IETF Logo Mail Archive

Re: [Id-event] "aud" vs. receiver issue raised in WGLC

Marius Scurtescu <mscurtescu@google.com> Tue, 24 October 2017 00:47 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FACD13AF04 for <id-event@ietfa.amsl.com>; Mon, 23 Oct 2017 17:47:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.45
X-Spam-Level:
X-Spam-Status: No, score=-0.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NS4Pxcw2P1yI for <id-event@ietfa.amsl.com>; Mon, 23 Oct 2017 17:47:47 -0700 (PDT)
Received: from mail-io0-x236.google.com (mail-io0-x236.google.com [IPv6:2607:f8b0:4001:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15880138BD8 for <id-event@ietf.org>; Mon, 23 Oct 2017 17:47:47 -0700 (PDT)
Received: by mail-io0-x236.google.com with SMTP id j17so22074169iod.5 for <id-event@ietf.org>; Mon, 23 Oct 2017 17:47:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=oXKPy+gA5pUyXuA3kFifQfb7ermM6b54wYZH/KClFc0=; b=dOsRGJM0qCuMnzUzX8hqi8jgjF6CczeQf1n3u6qaYMRGIF4pggubd7XTiqkhwDYP8P KQS7Rq/BwXIP+JjlcTDw3upCM+C8Lysl71cDWRl3VorTsI8L0YzFm7xkedpnMTJjXPFP B5+Iq814p2/zlYPnjkPbJdBC/kyrrEhN3XkeiYCMM3liXZ6ZtMDPm4yimvsAo8C1y5r5 AVmYIHIjtv4YSYHPbbdW7A2KeHcdciqZtzoyOuTLdtieCy7yfKgjpabgjHUI0AbeCXTT EL9jjpObQE5jmKFAczvM08gNVaoDbZkc25ZbOA+bYW+HurgoNVTWcLH6k10tGqEmabq/ acFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=oXKPy+gA5pUyXuA3kFifQfb7ermM6b54wYZH/KClFc0=; b=dZWt1O2hMuhyHn1qktBu7ZAekDMkl8LQMqaVCMTRG1kuAEpG8WKqJ14o6Fiwko78iS zh5ID0uSHShC47qg18F13QkuTnRkvui6mhvnkxmYP0s4iYowOucNQKcVrCv/KbeZmehf DSncH6Dm91Jd1DSLvpUtYyVRpGRuy+t/advzyMpRbRT2gT+FuaKjUmLxeBZ0A1GCMqSp Wp06Xx3OUSkJOCb7hKYGP1Lf7RCBfEZTg9DlmZYQKoKr6IBR2tJG9W7W4qK/eFa0Jymh wvzMrk6fM2Ju54jQ6noB5y4uXTx+xXXZt9bFcWXh2FwUcfPD+mcCHBcfW20KvOh86uQB OFVw==
X-Gm-Message-State: AMCzsaVJcDFNrsef/+Ehep7gxZ/Iqmvs4mp1npJXHiLlBpQfARec7WdU omM2P+pWub1kfXbbuJSDy/zeKnSVXnPdveCGLPm4VupJ
X-Google-Smtp-Source: ABhQp+RebYgFaCwm4fFAEO2Xo+2SlItfbhckpgkq+gWIoW9RrEFO/y8caXP5XisWunxvgG72fSu/JefsCK87reDwheU=
X-Received: by 10.107.168.103 with SMTP id r100mr19558937ioe.158.1508806066039; Mon, 23 Oct 2017 17:47:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.34.9 with HTTP; Mon, 23 Oct 2017 17:47:25 -0700 (PDT)
In-Reply-To: <5FF78162-D0FF-4742-90BF-9A12BA299D06@oracle.com>
References: <e6649728-f94a-93f5-9885-c948a5b0ed49@gmail.com> <CAGdjJpJtfV9q2iaL-uao1b7XpQjx5uJrX=fnoM36POXLFYrqow@mail.gmail.com> <fa06137b-516f-4a57-8ed5-08cd2cc63af6@sit.fraunhofer.de> <71FA69AE-F8F6-45AB-9550-36BC9395DE32@gmail.com> <684D9C6F-C59A-4850-9A1B-24A026278A62@oracle.com> <CAGdjJpLYxzUqOGxZ9oTLiCzZAwffTEqjxBYNtZO09nF6RnzOAA@mail.gmail.com> <7DAF5B83-F6DB-4015-A011-AB6E13C46B81@oracle.com> <CAGdjJpJtP7w-wL3Pj=QODOjc9m15z0Ssd+8bwxX684c-t1bbiQ@mail.gmail.com> <5FF78162-D0FF-4742-90BF-9A12BA299D06@oracle.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Mon, 23 Oct 2017 17:47:25 -0700
Message-ID: <CAGdjJpLVKveRGp3RSnxjUgqjv2bmgxZWTNcajRDNG0C2wKG1iw@mail.gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Cc: ID Events Mailing List <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="001a11427c389a6cf6055c4049b8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/FKLo8mnRhBjkxa1uTxTLqieYmcs>
Subject: Re: [Id-event] "aud" vs. receiver issue raised in WGLC
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Oct 2017 00:47:50 -0000

