Re: [Id-event] Options regarding SPAGs
Dick Hardt <dick.hardt@gmail.com> Thu, 10 December 2020 23:47 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9E943A1354 for <id-event@ietfa.amsl.com>; Thu, 10 Dec 2020 15:47:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t_t1cx8qmEy4 for <id-event@ietfa.amsl.com>; Thu, 10 Dec 2020 15:47:50 -0800 (PST)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36B173A138F for <id-event@ietf.org>; Thu, 10 Dec 2020 15:47:49 -0800 (PST)
Received: by mail-lf1-x12a.google.com with SMTP id h19so10770017lfc.12 for <id-event@ietf.org>; Thu, 10 Dec 2020 15:47:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=25In8jNQwkQ9PLbk/em+9pYF7+X5XHEqVvt2BIl0btk=; b=X+G7hNqu3tcPX9v9niVcAlPR6wZt4p2BLWeoPXcvTX1aH4xbNzX1FGnTxWtXJ53Xjq oklEKtthQ0zbL4BTisIAdkeufhgL8VAK3BSXB/0ejmrVapoTNzzddoT4IZ1PWybUXvNk 1iYlc3GjS9DKdinMUbObWtiA7jtBxdGI09M8zg4SkexzjKM0pkT9vYukZXggknrPD4gk TMO/+Rw1fCf+xjriTH6Oy37p9JYNnFD8GSep2IcvAYkvmhBNZCAf4VglS14Nn9OGYzou BGYHm+9OHlRfLkjQLzvdGrMFaOPlHRPvZxRmITBT39k1cJ6O5Mnec0mIWLhlvJYQHYAh Tlww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=25In8jNQwkQ9PLbk/em+9pYF7+X5XHEqVvt2BIl0btk=; b=exV1nVYvYiEb8h4+SBOWg7ZsRyRp/vs11tEiQCHDHcNFKo6gNIYtgU5jv3b93ThA+O H52DW4CtRnQsjd7z0C7+Tadv5GMnCnYNietlUizyIPG06pQAC5n/Rk86rlL7Cw72eodq RuLBKFtDLcKqgqXdqi4+9CFbMRrmGDeGiMt9tmk0sx4PQ7CE832zz5ZG39fWKtglufXm MTZifQFjX5nZX5SFik72P4lMKvlmIYpPLOpGiztED96GfJoJzkIJxxI1mjaFhFVGaW3w h77zlhubcqEyWubAe1t/SuKNJmHlnT4+ALiSsf5lvidOyXS4ywf8v5GH+HEyKLjkzOHv RkuA==
X-Gm-Message-State: AOAM533X4Ra/+vT4VMBJirK1NbnxqwKYrG3WWpKBFDEW+aV6DnEYRCfd pUfz+xWnF5Cx/WBQ3fEBezXI5TAzBPvrZw2sfKM=
X-Google-Smtp-Source: ABdhPJx92ZF7QRC/xEuOphHsY79Z4uCVqVCUgcOYKFZaANt2xmqFgdINY7N3JoUIBnWqowO9Xckjbeyscdm4iNImKlw=
X-Received: by 2002:a19:3818:: with SMTP id f24mr1466915lfa.89.1607644066968; Thu, 10 Dec 2020 15:47:46 -0800 (PST)
MIME-Version: 1.0
References: <CAMCkG5vAnEyUeRjjRuyuk_mRQEXX2ZdZffGamzGg2+AzjMp9kQ@mail.gmail.com> <CAD9ie-tk53ztCTA8U2bNmaB9dd9x0bK6JNyN=kOU+=RJ8zEUCw@mail.gmail.com> <CAMCkG5v3FTnNz878Fg85hV1vYpVo1QO=AF49yvDOacw9bLw-vQ@mail.gmail.com>
In-Reply-To: <CAMCkG5v3FTnNz878Fg85hV1vYpVo1QO=AF49yvDOacw9bLw-vQ@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 10 Dec 2020 15:47:10 -0800
Message-ID: <CAD9ie-uzYxw=+5jzPAWL7L4iOBqVmZ2O5v8qhJQkFbHA-S9UFg@mail.gmail.com>
To: Atul Tulshibagwale <atultulshi@google.com>
Cc: SecEvent <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000897bc905b624cde8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/Hix1v3fgJi3jR4KC1e0yHCAaWIY>
Subject: Re: [Id-event] Options regarding SPAGs
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2020 23:48:00 -0000
Hi Atul I echo Phil's concerns wrt. multi subject SecEvents. FYI: I am more interested in understanding the use cases so that we can explore the various solutions than review your proposed changes. A SAML subject type makes sense to me as it is another subject identifier that is commonly used. wrt. SPAG -- another option would be to wrap the secevent object in a SPAG object -- this would also enable binding multiple secevents together. Given what I understand of the use case, where one channel is being used to exchange SecEvents that belong to different transmitters and senders, wrapping the SecEvent preserves the semantics of a SecEvent, and the SPAG wrapper identifiers the SPAG on the channel. Would that