IETF Logo Mail Archive

Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

Mike Jones <Michael.Jones@microsoft.com> Tue, 07 March 2017 00:39 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AD8C12941C for <id-event@ietfa.amsl.com>; Mon, 6 Mar 2017 16:39:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.009
X-Spam-Level:
X-Spam-Status: No, score=-2.009 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I3deoRZq3GJ6 for <id-event@ietfa.amsl.com>; Mon, 6 Mar 2017 16:39:38 -0800 (PST)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02on0130.outbound.protection.outlook.com [104.47.37.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 669D1129565 for <id-event@ietf.org>; Mon, 6 Mar 2017 16:39:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=cTE2LczIOaFyf52L1fZASJxeeCvTcT1KUpvg/EJd3HU=; b=UWLeApjfvBLgssjE8PyVdftFDAu33Qcn/pHK9g4tFCZdF/Hy2cVbmew4EX7i39b7u1hhugXxnKB09p0wFlSFNaUJHJIP7/H4Q597UDP8BDqDSPMwcOjhskaF55LRrUrwIrieWVlTgFjX3CDLHQO+H5kTe/54P+G0o1XsS4jWOwU=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0502.namprd21.prod.outlook.com (10.172.122.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Tue, 7 Mar 2017 00:39:37 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.007; Tue, 7 Mar 2017 00:39:37 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Justin Richer <jricher@mit.edu>, "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Thread-Topic: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
Thread-Index: AQHSkrmW5tqPJIY8NEisvT0PLETCCaGFT4mAgAAhegCAAM4FAIACUTGg
Date: Tue, 07 Mar 2017 00:39:36 +0000
Message-ID: <CY4PR21MB0504F24541054228A72FC93FF52F0@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com> <7f44a710-0545-157c-b75e-d46853cf2e06@mit.edu> <4B014CCA-BCBE-4894-9F2F-17DA2541509A@oracle.com> <1bbfcb1f-c554-3baf-e260-fbd475c803bb@mit.edu>
In-Reply-To: <1bbfcb1f-c554-3baf-e260-fbd475c803bb@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: mit.edu; dkim=none (message not signed) header.d=none;mit.edu; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:1::36]
x-ms-office365-filtering-correlation-id: 921e317f-5e8c-480b-e860-08d464f26ed6
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR21MB0502;
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0502; 7:1bp2TTdcgItdkwAHpe4SAWaGvrst/ipAnkRqGeIKVLPCfme3VyV6OAMPdFD2c5XHYILhKjtZSsnUAi3n5VeVU9NY96pRWqXll0OU6x+Uv1VGsiydsvoO3t/EVJVl0sI/Suddi77o5MMA4XiJauuuKN+o6GRtst0S8r7hZum0/V/KvQXV4GLnBkEdYn3yJlz3Yx3NFE9gSLDIkURAytz/2BRpMzmVj321/cwrhcVZ8tfcLXkGniXZ4mYC7YdihbrXxWCRqUqDnGs55Ib4glfzXA8NFGzJPfSCu7V8bTs3+EQO5PVOw+//xypkr1XQXb8chTuu1z48h4jgHhfgdhMWn476CeOWS6oluFp8Gb/LUi0=
x-microsoft-antispam-prvs: <CY4PR21MB05020C73D2E6CBEE5EB937DAF52F0@CY4PR21MB0502.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(21748063052155)(146099531331640)(17755550239193)(201166117486090);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123560025)(20161123562025)(20161123555025)(20161123564025)(6072148); SRVR:CY4PR21MB0502; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0502;
x-forefront-prvs: 0239D46DB6
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(39850400002)(39860400002)(39840400002)(39410400002)(39450400003)(377454003)(24454002)(25786008)(2950100002)(6436002)(38730400002)(6246003)(102836003)(92566002)(790700001)(33656002)(8676002)(229853002)(5660300001)(5005710100001)(606005)(6116002)(10090500001)(8990500004)(86362001)(4326008)(2171002)(1680700002)(2906002)(76176999)(53936002)(81166006)(77096006)(53386004)(3280700002)(3660700001)(10290500002)(122556002)(2900100001)(575784001)(54356999)(53546006)(7906003)(54896002)(74316002)(93886004)(55016002)(7736002)(6306002)(99286003)(189998001)(50986999)(9686003)(236005)(7696004)(6506006)(106116001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0502; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0504F24541054228A72FC93FF52F0CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Mar 2017 00:39:36.9392 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0502
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/OhDFTm5z-ktgGquS4iLqKfoyruQ>
Cc: ID Events Mailing List <id-event@ietf.org>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 00:39:42 -0000

Justin, I suspect you didn’t see my earlier reply to Phil’s note that you also replied to, so I’m repeating it here and sending it to you directly.  (It wouldn’t be the first time that DMARC policies caused some of my contributions to be not received by some participants. :-( )

Agreed that this is unclear.  Duplicating information in a protocol *always* introduces an unnecessary error case – the need to define how to handle the situation in which two pieces of information that are required to be identical are different.  Information in a SET should occur at most once.

