IETF Logo Mail Archive

Re: [Id-event] Options regarding SPAGs

Phillip Hunt <phil.hunt@independentid.com> Sat, 05 December 2020 17:04 UTC

Return-Path: <phil.hunt@independentid.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 882C43A08AF for <id-event@ietfa.amsl.com>; Sat, 5 Dec 2020 09:04:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=independentid-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X2EeeLQvcBzh for <id-event@ietfa.amsl.com>; Sat, 5 Dec 2020 09:04:07 -0800 (PST)
Received: from mail-pg1-x529.google.com (mail-pg1-x529.google.com [IPv6:2607:f8b0:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8C673A08A5 for <Id-event@ietf.org>; Sat, 5 Dec 2020 09:04:03 -0800 (PST)
Received: by mail-pg1-x529.google.com with SMTP id q3so5565362pgr.3 for <Id-event@ietf.org>; Sat, 05 Dec 2020 09:04:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=independentid-com.20150623.gappssmtp.com; s=20150623; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=80Np0Madyl+d/s7RQWOAqPsJCfVe7BZAaRQqdh1HDTc=; b=EjUEP4ZNk9SuwspfFJa73cxWlV0IFRTRMSrMH6ney8dXK9G3vWEVhhT2oL0n1kF2o0 pw/rDm6GkPuEqlxzqhW7h1kQ10tQyhPeH3/ppmGkKn4zvBuBc2BmyXBQACr/AutiuJ1+ JXTKoCsuSJ7Px/jFtCjLkNRyyGYm3E5U/Omg6sjVgy6mu4RD7DRafWyAS550sngdy9tW c3oT66/RTKz1MnQV6Js56gKlUP92GMYqavaRX8HQlOCPqE4Ce2NWCuUmYb7xdyfYt1Bp Sss2WwV213EVuYCfUjPh0QD9w/pS75xe5y/G+aVXMT+bQncg9MR56zZj4v+I+OaQHTkg f24Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=80Np0Madyl+d/s7RQWOAqPsJCfVe7BZAaRQqdh1HDTc=; b=LtV9QeAhE1dpR58gbIA+tULZxb5bmYuR4DLv2e60BC2I16L+AxiJZ8byBAMZvf2oB2 muFAHEadGsGb9Xr0zTkfiJqXrJD0KNseAI2eocozGQ1RBOdALfTSfmHoUJ2wS56hibNN By1I7y+UL48q1SDgMqmRqR05p4W1tJxZDa8TxPNHtwKfpe3fZOGOiMbYgr4pCN1ak6Aq XGEgrmom3Tlwosr9vglZ4rAxxxwo945/5c/yPmDW1A/8rRsq2boNeVFK4ETwaewFqTvS nJMNXEFiAjTrIOgfbvYWGX85EEIluVOSIQzwntEGA3cqpyEGsnlAnELqjn4rnfsHuTBh wndw==
X-Gm-Message-State: AOAM530fZdM0nvY543I5D2ZbkSrXQClZ27J0KMdyDItUdtroA/xGXrXM 3Ha8NTf9QcMBR8VaQzM7g+2+1g==
X-Google-Smtp-Source: ABdhPJynBHc4m95VnN4e6az6QnqoKeO3NHjXtw0yyp+rRsGKHG2CZtnWx8Mh6OqCInZUYcPRMqDxBA==
X-Received: by 2002:a62:e50e:0:b029:19d:9fab:4 with SMTP id n14-20020a62e50e0000b029019d9fab0004mr9268789pff.0.1607187843014; Sat, 05 Dec 2020 09:04:03 -0800 (PST)
Received: from [192.168.1.70] (d75-156-79-23.bchsia.telus.net. [75.156.79.23]) by smtp.gmail.com with ESMTPSA id w11sm9661221pfi.162.2020.12.05.09.04.02 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 05 Dec 2020 09:04:02 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail-8F3FAFE8-6B2F-4DB3-ADDE-292CDBA16BAC"
Content-Transfer-Encoding: 7bit
From: Phillip Hunt <phil.hunt@independentid.com>
Mime-Version: 1.0 (1.0)
Date: Sat, 05 Dec 2020 09:04:01 -0800
Message-Id: <6C154303-F3D3-45A5-9701-25FDF319E92E@independentid.com>
References: <CAMCkG5v3FTnNz878Fg85hV1vYpVo1QO=AF49yvDOacw9bLw-vQ@mail.gmail.com>
Cc: Dick Hardt <dick.hardt@gmail.com>, SecEvent <Id-event@ietf.org>
In-Reply-To: <CAMCkG5v3FTnNz878Fg85hV1vYpVo1QO=AF49yvDOacw9bLw-vQ@mail.gmail.com>
To: Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org>
X-Mailer: iPhone Mail (18B92)
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/GDIJMH18mu2mzecK84jgfzL_WqI>
Subject: Re: [Id-event] Options regarding SPAGs
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Dec 2020 17:04:10 -0000

When we first started discussions around SET, one goal was to keep events simple/atomic. If multiple subjects are effected by the same event, why not issue multiple events and a “txn” value to indicate each SET is part of the same parent event/transaction?

Creating compound events to express full context creates a lot of contextual “binding” between sender and receiver. 

