Re: [Id-event] Dealing with issuer conflict
Mike Jones <Michael.Jones@microsoft.com> Thu, 18 May 2017 19:52 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C04712EBDC for <id-event@ietfa.amsl.com>; Thu, 18 May 2017 12:52:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.799
X-Spam-Level:
X-Spam-Status: No, score=-4.799 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7SUwxWG5pbuf for <id-event@ietfa.amsl.com>; Thu, 18 May 2017 12:52:25 -0700 (PDT)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02on0135.outbound.protection.outlook.com [104.47.38.135]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04C7A129B18 for <id-event@ietf.org>; Thu, 18 May 2017 12:46:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=tneS8rEAwwYAn1NOKMUxnOv2ShvNRiypMl7SE9//+nI=; b=l2nfUigCAEjBrHSb/EP8OtzY5WvsGlNlhKeaY7+0nOXURgTAKuKmpRuXFjA4SDDgDbCKt5VvlBs/7y3AzLOVUrKcpFzuUKc/BlPWVO++xR0PE+Tj8h6pQYpSp7CJG69kh3TniKLA2hZtbRhf0vXNjpJLY/Uc+/I3eSmkF+dmsyo=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0183.namprd21.prod.outlook.com (10.173.193.9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1124.0; Thu, 18 May 2017 19:46:40 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.1124.007; Thu, 18 May 2017 19:46:41 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
CC: Dick Hardt <dick.hardt@gmail.com>, ID Events Mailing List <id-event@ietf.org>
Thread-Topic: [Id-event] Dealing with issuer conflict
Thread-Index: AQHSz5GPBeIUkwXJI0S9grGRbpCBVKH6GH8AgAAO/4CAADPHoIAAEkCAgAAGbLCAAAhqgIAAAahg
Date: Thu, 18 May 2017 19:46:40 +0000
Message-ID: <CY4PR21MB05041186A46A2E20E01A83C1F5E40@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <D1129EE9-8D49-4262-A569-FF373490EB85@oracle.com> <CAD9ie-unodo_BgMdH-iT64U6n7A4H_kEVOLCViWqDuLfRSRgSg@mail.gmail.com> <262D32B6-940E-4B96-9981-079A5443ED3E@oracle.com> <CY4PR21MB0504CBB636CAD1E33158997DF5E40@CY4PR21MB0504.namprd21.prod.outlook.com> <74177700-9959-4F07-83E3-F3B750CAC9B8@oracle.com> <CY4PR21MB0504BE77665A866FF1960E58F5E40@CY4PR21MB0504.namprd21.prod.outlook.com> <9342926E-FC34-45E4-919D-FB61FE8EB6A3@oracle.com>
In-Reply-To: <9342926E-FC34-45E4-919D-FB61FE8EB6A3@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Ref=https://api.informationprotection.azure.com/api/72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetBy=mbj@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2017-05-18T12:46:38.5076864-07:00; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
authentication-results: oracle.com; dkim=none (message not signed) header.d=none;oracle.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:3::32c]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0183; 7:rd6FNGQdMpUJSQujHhoWycAGKdxmxYYoMCTBO/gqPpN0U78l4sJDhdie1E2G2e9dR9umhaA2IjF4fpP1By6UKK8I7FBqK3/ufqT1QTaujL7csLCEuLLp1Oq7aA5VLtjiXVSmKbYJQJgxvsxaftav3uhMgR3Cr1qSCPrx/PZAt+zBtifIYQn+KMuWtJEHhJJku0cH91fVR2V3sRwa0Y1cebD62tWCD5HMomSQSXnq+8KKw4QUwLgH+/GELPb2m+arsTTfVmSqDwXcjimIISiGR4cNewFeJRoCucZN0aOuM/mRLrLDwtBTszBLW/suIERZqaZrp8xosZJzpEJP09LVxXJGETWybReCXpQQsGC59Ds=
x-ms-traffictypediagnostic: CY4PR21MB0183:
x-ms-office365-filtering-correlation-id: bb547f20-c01d-4169-4303-08d49e269ae0
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(48565401081)(201703131423075)(201703031133081)(201702281549075); SRVR:CY4PR21MB0183;
x-microsoft-antispam-prvs: <CY4PR21MB01837B6FA1B65C5E71C12816F5E40@CY4PR21MB0183.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(10436049006162)(21748063052155)(21532816269658)(146099531331640)(17755550239193)(5213294742642);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700036)(100105000095)(100000701036)(100105300095)(100000702036)(100105100095)(61425038)(6040450)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(93006095)(93001095)(100000703036)(100105400095)(6055026)(61426038)(61427038)(6041248)(20161123555025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123564025)(20161123560025)(20161123558100)(20161123562025)(6072148)(100000704036)(100105200095)(100000705036)(100105500095); SRVR:CY4PR21MB0183; BCL:0; PCL:0; RULEID:(100000800036)(100110000095)(100000801036)(100110300095)(100000802036)(100110100095)(100000803036)(100110400095)(100000804036)(100110200095)(100000805036)(100110500095); SRVR:CY4PR21MB0183;