– Mike

From: Id-event [mailto:id-event-bounces@ietf.org] On Behalf Of Justin Richer
Sent: Sunday, March 5, 2017 5:13 AM
To: Phil Hunt (IDM) <phil.hunt@oracle.com>
Cc: ID Events Mailing List <id-event@ietf.org>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens


Yes, exactly. I believe the event payload should have clearly defined semantics within the event object itself. Claims within the object are defined and controlled by the event, and things outside the object are applicable to the SET itself. We already have several use cases listed where the issuer is different for the token and the event, and the subject and audience may be different as well. It's clear to me that this indicates that we should have clearly defined separation between the envelope (the SET) and the payload (the event).

I believe that duplication of information *lessens* the chance of error cases as there's now only one way to interpret each piece of data. If I get a token and I read "payload.iss" I know that it's the issuer of the SET. If I then read "payload.heart-resource-server-access-uri.iss" I know it's the issuer of the HEART audit event (to throw a strawman of one of many examples out there).

Yes, an event type could define its payload to never include "iss" inside of it and say "the issuer of the SET MUST be the same as the issuer of the event", if you really feel like optimizing things in your particular use case. But I do need to ask why you'd do that to yourself: If both issuers (or subjects, or audiences) are the same, then what harm is there in repeating the information other than to make the event body potentially larger? These aren't ID tokens being chucked around in browsers, so if that's the motivation I ask if we're not pre-optimizing a problem that we don't have.

In all cases I believe the SET definition should be very clear that any claims at the root apply to the SET itself and don't automatically flow down to the events inside the data objects within. The claims inside the event objects should be strictly more specifically applied to the events themselves.

 -- Justin

On 3/4/2017 7:55 PM, Phil Hunt (IDM) wrote:
That seems unclear.

Do you mean put subj ans issuer inside the payload regardless of whether the issuer of the event is the same or different from the subject?  That way it is always the same though it may be duplicative?

Phil

On Mar 4, 2017, at 2:56 PM, Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote:

3:

Put "iss" and "sub" inside the event when they apply to the event, even if they're the same as the "iss" and "sub" of the event token itself.

 -- Justin
On 3/1/2017 1:27 PM, Phil Hunt wrote:
In the comments on idtoken-07, Yaron raised concerns around the confusion of “iss” of the subject of the event vs. issuer of the event.  The current text says that if there is a need to distinguish between “iss” of the “sub” vs. “iss” of the event, then the event should place the “iss” of the subject in the event payload area.

I agree this does seem awkward.

I have been thinking a related concern, that a SET could be confused as an access token if it has a “sub” value.  If we stop using “sub” then we’re potentially causing web access management systems to reject SETs as invalid access tokens — this is theoretically a GOOD THING.

PLEASE INDICATE 1 or 2, or provide additional discussion.

Two options:

1. Leave as is.

2.  Create a new attribute object, “esub” (event subject) which is a JSON object that contains the attributes needed to identify the subject.  For example:

We currently have:

   {

     "jti": "fb4e75b5411e4e19b6c0fe87950f7749",



     "sub": "248289761001",

     "iat": 1458496025,

     "iss": "https://my.examplemed.com<https://my.examplemed.com/>",

     "aud": [

       "https://rp.example.com"

     ],

     "events": {

       "https://openid.net/heart/specs/consent.html":{

         "iss":"https://connect.example.com",

         "consentUri":[

           "https://terms.examplemed.com/labdisclosure.html#Agree"

         ]

       }

     }

   }

Could be represented as:

   {

     "jti": "fb4e75b5411e4e19b6c0fe87950f7749",



     “esub": {

       “sub”:"248289761001”,

       "iss":"https://connect.example.com”

     }

     "iat": 1458496025,

     "iss": "https://my.examplemed.com<https://my.examplemed.com/>",

     "aud": [

       "https://rp.example.com"

     ],

     "events": {

       "https://openid.net/heart/specs/consent.html":{

         "consentUri":[

           "https://terms.examplemed.com/labdisclosure.html#Agree"

         ]

       }

     }

   }

Comments:
* “sub” remains untouched in the sense that it retains the meaning used in traditional access tokens.
* “esub” contains the full information to address the subject.  No need to look around for a second “iss” (which may or may not be there)

To do this would require defining “esub” and sub-attributes like, “iss”, “sub” (which follow current defs), and probably “uri” for those entities that are referenceable as a URI.  Examples of URI subjects:
*  in implicit federation (from RISC):   “uri”:”mailto:phil.hunt@yahoo.com”
*  in SCIM where resources have URIs:  “uri”:”https://scim.example.com/Users/44f6142df96bd6ab61e7521d9"

One catch. Profiling specs would not be able to define new ways of addressing subjects with esub.

Phil

Oracle Corporation, Identity Cloud Services & Identity Standards
@independentid
www.independentid.com<http://www.independentid.com>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>










_______________________________________________

Id-event mailing list

Id-event@ietf.org<mailto:Id-event@ietf.org>

https://www.ietf.org/mailman/listinfo/id-event

v2.23.0 | Report a Bug | By Email