I am not saying multiple subjects is always wrong. But this begins to feel like a lot of parsing complexity (affecting event parsing speed) on every message rather than send a few more simple messages.  For example ksql can capture multiple events in a stream to learn that the same event for multiple subjects is related if that needs to be known. 

Phil

> On Dec 4, 2020, at 4:41 PM, Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org> wrote:
> 
> 
> Hi Dick,
> #4 may not always be an option if the event has more than one subject claim (e.g. for an event like "device transfer"). 
> 
> Regarding other additions:
> Subject Categories:
> Earlier, I had proposed that a subject identifier of any subject_type have an optional common claim named "subject_category", which could identify the type of subject principal the subject identifier refers to. However, since the future of this request in the Subject Identifiers spec wasn't clear, we decided to add a new "subject_type" in the SSE spec, called "user-device-session". The SSE spec draft defines the algorithm to figure out the category of the subject principal based on the content of this subject identifier.
> 
> As a result of this new subject type definition in the SSE spec draft, "subject_category" is no longer a requirement for the SSE work. However, since the SSE spec is still being drafted, if the Subject Identifiers spec has the ability to add a subject category claim to any subject_type, then we can possibly change the SSE spec to make use of it.
> 
> SAML Subject Type:
> I had proposed that a SAML subject type be introduced in the Subject Identifiers. This will help us send and receive events relating to a specific SAML-based federated session. I thought this would be a common subject type of interest to the Subject Identifiers spec. However, we have now added it as a subject type in the SSE draft spec. If the Subject Identifiers draft were to include this, it would be very easy for us to remove this from the SSE draft spec.
> 
> BTW a good way to look at all my proposed changes to the Subject Identifiers draft is by reviewing my pull request here: https://github.com/richanna/secevent/pull/1
> 
> Thanks,
> Atul
> 
> 
>> On Thu, Dec 3, 2020 at 5:43 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>> I think there is also a fourth option:
>> 
>> 4. a SPAG identifier can be placed in a separate top level object or top level property
>> 
>> Atul: in the other thread, you mentioned that there were other additions that the OpenID Shared Signals and Events WG is interested in. Would you enumerate them as well so that we can address all potential issues?
>> 
>> 
>> ᐧ
>> 
>>> On Thu, Dec 3, 2020 at 3:04 PM Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org> wrote:
>>> Hi all,
>>> Based on Dick's request, I'd like to summarize the situation with SPAGs here.
>>> 
>>> Background:
>>> The present Subject Identifiers draft forbids a subject identifier of a specific subject_type from having any claims that are not described in the subject_type. This prevents higher-level specs from proposing any additional claims to be included in subject identifiers of subject types that are defined in the Subject Identifier spec.
>>>  
>>> SPAGs:
>>> Subject Principal Administrative Groupings or SPAGs are an addition to the OpenID "Shared Signals and Events Profile of SETs", which is a revision of the "RISC Profile of SETs". The present draft of the SecEvents Subject Identifiers spec is derived from a section in this RISC Profile. The SSE Profile now refers to the SecEvents Subject Identifiers draft.
>>> 
>>> SPAGs are required to address the following needs:
>>> Disambiguate a subject identifier if it belongs to more than one sub-organizations. For example, if the subject claim in an event is of the subject type "email", then a SPAG may be used to specify the sub-organization the specified email should be scoped down to. A dynamic organization may have the same email in multiple sub-organizations, and the event may apply to only one such sub organization.
>>> Provide a lighter weight mechanism to start and stop event streams for sub-organizations. These could be OUs or dynamic groups within an organization, or separate tenants in a multi-tenanted transmitter or receiver.
>>> Requirements from Subject Identifiers:
>>> A SPAG may be specified as an additional attribute of a subject identifier with any subject type, in order to disambiguate and scope the event with that subject identifier.
>>> A SPAG may be a new subject type of its own when it is used in an event that specifies the starting or stopping of a stream.
>>> Options:
>>> The following options are possible to address this requirement.
>>> Minimal Change to the present Subject Identifiers draft: Remove the words "or not described" on line 247. This way a higher-level spec that needs to add additional attributes to all subject identifiers used in that spec can add them and specify the additional attributes' optional or required nature. In this option, SPAGs will be defined in the SSE profile spec.
>>> Include SPAGs in the Subject Identifiers spec: Include language for SPAGs proposed earlier in this list, so that:
>>> Subject Principals and SPAGs are defined in the Subject Identifiers spec
>>> An additional attribute named "spag_id" is added as an optional attribute of any subject_type.
>>> An additional subject_type "spag" is defined (this is used primarily for "control plane" events.)
>>> Do both 1. and 2: With this, we will address the issue that higher-level specs cannot insert additional attributes in predefined subject types, and define SPAGs within the Subject Identifiers spec.
>>> Thanks,
>>> Atul
>>> 
>>> _______________________________________________
>>> Id-event mailing list
>>> Id-event@ietf.org
>>> https://www.ietf.org/mailman/listinfo/id-event
> _______________________________________________
> Id-event mailing list
> Id-event@ietf.org
> https://www.ietf.org/mailman/listinfo/id-event

v2.23.0 | Report a Bug | By Email