On Mon, Oct 23, 2017 at 4:15 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

> It’s quite relevant to those with distributed architectures.
>
> If an Event Stream requires that SETs need to be encrypted (using JWE),
> the SETs needs to be encrypted so the “receiver" can read it.  Regardless,
> “aud” should be interpreted by the traditional JWT method which suggests
> the security domain the event is for.  For example, a web site relying
> party does not have the capability to process (or issue) events itself (eg.
> because of a distributed architecture). The relying party assigns another
> entity the role of Event Receiver (or Transmitter).
>
> The problem being that If the “set” is encrypted for “aud” then only the
> “aud” entity can read the SET which will make it impossible to for another
> server to handle or worse, it would require sharing of private keys.
>

The RP controls the configuration of the stream, so they can specify an
endpoint that belongs to the outsourced receiver and they can also specify
an encryption key that is controlled by the outsourced receiver. The RP
does not need access to the private key at all.

I still think it is irrelevant to the transmitter, or to this spec. I agree
it is totally relevant for the RP,



> Phil
>
> Oracle Corporation, Identity Cloud Services Architect
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
> On Oct 23, 2017, at 3:58 PM, Marius Scurtescu <mscurtescu@google.com>
> wrote:
>
> I think "aud" should point to the Receiver, the outsourcing is irrelevant.
>
> Nothing needs to change here IMO.
>
> Marius
>
> On Mon, Oct 23, 2017 at 3:55 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> It seems reasonable to further clarify that the definition of a receiver
>> could be improved.
>>
>> I propose to change from:
>>
>>    Event Receiver
>>       An Event Receiver is an entity that receives SETs through some
>>       distribution method.
>>
>>
>> To:
>>
>>    Event Receiver
>>       An Event Receiver is an entity that receives SETs through some
>>       distribution method. An Event Receiver MAY be a different
>>
>>       entity than that described by the “aud” claim.
>>
>>
>> Phil
>>
>> Oracle Corporation, Identity Cloud Services Architect
>> @independentid
>> www.independentid.com
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.independentid.com&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=fDB9pNmWNg5BPXoRtaXXB1Iz_tq5wICJLi5itJHRai0&s=Ee7RsPFKzheWNvOz1Ut9gCvs_2bw0DE6GEeg-S0KMyE&e=>
>> phil.hunt@oracle.com
>>
>> On Oct 23, 2017, at 2:38 PM, Marius Scurtescu <mscurtescu@google.com>
>> wrote:
>>
>> I think "aud" is perfectly fine.
>>
>> IMO it should make no difference for the Transmitter that the event is
>> actually handled by an outsourced entity, the RP trusts that entity and the
>> event is generated and targeted to the RP and not to the current outsourced
>> processor.
>>
>> Marius
>>
>> On Mon, Oct 23, 2017 at 10:57 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>>
>>> All,
>>>
>>> I am reviewing the previous feedback from WGLC and will be bringing up
>>> any unresolved issues for quick discussion/confirmation…
>>>
>>> Following up on Marius and Henk’s comment, I am concerned that “aud” has
>>> a very specific meaning and is often tied to a security domain definition.
>>> We should not necessarily say this is the receiver though it often turns
>>> out to be. For example a RP (“aud”) has outsourced events processing to a
>>> third party (the so called receiver).
>>>
>>> I am happy with the current claim set, but maybe some text explaining
>>> that a receiver does not have to be the aud is appropriate?  I don’t see
>>> any benefit to having a receiver claim as this could complicate processing
>>> more than its worth.
>>>
>>> There are a few other comments in this thread, but this one seemed the
>>> most unresolved.
>>>
>>> Phil
>>>
>>>
>>> On Aug 3, 2017, at 8:03 AM, Henk Birkholz <henk.birkholz@sit.fraunhofer.
>>> de> wrote:
>>>
>>> Hello,
>>>
>>> to me, the "audience" claim seems to be a good choice here.
>>>
>>> Viele Grüße,
>>>
>>> Henk
>>>
>>> On 08/02/2017 11:45 PM, Marius Scurtescu wrote:
>>>
>>> The abstract mentions "issuer" and "receiver" in the last sentence.
>>> "receiver" does not sound right (that should be used in the context of a
>>> transmitter), but I don't have a better suggestion. Audience?
>>> The last paragraph of section 1 mentions "subscriber". I think it should
>>> be either "receiver" or "audience".
>>> The explanation for figure 1 states that the issuer denotes the
>>> transmitter. If the issuer and the transmitter are assumed to be the same
>>> entity, then the transmitter definition in section 1.2 should make that
>>> clear.
>>> Figure 3, I think the "sub" claim should be nested in the event, next to
>>> the issuer that provides the correct context. The "iss" and "sub"
>>> definitions in 2.1 also touch on this, providing conflicting advice.
