support
> of SET as defined in the WG document.
>
>
>
>
>
> Cheers,
>
> Morteza
>
>
>
> *From: *Id-event <id-event-bounces@ietf.org> on behalf of Mike Jones <
> Michael.Jones@microsoft.com>
> *Date: *Friday, December 1, 2017 at 7:17 PM
> *To: *Phil Hunt <phil.hunt@oracle.com>, SecEvent <id-event@ietf.org>
> *Cc: *Yaron Sheffer <yaronf.ietf@gmail.com>, Dick Hardt <
> dick.hardt@gmail.com>
>
> *Subject: *Re: [Id-event] Consensus :: Single Event Syntax
>
>
>
> I am strongly opposed to making a change to reintroduce a distinction
> between primary and secondary events.  This topic has been heavily
> discussed in the working group and people very clearly came down on the
> side of having no such distinction.  Annabelle’s draft needlessly
> reintroduces this distinction, with the result being a breaking change and
> making the structure more complicated, not less.  See the deeply nested
> “related events” structure in https://tools.ietf.org/html/
> draft-backman-secevent-token-03#section-3 to understand some of the of
> the additional complexity being proposed.
>
>
>
> The working draft already meets the needs of multiple use cases and is in
> production use.  There are not sufficient reasons to reintroduce complexity
> that was previously soundly rejected and to make wholesale design changes
> after working group last call.
>
>
>
> We should stay with what already works and complete the SET spec in a
> timely fashion.
>
>
>
>                                                                 -- Mike
>
>
>
> *From:* Id-event [mailto:id-event-bounces@ietf.org
> <id-event-bounces@ietf.org>] *On Behalf Of *Phil Hunt
> *Sent:* Friday, December 1, 2017 10:36 AM
> *To:* SecEvent <id-event@ietf.org>
> *Cc:* Yaron Sheffer <yaronf.ietf@gmail.com>; Dick Hardt <
> dick.hardt@gmail.com>
> *Subject:* Re: [Id-event] Consensus :: Single Event Syntax
>
>
>
> For historical purposes, this has been discussed twice before (once at the
> request of Annabelle).
>
>
>
> I think it would be helpful, why, after WGLC, this issue is being brought
> forward yet again. Dick has stated that Annabelle’s concern that she finds
> it difficult to implement is sufficient.  Yet, I’m not sure we are
> entertaining a new concern here. No new information was provided.
>
>
>
> I note that at the time, the chairs did not feel there was a lack of
> consensus in order to call for one in the past.
>
>
>
> On some of these matters, the choice may be arbitrary, and that is why I
> think keeping track of prior discussion is important so that we can clearly
> move forward and not repeat discussion of the past further confusing
> consensus.
>
>
>
> While I advocated for singular events as a possibility in the past, I now
> have much more stronger technical reasons for the WG draft design, which
> have strengthened rather than weakened in the past week. I will share these
> later, after the minutes have been published.
>
>
>
> On Dec 10, 2016, Yaron while reviewing the ID draft-hunt-idevent-token-07
> [1]:
>
>   * Why "events" and not "event"? We don't really have support for
>
>     multiple events. Certainly not if they are all of the same type.
>
>     The current text is confusing: "events" is not the same as "a
>
>     primary event and its extensions”.
>
> [MIKE] Reflects your earlier comment re: primary vs. extensions.  "events” is
>
> plural to reflect the fact that the attribute is multi-valued. I agree,
>
> given that only one primary event can be included, the naming is misleading.
>
>
>
> From later in the thread [2]:
>
>  * 2: "first value" is meaningless. JSON objects are unordered (4th
>    paragraph of RFC 7159). If order /is/ important, we could make
>    "events" into an array.
>
> *[Phil] *Yup.   How would the group like to fix this?  We could make
> “events”
> singular and have an extensions attribute to hold the extensions.  Or we
> could go to a more complex JSON structure (not personally a fan).
>
>
> *[Yaron]* I'm personally fine with a main "event" object and an
> "extensions" attribute. I can even live with "event" being called "events",
> per Mike's proposal. But the structure needs to make sense as a JSON object
> if we want it implemented.
>
>
>
> [PH] Thread: Should the primary event be a separate attribute?
>
>
>
> We had this broken out before. If there is sufficient desire to break it
> out again, I have no objection.
>
>
>
> Then following WG adoption, I re-reraised the issue after discussion with
> Annabelle draft-secevent-token-00 [3]:
>
> On this topic, following Yaron’s comments Mike Jones raised some points
> that there should be no distinction between primary events and extensions (
> https://mailarchive.ietf.org/arch/msg/id-event/0Hhg46ROcidQDLL7OnXUs88TJ9U).
