IETF Logo Mail Archive

Re: [Id-event] Subject Principals and Subject Principal Administrative Groupings

Tim Cappalli <Tim.Cappalli@microsoft.com> Tue, 14 July 2020 15:53 UTC

Return-Path: <Tim.Cappalli@microsoft.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E6623A08D6 for <id-event@ietfa.amsl.com>; Tue, 14 Jul 2020 08:53:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iUe8xysmE6b7 for <id-event@ietfa.amsl.com>; Tue, 14 Jul 2020 08:53:25 -0700 (PDT)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-eopbgr640098.outbound.protection.outlook.com [40.107.64.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 244B93A08D4 for <id-event@ietf.org>; Tue, 14 Jul 2020 08:53:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aqRDwwiDIRWbv5xvvVI6kOhppPGS6XgW/ueH+7JUpEKbRiIowny0eQ0hkhQs3EuoL1+ojXDFgCuHTNF9w4kntg3HWxPaW/U3WPxkurPAwXhRPyVenXm0vjJYPd3RhrTV2GUkkfBOVyV8QDDQx35M5IpkmHwP/5rsfIAeX92NVOtFxZKRF6HixlCiPmZPRL41Y3qefSKYq4fja5Ro4Zx7Dfqo1b7zT/AbAgTJ6e/s7CWcfXH2xP6vAEpk3tYLTgMw71fvkeOeyPSuhd0EVJswc4m3qwYknHNr4gB8pK4XKrEd7Rp3INAIPOIwGpc9jkrEodKcCMbPmWoZxl9OoABIHQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8HjivB8P4B6xU/+5L94pwSFIXS23Wt/3GFwCjxIAHrs=; b=IoBBmjcCEh7cyE9wdc/YVV4rdyNekrEILB3cCRRIlaEunw8TO/6/LEPLoK1Sdgn1Xf/q8XGRsPpIZ81owBlwf+xHn11src/lKfGFqPC3IBOPKUK0QQLl4TDkBENrO8wpoRpsdrIn1m6jFhh9rrmlWxzBoFY0h67cr1Sy7nSxuoLQTUz4GVXB6GKpHIUzgZm7k/aL7qbFcd+0cNz4jzG3hnDJ/ZbwyhGdRnumnuuj0DKl7AGSa5k8XDNKT7ZNmdynkZOJqTJ5tdrOOmClnvtFw+LIn4o3foM7XXtnkXZQNe4FnlI9A9LG/1LLV3XKQQcnwYtbapXy1kjF99qyRPvPBg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8HjivB8P4B6xU/+5L94pwSFIXS23Wt/3GFwCjxIAHrs=; b=G2Iu5rsFyaxv/To20QRLtdvRZNOTzsa/TKxFf8gKfQ931kMDsf/Y4cmJnGo1LDe+4f/ugZabONLKhKbuj+KMGvazNq+6y/4ep1QJiCqiYKBgCUM33IqukojWHj7Fd1ms7FrFbrJ+Ch+yhDsakuQY4y7PALMLHWG7GEDUaM9/P9E=
Received: from DM6PR00MB0816.namprd00.prod.outlook.com (2603:10b6:5:208::12) by DM6PR00MB0846.namprd00.prod.outlook.com (2603:10b6:5:1b5::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3233.0; Tue, 14 Jul 2020 15:53:20 +0000
Received: from DM6PR00MB0816.namprd00.prod.outlook.com ([fe80::f138:129:83ad:8071]) by DM6PR00MB0816.namprd00.prod.outlook.com ([fe80::f138:129:83ad:8071%8]) with mapi id 15.20.3231.000; Tue, 14 Jul 2020 15:53:20 +0000
From: Tim Cappalli <Tim.Cappalli@microsoft.com>
To: Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org>, Mike Jones <Michael.Jones@microsoft.com>
CC: SecEvent <id-event@ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Thread-Topic: [Id-event] Subject Principals and Subject Principal Administrative Groupings
Thread-Index: AdZZdQCtdiOOYOmMSIKP7V+31IqM3AAecqAAAAIEbU8=
Date: Tue, 14 Jul 2020 15:53:19 +0000
Message-ID: <DM6PR00MB081613C5937AAE8494A2826E95610@DM6PR00MB0816.namprd00.prod.outlook.com>
References: <CH2PR00MB06786BC0E20E4CF98170AA54F5610@CH2PR00MB0678.namprd00.prod.outlook.com>, <CAMCkG5umX2+QPzQFPAcyVXisrh46oeJ1RurU4o1QkDD2nWA8OA@mail.gmail.com>
In-Reply-To: <CAMCkG5umX2+QPzQFPAcyVXisrh46oeJ1RurU4o1QkDD2nWA8OA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-07-14T15:53:05.3899414Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Privileged
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [100.0.202.188]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: dedc326f-0fd1-4836-51a6-08d8280e07f8
x-ms-traffictypediagnostic: DM6PR00MB0846:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <DM6PR00MB084645E788ED2654699F053595610@DM6PR00MB0846.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: UHJ6ajTgypfp8hf80tDT1x0RmPa+LH4gcojbja5JMvQ5JHi4wEN1OAktkKDADOgtwIwxkA8MpzdV2iqMomU2y9F2M/VMmxBWZAI75voOHE3dEGjDffZ4daiP83Fr0zP+NzXlROqSNS7UwdEgCKrQZl9uo31BT+Elft7eXV/95Ov5lxxK1QQAJ6daYcEEWTjphcLwO9UNTS/zu4Awc6axERnizjyKRIzwNnK3UsAuQq3VZi0CHSnhtss1mpdThDFY4uq6xfo9Ta/Ho/EEXP2+Rpj2WU1FBK7rR8AMI6dz3lldjJhpn255jI+Fk+sKcN2Rr32U0z8uouhY3iJfjMZfZ6b3SBba/4rn+4D5y1hZkdOXKq6i8Hwo3llc+qwH5B5J9GaWLZ5djKDEcURuOz+8YruzYnZoUK/t7DjiI3WIthAOglLgCjxDHETJ1q/2cSqBgDJuCZ2k1bttne6u6OFnow==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR00MB0816.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(39860400002)(396003)(136003)(346002)(376002)(366004)(82960400001)(82950400001)(8936002)(7696005)(52536014)(71200400001)(54906003)(53546011)(6506007)(10290500003)(4326008)(55016002)(9686003)(6636002)(110136005)(8676002)(8990500004)(186003)(76236003)(83380400001)(478600001)(966005)(5660300002)(86362001)(166002)(2906002)(33656002)(66946007)(30864003)(76116006)(26005)(91956017)(66476007)(64756008)(66556008)(66446008)(316002)(99710200001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: 76qOOoMBpUJoAflZ2Y8Z8HmG1RUM/v6qggDM//yrc94EHVA3udf+U26khKfhZdsQKBs3aCVpeWT5Q/QehBp/MxoBFqZDIl7+RKIihbaCGTTKS12GGVgkqqlQvyjUrNDZfNUYOtuKbSOWQSLuMxWn8keNXd1aRZyFpgyQMHWqqyniboj61GOgid6HS0NIC3EvDaQ33mgvBUMFzYdVopTbKeiTol0Yj99o3AWJ7U2Q5l4N14O2yYZW38VeLvJ723ar1sZ/LChdTkIMZGJAY0HxiEQUwLfw1t/+rxx5GxCWkDjkfiPq/u/dN4K6BIx+01yGaiSB3j2PckZv6dA3zkTeYXNIMgJ34EmrO+nd8uNMHq43hnduBe+aAVE0sfyBVEW2+h6DWk47t45NdypZ0PN9bupgHc3+nrYJ19We6NHBsVQTsi1dXndicAhxV7/nNhhCyThJ9HYMHw9yOE2yHIjBYwC4ANL1NFiEKvyCNvy2qhOAOK1zocI1HXuiUH/drPyqJLgiRHU6ueyAMFr5Qae4l7b23xhLgfmGkae8lHHFePNfo+/73LYYKcdDTLHu0I45/r+5C972YI0B9uljIDKCnQ==
Content-Type: multipart/alternative; boundary="_000_DM6PR00MB081613C5937AAE8494A2826E95610DM6PR00MB0816namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR00MB0816.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: dedc326f-0fd1-4836-51a6-08d8280e07f8
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jul 2020 15:53:19.9988 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: /feNwdBriNtcZBKiuQ7s7iwhn/vyWw6yQvgYE+LpztEEh1TdJmQRux+OXwPV7yNTxsFxhBbBpG3Ulbb2cQ3tgw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR00MB0846
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/3uiXotPEX7AAALjLrA2DDBsTOx0>
Subject: Re: [Id-event] Subject Principals and Subject Principal Administrative Groupings
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2020 15:53:28 -0000

