IETF Logo Mail Archive

Re: [Id-event] Draft-06 issue re: subject principal grouping

Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 02 October 2020 15:26 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AED53A165C for <id-event@ietfa.amsl.com>; Fri, 2 Oct 2020 08:26:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K8tMt5nGP0Gu for <id-event@ietfa.amsl.com>; Fri, 2 Oct 2020 08:26:26 -0700 (PDT)
Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A9E73A1634 for <id-event@ietf.org>; Fri, 2 Oct 2020 08:26:26 -0700 (PDT)
Received: by mail-wr1-x434.google.com with SMTP id m6so2288361wrn.0 for <id-event@ietf.org>; Fri, 02 Oct 2020 08:26:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version:content-transfer-encoding; bh=PKIZSNxHlbR7yW5FeI0RkSuo2Oq1B76ERiHtdwwtR8I=; b=c4bIRGuex+0/n1I23iFiAdYZn1CIhX4mVVbg0yyq47RF4VasOsq5Sm/yDpV3CRwdGO 0edbxo1uM9ISDJBZx0abcmcg1f8xC48WmYjOkYFdvutAY5+kEsHDDMW40Pso54BZT5bI lVld3oi/hcPTpk0CivXWhTdi3AErO5vawgjXKHujbiIWXfe/C4Ky0DJftUqwhvV9XBdK QKQdI0kTJaZLyoMaDrcws6fuLk+aoMsC+L+uczKmX9y4HP6p6fdObibV3yoHYYKtIZxV WGSI/TYPv2UjmdueHu7n751ytYM30xbrIS3v9GFVVhzuMSZnrSXC11yyK5EaGKYv+orp jTTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version :content-transfer-encoding; bh=PKIZSNxHlbR7yW5FeI0RkSuo2Oq1B76ERiHtdwwtR8I=; b=iKTs3JZzKaemz+OGhA+wK1IiTVHRxv/ECELB5p3M30W33Ohsn3S8SdAMUAzuVOzUtw JSwVMRyCn6e5ByczUGMFzwFcBn3UN5cSznh8KocdvSq88CmtZROJwD0Dy7RNuKtjPHXm EZYGnQQYeNKPQOvBfWOyrjYdEpeXgXvBu4RQk0ZyzTABpsaY6vYJjpZ9IyWoKA/knDfw yvnR1qT73NG8vkoQWQUWlihxzIAuzlv/APec2icKUzfZJwOpaVXxMBt1pfFRSchhcUEY +KU4pDSJXXd32Nam90pHckBF1/VvO1hZmfuEoA5AB0Ap3L4kBwvDxEuJiGW95tCGu10O jk+g==
X-Gm-Message-State: AOAM532xhXyX94HaXx3BX3tMc+3IW/sdMBKTJmXVnyuorjp/dIl8Jq31 CV6qS24Hq9RQ2KtOLK0c370=
X-Google-Smtp-Source: ABdhPJz1pT8xfYJ0lXiT6DFtHW2l48EY5wRifwJg+Bv6PqMOhGA8WfP/xCtbo7FRuT3QILTKaijxzw==
X-Received: by 2002:adf:dcd1:: with SMTP id x17mr3957828wrm.150.1601652384576; Fri, 02 Oct 2020 08:26:24 -0700 (PDT)
Received: from [172.26.49.35] (pub-corp-42-8.intuit.com. [91.102.42.8]) by smtp.gmail.com with ESMTPSA id a3sm2103597wmb.46.2020.10.02.08.26.23 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 02 Oct 2020 08:26:23 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.41.20091302
Date: Fri, 02 Oct 2020 18:26:22 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org>, Justin Richer <jricher@mit.edu>
CC: SecEvent <id-event@ietf.org>
Message-ID: <947809F3-7C03-478F-B3A5-A483E9426375@gmail.com>
Thread-Topic: [Id-event] Draft-06 issue re: subject principal grouping
References: <CAMCkG5u5YjqNrQu=Uth7F=QPvAy9-BwBCoQcMXd=ihMFjcHcmw@mail.gmail.com> <33AA53B6-D6E1-498C-AC47-470ABB558BDB@mit.edu> <CAMCkG5u6dVe7qKLfXhiesUNan2VwvRUFXxppzUnpT=7HQ7W_3A@mail.gmail.com>
In-Reply-To: <CAMCkG5u6dVe7qKLfXhiesUNan2VwvRUFXxppzUnpT=7HQ7W_3A@mail.gmail.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/GhNUnIfKLfpFWvXKR-BVDDCmaSA>
Subject: Re: [Id-event] Draft-06 issue re: subject principal grouping
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Oct 2020 15:26:28 -0000

Hi Justin, Atul,

I think this may be a reasonable way to extend the solution.