x-forefront-prvs: 0311124FA9
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(39450400003)(39840400002)(39400400002)(39410400002)(39850400002)(377454003)(24454002)(51444003)(54356999)(76176999)(10290500003)(2900100001)(236005)(189998001)(561944003)(2906002)(86612001)(33656002)(8936002)(72206003)(478600001)(50986999)(3280700002)(54906002)(6306002)(99286003)(9686003)(55016002)(6506006)(606005)(7906003)(54896002)(7736002)(77096006)(93886004)(3660700001)(6436002)(229853002)(4326008)(25786009)(39060400002)(966005)(53946003)(74316002)(38730400002)(53936002)(6246003)(8676002)(53546009)(5660300001)(122556002)(81166006)(2950100002)(5005710100001)(110136004)(6116002)(8990500004)(102836003)(6916009)(10090500001)(575784001)(19609705001)(86362001)(790700001)(7696004); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0183; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB05041186A46A2E20E01A83C1F5E40CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 May 2017 19:46:40.8854 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0183
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/HCWtbhkT2ErkJK5kGbNxtH7NBL8>
Subject: Re: [Id-event] Dealing with issuer conflict
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 May 2017 19:52:32 -0000
In many use cases, only SETs from a single event family will be legal and all will use the same claims conventions. In that case, a normal JWT parser will likely be used and the application will process the additional event-specific claims. There’s no general-purpose SET parser in the mix. I think that trying to architect this for a world in which there’s a single SET parser for SETs of all kinds would skew the architecture and have the unintended side-effect of excluding some use cases through unnecessary complexity. The SET spec should define the “events” claim and stop there. SET is already poised for success as it is now. We shouldn’t add restrictions that will jeopardize that achievement. Events and event families should do the rest, in ways appropriate to their use cases. -- Mike P.S. How to represent RISC events that might be issued either by an Identity Provider or Relying party is an entirely appropriate discussion to have in the RISC working group, but not here in the ID Events working group. From: Phil Hunt (IDM) [mailto:phil.hunt@oracle.com] Sent: Thursday, May 18, 2017 12:34 PM To: Mike Jones <Michael.Jones@microsoft.com> Cc: Dick Hardt <dick.hardt@gmail.com>; ID Events Mailing List <id-event@ietf.org> Subject: Re: [Id-event] Dealing with issuer conflict Thanks Mike. I think we disagree. The concern I have is that most implementers will have to write code that always checks for the absence of a duplicate issuer claim because it changes the meaning of subject. This strikes me as complexity that needs to be dealt with in the core spec. It stems from our SecToken's use of JWT and its popular use today. If every profiling spec can do this differently requiring different parsers whats the point of secevents? Phil On May 18, 2017, at 12:08 PM, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote: Most of what you’re talking about seems to me to be decisions that can be made by particular event definitions or event family definitions. I have no problem with particular events or event families employing some of the