Re: [Id-event] Repeat WG last call: Subject Identifiers

Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 20 March 2022 15:13 UTC

Date: Sun, 20 Mar 2022 17:13:27 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>, "id-event@ietf.org" <id-event@ietf.org>
Message-ID: <ACB59B39-692D-4BF7-BCF3-42C6175C7387@gmail.com>
Thread-Topic: Repeat WG last call: Subject Identifiers
References: <53DED9E9-1782-4ADA-8996-7BFF01393702@gmail.com> <SJ0PR00MB1005F42F891BDF5C32DA6B15F5159@SJ0PR00MB1005.namprd00.prod.outlook.com>
In-Reply-To: <SJ0PR00MB1005F42F891BDF5C32DA6B15F5159@SJ0PR00MB1005.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/H6VulwrvlAa4FlJ8vfln-khaeGM>

(Hats off)

Hi Mike,

To your first point, this is not a security protocol. Rather it is a definition of a security-critical part of potentially several security protocols. As such, protocols can and should each define the degree of extensibility that works for them. But I disagree with your assertion that a generic identifier type should be extensible just because the JSON format has great support for extensibility. If needed, protocols can define extensibility points *outside* the subject identifier.

To my understanding, your proposal “formats should be allowed to define that their elements are extensible” is addressed by the preceding paragraph, albeit not with full unrestricted extensibility:

An Identifier Format MAY describe more members than are strictly necessary to identify a subject, and MAY describe conditions under which those members are required, optional, or prohibited.

Thanks,

                Yaron

From: Mike Jones <Michael.Jones@microsoft.com>
Date: Sunday, March 20, 2022 at 15:58
To: Yaron Sheffer <yaronf.ietf@gmail.com>, "id-event@ietf.org" <id-event@ietf.org>
Subject: RE: Repeat WG last call: Subject Identifiers

I support publication of this draft following a few revisions.  I’d like comments below to be addressed first.

NORMATIVE

Section 3 (Subject Identifiers) says “A Subject Identifier MUST NOT contain any members prohibited or not described by its Identifier Format, and MUST contain all members required by its Identifier Format.”  This is not normal JSON usage; normal JSON usage would allow additional members to be present and say that they must be ignored if not understood.  We should consider making this change.  At the very least, formats should be allowed to define that their elements are extensible.

Section 3.2.3 defines a DID URL format.  There’s nothing special here about DID URLs that would make them different than other URLs.  Please revise this section to instead define either a “url” or “uri” format.  It would be fine to say that DID URLs are one kind of URL or URI that could be used, just as https URLs would be.  That would be more general and would still allow the use of DID URLs as subject identifiers.

EDITORIAL

“general purpose” -> “general-purpose”

RFC 7159 is listed twice in the Definitions section.

It’s customary to acknowledge individual reviewers of the specification by name.  Please do so.

                                                       Best wishes,

                                                       -- Mike

From: Id-event <id-event-bounces@ietf.org> On Behalf Of Yaron Sheffer
Sent: Wednesday, March 9, 2022 2:54 PM
To: id-event@ietf.org
Subject: [Id-event] Repeat WG last call: Subject Identifiers

This is to start a repeat working group last call for draft-ietf-secevent-subject-identifiers [1]. Please respond to the list with your comments, even if they only amount to “I read the draft and it’s fine”.

We solicit and encourage WG feedback. However, given the age of the draft and overall low working group energy, the current plan is to progress the draft to the IESG by default, unless any major issues are raised.

As you review the document, please note that two versions (-09 and -10) were published recently.

The LC will be open until March 20.

Thanks,

                Yaron

[1] https://datatracker.ietf.org/doc/draft-ietf-secevent-subject-identifiers/
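Added illustration (editor's example, not part of this thread, the draft, or any working group code) of the Section 3 member rule that Mike Jones quotes above and that Yaron Sheffer defends: a Subject Identifier MUST NOT carry members its Identifier Format does not describe, and MUST carry every member the format requires. The validator below runs that rule in two modes: strict, as the draft text reads, and lenient, as proposed in the review (unknown members ignored rather than rejected). The FORMATS table is an assumed, simplified subset written for this example and is not the draft's normative member list; the rule that an "aliases" identifier may not nest another "aliases" identifier is likewise an assumption made here. All sample inputs are constructed.

```python
"""Subject Identifier member-rule validator (added illustration, not draft text)."""
import json

# Assumed, simplified subset of Identifier Formats for this example:
# format name -> (required members, optional members).  Not the draft's table.
FORMATS = {
    "email":        ({"email"}, set()),
    "phone_number": ({"phone_number"}, set()),
    "iss_sub":      ({"iss", "sub"}, set()),
    "opaque":       ({"id"}, set()),
    "did":          ({"url"}, set()),
    "aliases":      ({"identifiers"}, set()),
}


class SubjectIdentifierError(ValueError):
    """Raised when a Subject Identifier violates its Identifier Format."""


def validate(subject, strict=True, _nested=False):
    """Return a normalized copy of `subject` or raise SubjectIdentifierError.

    strict=True  -> Section 3 rule as quoted in the thread: any member the
                    format does not describe is an error.
    strict=False -> the alternative raised in review: unknown members are
                    silently dropped (ordinary JSON extensibility).
    """
    if not isinstance(subject, dict):
        raise SubjectIdentifierError("subject identifier must be a JSON object")
    fmt = subject.get("format")
    if not isinstance(fmt, str):
        raise SubjectIdentifierError("'format' member missing or not a string")
    if fmt not in FORMATS:
        raise SubjectIdentifierError(f"unknown identifier format {fmt!r}")

    required, optional = FORMATS[fmt]
    known = required | optional | {"format"}
    members = set(subject)

    missing = required - members
    if missing:
        raise SubjectIdentifierError(
            f"{fmt}: missing required member(s) {sorted(missing)}")
    unknown = members - known
    if unknown and strict:
        raise SubjectIdentifierError(
            f"{fmt}: member(s) not described by format: {sorted(unknown)}")
    out = {k: subject[k] for k in members & known}   # lenient mode drops extras

    if fmt == "aliases":
        # Assumed for this example: an aliases identifier may not itself
        # appear inside another aliases identifier.
        if _nested:
            raise SubjectIdentifierError("aliases: nested aliases not allowed")
        ids = out["identifiers"]
        if not isinstance(ids, list) or not ids:
            raise SubjectIdentifierError(
                "aliases: 'identifiers' must be a non-empty array")
        out["identifiers"] = [validate(i, strict, _nested=True) for i in ids]
    else:
        for k, v in out.items():
            if not isinstance(v, str) or not v:
                raise SubjectIdentifierError(
                    f"{fmt}: member {k!r} must be a non-empty string")
    return out


def check(json_text, strict=True):
    """Parse JSON text and validate it; return (ok, normalized_or_error)."""
    try:
        return True, validate(json.loads(json_text), strict=strict)
    except ValueError as exc:          # json.JSONDecodeError is a ValueError too
        return False, str(exc)


# Constructed sample inputs for the demonstration (not from the draft or thread).
GOOD_EMAIL = '{"format": "email", "email": "user@example.com"}'
EXTRA_MEMBER = ('{"format": "email", "email": "user@example.com", '
                '"verified": "true"}')
MISSING_SUB = '{"format": "iss_sub", "iss": "https://issuer.example.com"}'
NESTED_ALIASES = ('{"format": "aliases", "identifiers": ['
                  '{"format": "email", "email": "user@example.com"}, '
                  '{"format": "aliases", "identifiers": []}]}')

if __name__ == "__main__":
    samples = [("good email", GOOD_EMAIL), ("extra member", EXTRA_MEMBER),
               ("missing sub", MISSING_SUB), ("nested aliases", NESTED_ALIASES)]
    for label, doc in samples:
        for strict in (True, False):
            ok, result = check(doc, strict=strict)
            mode = "strict " if strict else "lenient"
            print(f"{mode} {label:15s} -> {'OK ' if ok else 'ERR'} {result}")
```

The practical difference the two modes expose is the one under debate: in strict mode the identifier with the undescribed "verified" member is rejected outright, so a relying party can never act on a member that the format did not define; in lenient mode the same identifier is accepted and the extra member is dropped, so a producer could attach data that some consumers see and others silently discard. Whichever way the working group decides, the missing-required-member and unknown-format checks apply in both modes.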