>  Summarizing:
>
> * Processors will run through all of them regardless. It is not
> necessarily helpful to understand which is a primary vs. extension
>
> * Let’s drop distinction between primary vs. extension. You can simply
> express one or more sets of event attributes in a single JWT
>
>
>
> My proposal is to drop this terminology in the text and keep the attribute
> multi-valued. The purpose of the attribute is to inform the reader what
> events are being asserted and what additional data may be present. It is up
> to the reader to ultimately infer meaning when one or more URIs are
> present.  Further, when multiple URIs are present it must still to make a
> combined statement about a single state change about a subject. It must not
> be used to convey multiple distinct (e.g. transactions) events about a
> subject.
>
>
>
> Assuming everyone agrees, I will plan to remove these distinctions in the
> next update with some new text. Please comment if you have concerns.
>
>
>
> To which Mike Jones responded [4]
>
> I believe we already had consensus to drop the primary/secondary
> distinction, which we intentionally did before adoption of the working
> group draft.  I believe any such distinction will both be unhelpful and
> result in syntactic complexity.  Please let’s finish stamping out the
> notion that any of the events in a SET are somehow different than the
> others.
>
>
>
> William Denniss wrote [5]:
>
> I agree with your proposal.
>
>
>
> They're all just events. Up to implementors to define & categorize their
> events how they like.
>
>
>
> Marius also agreed (he may have switched positions now) [6]:
>
> I also think it makes sense to remove the primary/secondary distinction.
>
>
> Marius
>
>
>
> Justin also agreed (and may have switched positions) [7]
>
> +1, drop "primary" and keep it an object
>
>  -- Justin
>
>
>
> References:
>
> [1] - https://www.ietf.org/mail-archive/web/id-event/current/msg00298.html
>
> [2] - https://www.ietf.org/mail-archive/web/id-event/current/msg00299.html
>
> [3] - https://www.ietf.org/mail-archive/web/id-event/current/msg00345.html
>
> [4] - https://www.ietf.org/mail-archive/web/id-event/current/msg00347.html
>
> [5] - https://www.ietf.org/mail-archive/web/id-event/current/msg00349.html
>
> [6] - https://www.ietf.org/mail-archive/web/id-event/current/msg00365.html
>
> [7] - https://www.ietf.org/mail-archive/web/id-event/current/msg00406.html
>
>
>
> Phil
>
>
>
> Oracle Corporation, Identity Cloud Services Architect
>
> @independentid
>
> www.independentid.com
>
> phil.hunt@oracle.com
>
>
>
>
> On Dec 1, 2017, at 8:50 AM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
>
>
> Is it important to syntactically ensure that only one event is in a SET?
> For privacy reasons, some use cases want to ensure that only one signal is
> in a SET.
> This adds some additional complexity for use cases that want to include
> multiple signals in a SET.
>
> See https://tools.ietf.org/html/draft-backman-secevent-token-02
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dbackman-2Dsecevent-2Dtoken-2D02&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=p986FFBYCnXfbWjoBBpAe4IarEj1m7ezmVE3DPSQzwY&s=P-rrbMomS-aMBQQ0HPfPzvNPkWHLDYs8SsugRHx-eLM&e=> for
> an proposed syntax that ensures one event per SET, and enables multiple
> events per SET when desired
>
>
>
> We will track results here: https://github.com/IETF-
> SecEvent/Drafts/issues/1
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_IETF-2DSecEvent_Drafts_issues_1&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=p986FFBYCnXfbWjoBBpAe4IarEj1m7ezmVE3DPSQzwY&s=3f7fFs9ZKZrg1ScI3Ml2r8ykvHGuBbup831kDUNklfw&e=>
>
>
>
> Discussion to be on the mail list as usual, not in the issue tracker!
>
>
>
> /Dick
>
> _______________________________________________
> Id-event mailing list
> Id-event@ietf.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.
> ietf.org_mailman_listinfo_id-2Devent&d=DwICAg&c=
> RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=
> na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=
> p986FFBYCnXfbWjoBBpAe4IarEj1m7ezmVE3DPSQzwY&s=YnAKATJz3qVYniVaDUIMtQb9L-
> vMocgsYARzV6axzq4&e=
>
>
>
> _______________________________________________
> Id-event mailing list
> Id-event@ietf.org
> https://www.ietf.org/mailman/listinfo/id-event
>
>

v2.23.0 | Report a Bug | By Email