strategies that you’re describing. The SET spec already facilitates that. But per previous discussions, we shouldn’t be making restrictions in the SET spec that limit its applicability by making restrictions on claims usage that will only work for some event use cases and will rule out others. We should hold to the bright-line test that event definitions define what claims are included in SETS (other than the “events” claim itself) and how they’re used. Intruding on that will unnecessarily limit the applicability of SETs. -- Mike From: Phil Hunt [mailto:phil.hunt@oracle.com] Sent: Thursday, May 18, 2017 11:41 AM To: Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> Cc: Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>>; ID Events Mailing List <id-event@ietf.org<mailto:id-event@ietf.org>> Subject: Re: [Id-event] Dealing with issuer conflict Mike, I’m not sure we’re on the same page here. My impression is this is still on the outstanding list. Let’s look at some example cases: For example, if a relying party (e.g. retail store) wants to notify an IDP that the user has been deleted… Currently in the draft: When issued by an OpenID Connect issuer: { "iss": "https://connect.myidp.com<https://urldefense.proofpoint.com/v2/url?u=https-3A__connect.myidp.com&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=ZRxoy6LboCUVOSdvaKuUa2q0bYlGv-xBKQr_PYRO1Hg&s=kJ5Mfn6i39lorLgbbkC40kBC-Hfkom_nHJw9DvCTou8&e=>", "sub": "248289761001", "aud": ["connect.myidp.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__connect.myidp.com&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=ZRxoy6LboCUVOSdvaKuUa2q0bYlGv-xBKQr_PYRO1Hg&s=JcMmHMLfNI_3lsrNceb6VM6dKMbZBX7-Urd_E6grwkg&e=>"], "iat": 1471566154, "jti": "bWJq", "events": { "http://schemas.openid.net/risc/event-type/account-deleted<https://urldefense.proofpoint.com/v2/url?u=http-3A__schemas.openid.net_risc_event-2Dtype_account-2Ddeleted&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=ZRxoy6LboCUVOSdvaKuUa2q0bYlGv-xBKQr_PYRO1Hg&s=QHxJy7zqDzcRGhmcGhatA2k15bYULPODbW71Ztc4Kx4&e=>": {} } } BUT, when issued by a party other than the issuer of the subject: { "iss": "https://exampleretail.store.com<https://urldefense.proofpoint.com/v2/url?u=https-3A__exampleretail.store.com&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=ZRxoy6LboCUVOSdvaKuUa2q0bYlGv-xBKQr_PYRO1Hg&s=YZax0bYIy8_J3nc40E5kAMdsqQpui6Slj4YZYqI7bFM&e=>", "sub": "248289761001", "aud": ["connect.myidp.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__connect.myidp.com&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=ZRxoy6LboCUVOSdvaKuUa2q0bYlGv-xBKQr_PYRO1Hg&s=JcMmHMLfNI_3lsrNceb6VM6dKMbZBX7-Urd_E6grwkg&e=>"], "iat": 1471566154, "jti": "bWJq", "events": { "http://schemas.openid.net/risc/<https://urldefense.proofpoint.com/v2/url?u=http-3A__schemas.openid.net_risc_&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=ZRxoy6LboCUVOSdvaKuUa2q0bYlGv-xBKQr_PYRO1Hg&s=JVaG5ee6BYf27emDyvsG749Ej4XX9d2FcKveRJ20ww8&e=>event-type/account-deleted": { "iss”:"connect.myidp.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__connect.myidp.com&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=ZRxoy6LboCUVOSdvaKuUa2q0bYlGv-xBKQr_PYRO1Hg&s=JcMmHMLfNI_3lsrNceb6VM6dKMbZBX7-Urd_E6grwkg&e=>” } } } If you are writing code, if you agree that the OP issues a lot of events, you end up having to check that there’s no embedded “iss” present before you can assume the issuer of the subject is the same as that of the SET token. This strikes me as very complex. Regarding your assertion: Any “sub” at the top-level (if any) should be associated with the “iss” at the top-level, which is always the event issuer. May be you are thinking that we should be solving this by always issuing embedded iss and sub (Alternative 1): { "iss": "https://exampleretail.store.com<https://urldefense.proofpoint.com/v2/url?u=https-3A__exampleretail.store.com&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=ZRxoy6LboCUVOSdvaKuUa2q0bYlGv-xBKQr_PYRO1Hg&s=YZax0bYIy8_J3nc40E5kAMdsqQpui6Slj4YZYqI7bFM&e=>", "aud": ["connect.myidp.