[Id-event] Comments on draft-ietf-secevent-subject-identifiers

Denis <denis.ietf@free.fr> Mon, 15 March 2021 10:15 UTC

To: richanna@amazon.com, marius.scurtescu@coinbase.com, id-event@ietf.org
From: Denis <denis.ietf@free.fr>
Message-ID: <abf2756d-1c81-07df-e263-4dc7820292ef@free.fr>
Date: Mon, 15 Mar 2021 11:15:09 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/JdVHrgjYAIW3Cy7QP6v6PnRvK7Y>
Subject: [Id-event] Comments on draft-ietf-secevent-subject-identifiers

Hello Annabelle and Marius,

I am a participant in the GNAP WG. Since
draft-ietf-secevent-subject-identifiers is mentioned in
draft-ietf-gnap-core-protocol, I took a look at it.

Last week, I sent both of you two emails and since I got no response
(your anti-spam software might be too effective), I have subscribed to
the SECEVENT mailing list to make sure that this email will reach you.

I have two sets of comments.
Firstly, about the title and the abstract

The definition of Subject Identifier in draft-07 (section 3) is:

    A Subject Identifier is a JSON [RFC7159] object whose contents may
    be used to identify a subject within some context.

However, page 2 of draft-07 states:

    As described in Section 1.2 of SET [RFC8417], subjects related to
    security events may take a variety of forms, including but not
    limited to a JWT [RFC7519] principal, an IP address, a URL, etc.


RFC 8417 (Security Event Token (SET)) states in its abstract:

    Abstract

    This specification defines the Security Event Token (SET) data
    structure.  A SET describes statements of fact from the perspective
    of an issuer about a subject.  These statements of fact represent an
    event that occurred directly to or about a security subject, for
    example, a statement about the issuance or revocation of a token on
    behalf of a subject.  This specification is intended to enable
    representing security- and identity-related events.  A SET is a JSON
    Web Token (JWT), which can be optionally signed and/or encrypted.
    SETs can be distributed via protocols such as HTTP.

There is a need to be able to use subject identifiers that will not
necessarily be used in a Security Event Token (SET) data structure.

These Subject Identifiers might still be used in a Security Event Token
(SET) data structure, but not necessarily.

The current title of the draft is: "Subject Identifiers for Security
Event Tokens".

More appropriate titles would be:

    Subject Identifiers for Security Event Tokens and other purposes

or simply

    Subject Identifiers

The first sentence of the abstract should be slightly reworded or
could even be removed. Currently, it is:

    Security events communicated within Security Event Tokens may
    support a variety of identifiers to identify the subject and/or
    other principals related to the event.

Then, about the content of the draft

In the GNAP WG, it is envisioned to request some types of subject
identifiers to be placed into an access token, then to place some
subject identifiers (with their values) into an access token, and for
an RS (Resource Server) to compare these subject identifiers (with
their values) against validation rules originating from the RO
(Resource Owner) acting as an ADF (Access Decision Function), which
also uses the same subject identifiers (with their values).

In order to address privacy concerns, it is desirable to make a 
difference between:

    (1) a globally unique identifier (e.g. an email address, a social
    security number or a DID (Decentralized Identifier)), gu_id
    (2) an identifier locally unique to that AS for all the RSs, as_id
    (3) an identifier unique for every AS - RS pair, or rs_id
    (4) a temporary identifier for a single session (i.e. a large random
    identifier), session_id


More info is available in slides 9 to 12 presented at the last IETF
110 GNAP WG virtual meeting. These slides are available at:
https://datatracker.ietf.org/meeting/110/materials/slides-110-gnap-gnap-model-and-trust-relationships-00

For example, for a globally unique identifier:

"sub_id": {
  "subject_type": "gu_id",
  "gu_id": "email",
  "email": "john@hughes.com"
}

or

"sub_id": {
  "subject_type": "gu_id",
  "gu_id": "ssn",
  "cn": 250,
  "ssn": "170065550100"
}

or

"sub_id": {
  "format": "gu_id",
  "gu_id": "did",
  "did": "did:<DID Method>:<DID Method Specific String>"
}

For example, for an identifier locally unique to that AS for all the RSs:

"sub_id": {
  "format": "as_id",
  "iss": "http://issuer.example.com/",
  "id": "john_hughes.com"
}

For example, for an identifier unique for one AS - RS pair:

"sub_id": {
  "format": "rs_id",
  "iss": "http://issuer.example.com/",
  "rs": "http://server.com/",
  "id": "1452345734788822"
}


For example, for a temporary identifier valid for a single session:

"sub_id": {
  "format": "session_id",
  "iss": "http://issuer.example.com/",
  "session_id": "A57B893E17F6471D"
}


When supporting RBAC (Role Based Access Control), it would be nice to 
define a "sub_id" able to support roles.

For example, for an identifier supporting a role:

"sub_id": {
  "format": "as_role",
  "iss": "http://issuer.example.com/",
  "role": "science/teacher"
}

or

"sub_id": {
  "format": "as_role",
  "iss": "http://issuer.example.com/",
  "role": "auditor"
}

When supporting ABAC (Attribute Based Access Control), it would be nice
to define a "sub_id" able to support group memberships.
For example, for an identifier supporting a group membership:

"sub_id": {
  "subject_type": "as_grp",
  "iss": "http://issuer.example.com/",
  "grp": "university/science/teacher"
}


Denis
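The sub_id formats and the RS-side comparison sketched in the message above, as an added Python example that is not part of the original e-mail, the draft, or any GNAP WG deliverable. It assumes the member names from the message's own examples (gu_id, as_id, rs_id, session_id, as_role, as_grp), accepts either "format" or the older "subject_type" as the discriminator, and treats role and group names as '/'-separated paths where a rule path matches any token path at or below it; that hierarchy rule, the DID/email syntax checks, and the sample token and RO rules are all constructed for the example. The point a practitioner would want to see is the rs_id check: an identifier minted for another RS is rejected before any comparison, which is what keeps the per-RS identifiers from being correlated.

```python
import re

# Members each proposed format must carry (assumed from the message's
# examples, not from the draft).
REQUIRED_MEMBERS = {
    "gu_id": {"gu_id"},
    "as_id": {"iss", "id"},
    "rs_id": {"iss", "rs", "id"},
    "session_id": {"iss", "session_id"},
    "as_role": {"iss", "role"},
    "as_grp": {"iss", "grp"},
}
# Who can correlate each identifier across contexts: the four privacy tiers
# from the message; role/group formats are treated as AS-scoped (assumption).
CORRELATION_SCOPE = {"gu_id": "global", "as_id": "as", "rs_id": "rs",
                     "session_id": "session", "as_role": "as", "as_grp": "as"}
SCOPE_ORDER = ["session", "rs", "as", "global"]  # narrowest first

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DID_RE = re.compile(r"^did:[a-z0-9]+:[A-Za-z0-9._%:-]+$")  # did:method:id shape


def parse_sub_id(obj):
    """Validate one sub_id object and return a normalized copy.
    Accepts "format" or "subject_type" as discriminator (normalized to
    "format") and strips stray whitespace from keys and string values."""
    fmt = obj.get("format", obj.get("subject_type"))
    if fmt not in REQUIRED_MEMBERS:
        raise ValueError(f"unknown sub_id format: {fmt!r}")
    out = {k.strip(): (v.strip() if isinstance(v, str) else v)
           for k, v in obj.items() if k not in ("format", "subject_type")}
    missing = REQUIRED_MEMBERS[fmt] - out.keys()
    if missing:
        raise ValueError(f"{fmt}: missing members {sorted(missing)}")
    out["format"] = fmt
    if fmt == "gu_id":
        kind = out["gu_id"]  # names the member that carries the global id
        if kind not in out:
            raise ValueError(f"gu_id kind {kind!r} has no value member")
        if kind == "email" and not EMAIL_RE.match(out["email"]):
            raise ValueError("malformed email")
        if kind == "did" and not DID_RE.match(out["did"]):
            raise ValueError("malformed DID")
        if kind == "ssn" and not isinstance(out.get("cn"), int):
            raise ValueError("ssn needs a numeric country code 'cn'")
    return out


def _path_matches(have, wanted):
    """Assumed hierarchy rule: a rule path matches itself or any descendant."""
    return have == wanted or have.startswith(wanted.rstrip("/") + "/")


def rs_accepts(sub_id, rule, this_rs):
    """Does a sub_id from an access token satisfy one RO/ADF rule at the RS
    identified by this_rs?  An rs_id minted for another RS is rejected
    outright, never compared, so two RSs cannot correlate the same subject."""
    sid, rul = parse_sub_id(sub_id), parse_sub_id(rule)
    if sid["format"] != rul["format"]:
        return False
    if sid["format"] == "rs_id" and sid["rs"] != this_rs:
        return False
    for key, wanted in rul.items():
        if key == "format":
            continue
        have = sid.get(key)
        if have is None:
            return False
        if key in ("role", "grp"):
            if not _path_matches(have, wanted):
                return False
        elif have != wanted:
            return False
    return True


def authorize(token_sub_ids, rules, this_rs):
    """Grant if any sub_id in the token satisfies any rule of the RO."""
    return any(rs_accepts(s, r, this_rs) for s in token_sub_ids for r in rules)


def least_correlatable(token_sub_ids):
    """The sub_id an RS should prefer for audit logs: the narrowest scope."""
    parsed = [parse_sub_id(s) for s in token_sub_ids]
    return min(parsed, key=lambda s: SCOPE_ORDER.index(CORRELATION_SCOPE[s["format"]]))


# Constructed sample token content and RO rules (values follow the message).
ISS = "http://issuer.example.com/"
THIS_RS = "http://server.com/"
TOKEN_SUB_IDS = [
    {"subject_type": "gu_id", "gu_id": " email", "email": "john@hughes.com"},
    {"format": "rs_id", "iss": ISS, "rs": THIS_RS, "id": "1452345734788822"},
    {"format": "session_id", "iss": ISS, "session_id": "A57B893E17F6471D"},
    {"subject_type": "as_grp", "iss": ISS, "grp": "university/science/teacher"},
]
RO_RULES = [
    {"format": "as_role", "iss": ISS, "role": "auditor"},
    {"format": "as_grp", "iss": ISS, "grp": "university/science"},
]

if __name__ == "__main__":
    print("granted at this RS:", authorize(TOKEN_SUB_IDS, RO_RULES, THIS_RS))
    print("log subject as:", least_correlatable(TOKEN_SUB_IDS))
    # The same rs_id presented to a different RS must not match anything.
    print("rs_id at other RS:",
          authorize(TOKEN_SUB_IDS, [TOKEN_SUB_IDS[1]], "http://other.example/"))
```

Run as a script it grants access (the group rule "university/science" covers "university/science/teacher"), picks the session_id for logging, and refuses the rs_id when the same token is shown to a different RS.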