But I have a problem with Atul’s example below: the SPAG attribute that he’s proposing defines a scope (a.k.a. namespace) for the subject ID. I don’t think the receiver can act correctly on the event *unless* it understands the tenant ID. So this is not a benign extension that can be ignored by a receiver with no consequence.

The SecEvent mechanism to distinguish multiple tenants is not to embed the tenant’s identity in the event, rather it is to use separate event streams. In fact, this is enabled by the OpenID SSE document [1] which defines a profile of this solution: “Using path components enables supporting multiple issuers per host. This is required in some multi-tenant hosting configurations.”

Thanks,
	Yaron

[1] https://openid.net/specs/openid-risc-profile-1_0-ID1.html#rfc.section.3.2.1

From: Id-event <id-event-bounces@ietf.org> on behalf of Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org>
Date: Thursday, October 1, 2020 at 19:02
To: Justin Richer <jricher@mit.edu>
Cc: SecEvent <id-event@ietf.org>
Subject: Re: [Id-event] Draft-06 issue re: subject principal grouping

Hi Justin,
Agree with the theme of the language proposed in your email. I'd like to propose something similar, like:

"Each subject_type may define required fields. Subject identifiers MUST include all fields required by the subject_type, but MAY contain other fields, either defined as optional fields within this Subject Identifiers specification or elsewhere. A receiver MUST ignore fields in a Subject Identifier that it does not understand."

Atul


On Wed, Sep 30, 2020 at 1:51 PM Justin Richer <mailto:jricher@mit.edu> wrote:
Atul,

I raised this in my review as well. I think the goal of the restriction was to make the subject identifier objects compact and easily processed without getting a bunch of arbitrary stuff strung onto them, but I think the MUST NOT might go too far toward that.


I would like to see the requirement relaxed but also have guidance as to how and when to add additional members to the object. Maybe the subject_type field determines the REQUIRED fields and their semantics, but extensions MAY add new fields? And that a receiver MUST ignore fields they don’t understand? 



 — Justin


On Sep 29, 2020, at 8:28 PM, Atul Tulshibagwale <mailto:atultulshi=40google.com@dmarc.ietf.org> wrote:

Hi Annabelle,
After reviewing the https://github.com/richanna/secevent/blob/master/draft-ietf-secevent-subject-identifiers.txt (document dated Sep 04), there's one issue that I feel needs to be addressed:

The sentence on line 246 ("A Subject Identifier MUST NOT contain any members...") has the consequence that if we need to add claims in a specific subject identifier type (e.g. email), then we will need to define new subject identifier types.

As discussed earlier, I am interested in adding a "Subject Principal Administrative Grouping" or SPAG as a property of any subject identifier. This is important because the same principal may appear in different administrative groupings, and without the disambiguation, it will be impossible to figure out which SPAG the event that includes a subject identifier applies to.

For example, if the user "mailto:a@b.com" is present in two tenants of a service that acts as a SSE Receiver. Say the tenant names in which this user occurs is "http://B.com" and "http://C.com". This can happen if "mailto:a@b.com" is an employee of the tenant http://B.com, but is on a contract for a project that is run by the tenant "http://C.com".

If the event received only has the subject:
"subject" : {
  "subject_type" : "email",
  "email" : "mailto:a@b.com"
}

Then it will be impossible for the receiver to determine whether the event applies to the tenant http://B.com or http://C.com. If on the other hand, an optional claim "spag_id" is added, then the subject looks like:

"subject" : {
  "subject_type" : "email",
  "email" : "mailto:a@b.com",
  "spag_id" : "http://B.com"
}

This disambiguates the particular grouping that the event applies to.

So, I feel there are at least two ways of addressing this concern:
1. Include SPAGs as a concept in the Subject Identifiers spec and allow a "spag_id" claim in any subject identifier
2. Drop the requirement on line 246, and allow subject identifiers to have additional claims, which may be defined elsewhere.
Thanks,
Atul

_______________________________________________
Id-event mailing list
mailto:Id-event@ietf.org
https://www.ietf.org/mailman/listinfo/id-event

_______________________________________________ Id-event mailing list Id-event@ietf.org https://www.ietf.org/mailman/listinfo/id-event

v2.8.7 | Report a Bug | By Email