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__connect.myidp.com&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=ZRxoy6LboCUVOSdvaKuUa2q0bYlGv-xBKQr_PYRO1Hg&s=JcMmHMLfNI_3lsrNceb6VM6dKMbZBX7-Urd_E6grwkg&e=>"], "iat": 1471566154, "jti": "bWJq", "events": { "http://schemas.openid.net/risc/event-type/account-deleted<https://urldefense.proofpoint.com/v2/url?u=http-3A__schemas.openid.net_risc_event-2Dtype_account-2Ddeleted&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=ZRxoy6LboCUVOSdvaKuUa2q0bYlGv-xBKQr_PYRO1Hg&s=QHxJy7zqDzcRGhmcGhatA2k15bYULPODbW71Ztc4Kx4&e=>": { "iss”:”connect.myidp.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__connect.myidp.com&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=ZRxoy6LboCUVOSdvaKuUa2q0bYlGv-xBKQr_PYRO1Hg&s=JcMmHMLfNI_3lsrNceb6VM6dKMbZBX7-Urd_E6grwkg&e=>” "sub": "248289761001", } } } OR, Alternative 2: { "iss": "https://exampleretail.store.com<https://urldefense.proofpoint.com/v2/url?u=https-3A__exampleretail.store.com&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=ZRxoy6LboCUVOSdvaKuUa2q0bYlGv-xBKQr_PYRO1Hg&s=YZax0bYIy8_J3nc40E5kAMdsqQpui6Slj4YZYqI7bFM&e=>", "sub": "248289761001", "aud": ["connect.myidp.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__connect.myidp.com&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=ZRxoy6LboCUVOSdvaKuUa2q0bYlGv-xBKQr_PYRO1Hg&s=JcMmHMLfNI_3lsrNceb6VM6dKMbZBX7-Urd_E6grwkg&e=>"], "iat": 1471566154, "jti": “bWJq" “subIss”:”connect.myidp.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__connect.myidp.com&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=ZRxoy6LboCUVOSdvaKuUa2q0bYlGv-xBKQr_PYRO1Hg&s=JcMmHMLfNI_3lsrNceb6VM6dKMbZBX7-Urd_E6grwkg&e=>”, "events": { "http://schemas.openid.net/risc/event-type/account-deleted<https://urldefense.proofpoint.com/v2/url?u=http-3A__schemas.openid.net_risc_event-2Dtype_account-2Ddeleted&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=ZRxoy6LboCUVOSdvaKuUa2q0bYlGv-xBKQr_PYRO1Hg&s=QHxJy7zqDzcRGhmcGhatA2k15bYULPODbW71Ztc4Kx4&e=>": {} } } I can see pros and cons for either. I like option 1 because it also makes the SET different from ID Tokens and Access Tokens. Option 2 is nice because most SETs we’ve been talking about just have an event type and a subject and no claims. The best way to define this is to enforce that sub may only be used at the top level if it is globally identifiable (e.g. such as in the case of SCIM URIs). Phil Oracle Corporation, Identity Cloud Services Architect & Standards @independentid www.independentid.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.independentid.com&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=ZRxoy6LboCUVOSdvaKuUa2q0bYlGv-xBKQr_PYRO1Hg&s=1rw9A2hB-RR82vYgRNzhLmNcUkpJ6uyq4PFNDImb-78&e=> phil.hunt@oracle.com<mailto:phil.hunt@oracle.com> On May 18, 2017, at 10:40 AM, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote: I believe that the solution already discussed is the best one. If the event issuer is different than a logical issuer associated with the event subject, then put the logical “iss” and “sub” values inside the event. Any “sub” at the top-level (if any) should be associated with the “iss” at the top-level, which is always the event issuer. Any proposal that requires duplicating information, such as requiring “subIss” even when it’s always identical to “iss”, is not a great architectural choice, since it creates unnecessary error conditions that would not otherwise be possible. (How should