[Id-event] Late comment on experience with draft-ietf-secevent-subject-identifiers-12
Phillip Hunt <phil.hunt@independentid.com> Thu, 25 August 2022 17:01 UTC
Return-Path: <phil.hunt@independentid.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B34AFC152567 for <id-event@ietfa.amsl.com>; Thu, 25 Aug 2022 10:01:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.904
X-Spam-Level:
X-Spam-Status: No, score=-6.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=independentid-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u-jY6oyxBehj for <id-event@ietfa.amsl.com>; Thu, 25 Aug 2022 10:01:36 -0700 (PDT)
Received: from mail-pj1-x1033.google.com (mail-pj1-x1033.google.com [IPv6:2607:f8b0:4864:20::1033]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF9ABC1526EC for <id-event@ietf.org>; Thu, 25 Aug 2022 10:01:13 -0700 (PDT)
Received: by mail-pj1-x1033.google.com with SMTP id o4so966757pjp.4 for <id-event@ietf.org>; Thu, 25 Aug 2022 10:01:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=independentid-com.20210112.gappssmtp.com; s=20210112; h=to:date:message-id:subject:mime-version:from:from:to:cc; bh=O9BLMIsV7IDyZzp7S2rQGZSHex13b6Aq7yeMyLwRL4E=; b=QTuraP6/Ck82hExHjqsPXKO5wqdHGEJHPnruslKIeQLmpwb6KqW1x57AKKdewHsVyV SVX5GpF0v/o0ps4hM2ABWfgioi8lGLwglJdfJ0L/v+k2ETdRpizXIFfW8SaGfvYJwU3z yUVZQoz3jwzFCgVyD3+gVAI77R41PK+YpFhpFfkp6VJCH26W0Vduw1950flFzwlsN4l/ VttttbG+5dNkts62+tW34ReNm3vCkUIJnn4wMsKcoMUmQraUWjwS9nlMk7hED1O0MLaJ FkIv9MsmBkhj/T7Orsn/ZoMMQE8/t23GcT8EPGW9uUTTm760ntE4eiLmvCiXL0f0pRMQ kIJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:date:message-id:subject:mime-version:from:x-gm-message-state :from:to:cc; bh=O9BLMIsV7IDyZzp7S2rQGZSHex13b6Aq7yeMyLwRL4E=; b=faQjyAABRtzi6kB/cfpAKhPSWfu6/Cx9v3zqYnXe/qWObLXxbjWyWxzKdkHHsVfvJo 9zGpmvoxjRYkzJ1DtTIQ9lpNbl9r+/7UjIizu54XzxAiVM2qpQQqZnjFV+zrxcM9zTHm 6Pw/roUyW0kn5ITDjPzYXs6eQ2xodwj9vfo7URr4gXEYAr4bvYPU6BTWXCCBOo+jRDpI wWe9QMXpsPXhqfaIJ8py2I1G5FAGUviV/DpQPBNVE+VzmLmfzmKib2gzAvilhMTJhJTu l+8U9eulDbdPAH/CsvIe96dG/o2kMxFCn9ExBfyJTJNb2sEWG7cqpocbHVO0nSJpg2SQ d3pg==
X-Gm-Message-State: ACgBeo2EhZpQEAyv8xpRcm7jzZRtDvemIJW0E19L0f3ZdbPUcqbDfovO tGBsUqGY00TATsYpUPEintrOyD3V1NlaHw==
X-Google-Smtp-Source: AA6agR7j6JoP4vqPWZxOjBZ2iOp3StN6CN2CDyMw4WqBe470GSNjLB8sXQfnnc0a2udSU5EEsbIH5A==
X-Received: by 2002:a17:90b:1bd0:b0:1fb:740b:c3ba with SMTP id oa16-20020a17090b1bd000b001fb740bc3bamr37915pjb.61.1661446872271; Thu, 25 Aug 2022 10:01:12 -0700 (PDT)
Received: from smtpclient.apple ([2001:569:7a90:4400:8daa:d5ee:c0d3:b68c]) by smtp.gmail.com with ESMTPSA id n66-20020a622745000000b0052d981e7842sm15389510pfn.208.2022.08.25.10.01.11 for <id-event@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 25 Aug 2022 10:01:11 -0700 (PDT)
From: Phillip Hunt <phil.hunt@independentid.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_27F830AA-8913-43D5-BC50-2F986553BC3F"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Message-Id: <DF7EF9B9-3AB8-4D76-A15E-10C537FD03F2@independentid.com>
Date: Thu, 25 Aug 2022 10:01:08 -0700
To: ID Events Mailing List <id-event@ietf.org>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/Mn0HSQ0cuoczaFV0g1YE0yYovc4>
Subject: [Id-event] Late comment on experience with draft-ietf-secevent-subject-identifiers-12
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2022 17:01:40 -0000
Apologies for this late feedback. I felt it important to share my recent (right now) after recent review of interop with the OpenID Shared Signals draft and the new SCIM WG SCIM Events Profile draft (draft-ietf-scim-events-00 <https://datatracker.ietf.org/doc/draft-ietf-scim-events/>). It appears there is potential for interop concerns or mistakes arising because the examples in this draft suggests profilers to embed subject identifiers inside of the events claim that may suggest multiple events about different subjects are possible (contrary to RFC8417). A best practice would be to use the “sub_id” to hold such claims. It should be noted that the use of subject identifiers in event “payloads” should be supplemental to sub_id. A SET that contains multiple events about the same transaction must be about the same top-level identifier “sub_id” (per section 2.0 of RFC8417). For example in SCIM Events, a SET could be issued that contains both a provisioning event (urn:ietf:params:event:SCIM:prov:patch) AND a signal (urn:ietf:params:event:SCIM:sig:authMethod). In the current draft the “sub” claim ties the events together to indicate the event occurs from the same transaction about the same subject. In contrast, the OpenID RISC Profile embeds subjects in events: https://openid.net/specs/openid-risc-profile-specification-1_0-01.html The interop concern is: * Subject information located in differing places (top level sub_id claim or embedded in event payloads) * A possible impression a SET can contain multiple events with per event identifiers about different subjects contrary to section 2 RFC8417 I would like the authors to consider adjusting the draft to more strongly recommend “sub_id” as the main claim and that subject objects in event payloads SHOULD be specific to that event type (ie. as a supplemental context). From an inter-op perspective it is much easier to write code to look for sub_id and recognize it as a standard json object. I ran into this problem recently implementing SET for SCIM Events and testing interop with the implementation described at SharedSignals.guide. In this implementation, events are only accepted if subject is embedded in the event “payload” rather than as a top-level claim (“sub-id”). Further I have been asked if SCIM Events could adopt support this draft. If SCIM were to support it, we would use the ’sub_id’ claim. Off the top, this would make SCIM incompatible with the implementation of sharedsignals.guide which implements SSEF (https://openid.net/specs/openid-sse-framework-1_0-ID1.html). Phillip Hunt @independentid phil.hunt@independentid.com
- [Id-event] Late comment on experience with draft-… Phillip Hunt