>>> Section 2,1, definition of "nbf". The definition says that this is the
>>> event time. I see two problems:
>>> - the name suggest "not before", not exactly the same as event time
>>> - there can be multiple events
>>> maybe this claim should be dropped?
>>> Section 2.1, definition of "exp". Omitting this claim is the short term
>>> solution to the confusion issue. Why not mention that and that it SHOULD
>>> NOT be used?
>>> Section 2.1, definition of "events". It states that all events must
>>> refer to the same logical event. Lately in discussions we reached the
>>> conclusion that all events in a SET should be defined in the same profile,
>>> which is a stronger requirement. I think this definition should mention
>>> that.
>>> Regarding events and profiles. There was a proposal to add a new claim
>>> to uniquely identify the profile. I think we need to discuss that.
>>> Figure 5. Maybe a signed example would be better, especially that the
>>> next paragraph mentions that signatures or encryption should be used.
>>> Section 4.5, second paragraph. Mentions that "nonce" is also required,
>>> but that is not actually true. Id Tokens issued at the token endpoint for
>>> example will not have it. I suggest we drop the whole paragraph.
>>> Marius
>>> On Mon, Jul 31, 2017 at 1:40 PM, Yaron Sheffer <yaronf.ietf@gmail.com <
>>> mailto:yaronf.ietf@gmail.com <yaronf.ietf@gmail.com>>> wrote:
>>>    This is to announce working group last call on this draft
>>>    (https://urldefense.proofpoint.com/v2/url?u=https-3A__dat
>>> atracker.ietf.org_doc_draft-2Dietf-2Dsecevent-2Dtoken_&d=D
>>> wIGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5bi
>>> RrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4l
>>> vS7pQLXEZEWA2F1i7bfAuUY&s=9SIT98RlAb1C9Md1W54IRl6cxjlKfjqT99u5-Ojw4Fw&e=
>>>      <https://urldefense.proofpoint.com/v2/url?u
>>> =https-3A__datatracker.ietf.org_doc_draft-2Dietf-2Dsecevent-
>>> 2Dtoken_&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057Sb
>>> K10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV
>>> 9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY&s=9SIT98RlAb1C9Md1W54IRl
>>> 6cxjlKfjqT99u5-Ojw4Fw&e= >).
>>>    Please send your comments to the list. Even if you are perfectly
>>>    happy with the draft, please let us know that you support its
>>>    publication as-is by posting to the list.
>>>    Because of the summer holidays, this last call is open for 3 weeks,
>>>    until Aug. 21.
>>>    Thanks,
>>>         Dick and Yaron
>>>    _______________________________________________
>>>    Id-event mailing list
>>>    Id-event@ietf.org <mailto:Id-event@ietf.org <Id-event@ietf.org>>
>>>    https://urldefense.proofpoint.com/v2/url?u=https-3A__www.
>>> ietf.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCga
>>> WHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEi
>>> vzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfA
>>> uUY&s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e=     <ht
>>> tps://urldefense.proofpoint.com/v2/url?u=https-3A__www.
>>> ietf.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=
>>> RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0
>>> FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXE
>>> ZEWA2F1i7bfAuUY&s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e= >
>>> _______________________________________________
>>> Id-event mailing list
>>> Id-event@ietf.org
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.iet
>>> f.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCgaWHv
>>> lZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzj
>>> WwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY
>>> &s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e=
>>>
>>>
>>> _______________________________________________
>>> Id-event mailing list
>>> Id-event@ietf.org
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.iet
>>> f.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCgaWHv
>>> lZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzj
>>> WwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY
>>> &s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e=
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Id-event mailing list
>>> Id-event@ietf.org
>>> https://www.ietf.org/mailman/listinfo/id-event
>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=qgzi6hIQUdXUCZu3X2lrQFAdGZO2O9szzwPah2M8LX0&s=kr9e2Ob_q0g5BinjBOLJAjrZeWIcrCNx9O1jax-Bs8o&e=>
>>>
>>>
>>
>>
> _______________________________________________
> Id-event mailing list
> Id-event@ietf.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.
> ietf.org_mailman_listinfo_id-2Devent&d=DwICAg&c=
> RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=
> JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=fDB9pNmWNg5BPXoRtaXXB1Iz_
> tq5wICJLi5itJHRai0&s=7M0OleTd4BpCbNMHkA9Vif8ucznK2XkdYp7wB0zI3N0&e=
>
>
>

v2.23.0 | Report a Bug | By Email