implementations handle the case where two values are required to match but don’t?) -- Mike From: Id-event [mailto:id-event-bounces@ietf.org] On Behalf Of Phil Hunt (IDM) Sent: Thursday, May 18, 2017 7:31 AM To: Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> Cc: ID Events Mailing List <id-event@ietf.org<mailto:id-event@ietf.org>> Subject: Re: [Id-event] Dealing with issuer conflict ?? Happens in any case where sub is not globally identifiable. In Connect, since sub is not uniquely identified, the iss for the sub must be included. This creates a conflict if the issuer of the SET is not the issuer of the subject. Resolving the iss conflict has been on the list of issues since chicago. In RISC we were discussing account close events. I am assume one of the scenarios is RPs will notify IDPs when they close an account. They must use an iss not associated with sub. As things stand now, they will have to assert the extra iss value in their payload---which for most events is complex to parse since their are no other extra claims. Phil On May 18, 2017, at 6:36 AM, Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> wrote: Phil, would you clarify the use case and the requirement to ensure everyone on the list is aligned? Thanks On Wed, May 17, 2017 at 9:45 PM Phil Hunt (IDM) <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote: In many cases where we are talking about events (eg risc) there is no need for extra claims other than the event type itself. It occurs to me that in the case of RP issued events the current sectoken format requires an embedded iss to deal with the conflict with the set issuer. It seems to add a lot of complication for most events. What if we defined a new sectoken top level attribute 'subIss' to mean "subject issuer" and keep iss reserved for the SET issuer. I would suggest this as a recommended attribute even when iss and subIss are the same for parsing consistency. Thoughts? Phil _______________________________________________ Id-event mailing list Id-event@ietf.org<mailto:Id-event@ietf.org> https://www.ietf.org/mailman/listinfo/id-event<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=p1Vsd1Hb7BX87sV4x9MhtsGbORcuiacHxujwThSnWh4&s=ATYzOXXGto5afit3OgTjh19KczxKCvaBwC7ftofHMrs&e=> -- Subscribe to the HARDTWARE<https://urldefense.proofpoint.com/v2/url?u=http-3A__hardtware.com_&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=p1Vsd1Hb7BX87sV4x9MhtsGbORcuiacHxujwThSnWh4&s=NGbCAfBEl5TtskWdjjWOY2cQJA3Fsy9QvntPnstyIkc&e=> mail list to learn about projects I am working on! _______________________________________________ Id-event mailing list Id-event@ietf.org<mailto:Id-event@ietf.org> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=p1Vsd1Hb7BX87sV4x9MhtsGbORcuiacHxujwThSnWh4&s=ATYzOXXGto5afit3OgTjh19KczxKCvaBwC7ftofHMrs&e= _______________________________________________ Id-event mailing list Id-event@ietf.org<mailto:Id-event@ietf.org> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=8LfCYox0y3ghN8YAXLrAb5zfUt5rVD8vbwKwvw8-Rjk&s=gv4-yN8LDVir82WEWzix61-YzkrfquEPKMk_TtLylrw&e=
- [Id-event] Dealing with issuer conflict Phil Hunt (IDM)
- Re: [Id-event] Dealing with issuer conflict Dick Hardt
- Re: [Id-event] Dealing with issuer conflict Phil Hunt (IDM)
- Re: [Id-event] Dealing with issuer conflict Mike Jones
- Re: [Id-event] Dealing with issuer conflict Phil Hunt
- Re: [Id-event] Dealing with issuer conflict Mike Jones
- Re: [Id-event] Dealing with issuer conflict Phil Hunt (IDM)
- Re: [Id-event] Dealing with issuer conflict Mike Jones
- Re: [Id-event] Dealing with issuer conflict Marius Scurtescu
- Re: [Id-event] Dealing with issuer conflict Phil Hunt (IDM)
- Re: [Id-event] Dealing with issuer conflict Phil Hunt (IDM)
- Re: [Id-event] Dealing with issuer conflict Mike Jones