not work? /Dick ᐧ On Fri, Dec 4, 2020 at 4:41 PM Atul Tulshibagwale <atultulshi@google.com> wrote: > Hi Dick, > #4 may not always be an option if the event has more than one subject > claim (e.g. for an event like "device transfer"). > > Regarding other additions: > *Subject Categories*: > Earlier, I had proposed that a subject identifier of any subject_type have > an optional common claim named "subject_category", which could identify the > type of subject principal the subject identifier refers to. However, since > the future of this request in the Subject Identifiers spec wasn't clear, we > decided to add a new "subject_type" in the SSE spec, called > "user-device-session". The SSE spec draft defines the algorithm to figure > out the category of the subject principal based on the content of this > subject identifier. > > As a result of this new subject type definition in the SSE spec draft, > "subject_category" is no longer a requirement for the SSE work. However, > since the SSE spec is still being drafted, if the Subject Identifiers spec > has the ability to add a subject category claim to any subject_type, then > we can possibly change the SSE spec to make use of it. > > *SAML Subject Type*: > I had proposed that a SAML subject type be introduced in the Subject > Identifiers. This will help us send and receive events relating to a > specific SAML-based federated session. I thought this would be a common > subject type of interest to the Subject Identifiers spec. However, we have > now added it as a subject type in the SSE draft spec. If the Subject > Identifiers draft were to include this, it would be very easy for us to > remove this from the SSE draft spec. > > BTW a good way to look at all my proposed changes to the Subject > Identifiers draft is by reviewing my pull request here: > https://github.com/richanna/secevent/pull/1 > > Thanks, > Atul > > > On Thu, Dec 3, 2020 at 5:43 PM Dick Hardt <dick.hardt@gmail.com> wrote: > >> I think there is also a fourth option: >> >> 4. a SPAG identifier can be placed in a separate top level object or top >> level property >> >> Atul: in the other thread, you mentioned that there were other additions >> that the OpenID Shared Signals and Events WG is interested in. Would you >> enumerate them as well so that we can address all potential issues? >> >> >> ᐧ >> >> On Thu, Dec 3, 2020 at 3:04 PM Atul Tulshibagwale <atultulshi= >> 40google.com@dmarc.ietf.org> wrote: >> >>> Hi all, >>> Based on Dick's request, I'd like to summarize the situation with SPAGs >>> here. >>> >>> *Background*: >>> The present Subject Identifiers draft >>> <https://github.com/richanna/secevent/blob/1fd045d251ff3c6be9a500c6a78d895be3c6b2bf/draft-ietf-secevent-subject-identifiers.txt> >>> forbids a subject identifier of a specific subject_type from having any >>> claims that are not described in the subject_type. This prevents >>> higher-level specs from proposing any additional claims to be included in >>> subject identifiers of subject types that are defined in the Subject >>> Identifier spec. >>> >>> *SPAGs*: >>> Subject Principal Administrative Groupings or SPAGs are an addition to >>> the OpenID "Shared Signals and Events Profile of SETs" >>> <https://bitbucket.org/openid/risc/src/caep-draft-01/openid-sse-profile-2_0.txt>, >>> which is a revision of the "RISC Profile of SETs >>> <https://bitbucket.org/openid/risc/src/master/openid-risc-profile-1_0.txt>". >>> The present draft of the SecEvents Subject Identifiers spec is derived from >>> a section in this RISC Profile. The SSE Profile now refers to the SecEvents >>> Subject Identifiers draft. >>> >>> SPAGs are required to address the following needs: >>> >>> 1. Disambiguate a subject identifier if it belongs to more than one >>> sub-organizations. For example, if the subject claim in an event is of the >>> subject type "email", then a SPAG may be used to specify the >>> sub-organization the specified email should be scoped down to. A dynamic >>> organization may have the same email in multiple sub-organizations, and the >>> event may apply to only one such sub organization. >>> 2. Provide a lighter weight mechanism to start and stop event >>> streams for sub-organizations. These could be OUs or dynamic groups within >>> an organization, or separate tenants in a multi-tenanted transmitter or >>> receiver. >>> >>> *Requirements from Subject Identifiers*: >>> >>> 1. A SPAG may be specified as an additional attribute of a subject >>> identifier with any subject type, in order to disambiguate and scope the >>> event with that subject identifier. >>> 2. A SPAG may be a new subject type of its own when it is used in an >>> event that specifies the starting or stopping of a stream. >>> >>> *Options*: >>> The following options are possible to address this requirement. >>> >>> 1. *Minimal Change to the present Subject Identifiers draft*: Remove >>> the words "or not described" on line 247 >>> <https://github.com/richanna/secevent/blob/1fd045d251ff3c6be9a500c6a78d895be3c6b2bf/draft-ietf-secevent-subject-identifiers.txt#L247>. >>> This way a higher-level spec that needs to add additional attributes to all >>> subject identifiers used in that spec can add them and specify the >>> additional attributes' optional or required nature. In this option, SPAGs >>> will be defined in the SSE profile spec. >>> 2. *Include SPAGs in the Subject Identifiers spec*: Include language >>> for SPAGs proposed earlier in this list, so that: >>> 1. Subject Principals and SPAGs are defined in the Subject >>> Identifiers spec >>> 2. An additional attribute named "spag_id" is added as an >>> optional attribute of any subject_type. >>> 3. An additional subject_type "spag" is defined (this is used >>> primarily for "control plane" events.) >>> 3. *Do both 1. and 2*: With this, we will address the issue that >>> higher-level specs cannot insert additional attributes in predefined >>> subject types, and define SPAGs within the Subject Identifiers spec. >>> >>> Thanks, >>> Atul >>> >>> _______________________________________________ >>> Id-event mailing list >>> Id-event@ietf.org >>> https://www.ietf.org/mailman/listinfo/id-event >>> >>
- [Id-event] Options regarding SPAGs Atul Tulshibagwale
- Re: [Id-event] Options regarding SPAGs Dick Hardt
- Re: [Id-event] Options regarding SPAGs Atul Tulshibagwale
- Re: [Id-event] Options regarding SPAGs Phillip Hunt
- Re: [Id-event] Options regarding SPAGs Atul Tulshibagwale
- Re: [Id-event] Options regarding SPAGs Phil Hunt
- Re: [Id-event] Options regarding SPAGs Dick Hardt
- Re: [Id-event] Options regarding SPAGs Atul Tulshibagwale
- Re: [Id-event] Options regarding SPAGs Atul Tulshibagwale
- Re: [Id-event] Options regarding SPAGs Dick Hardt