I agree that SPAGs should be defined in the spec.

tim

From: Id-event <id-event-bounces@ietf.org>
Date: Tuesday, July 14, 2020 at 10:55
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: SecEvent <id-event@ietf.org>rg>, Dick Hardt <dick.hardt@gmail.com>
Subject: Re: [Id-event] Subject Principals and Subject Principal Administrative Groupings
A few points / responses:

  1.  Agree with Mike that spag_id should not be a required claim unless it's actually required for every subject. So keeping it optional (if we decide to have it at all) is the right thing to do.
  2.  IMO it will be far simpler for multi-tenanted hosts to use SPAGs rather than manage multiple event streams (i.e. one per tenant)
  3.  A multi-tenanted architecture is increasingly very common, so this will apply to a large number of organizations.
  4.  For single tenanted transmitters, the SPAG id may be inferred by receivers. Single tenanted receivers may ignore the SPAG ids in the subjects. So processing SPAGs in hybrid situations does not appear to be cumbersome.
  5.  The use of SPAGs is not limited to tenant-level information, since it may be applied to OUs or groups
  6.  If we agree that SPAG is a "meta concept" that applies in most situations, then capturing it in the spec is probably important. What Dick is proposing is a way to implement SPAGs without specifying them in a standard, so each entity is free to define it the way they want. This approach can cause incompatibilities.
  7.  Without SPAGs in the spec, if peers need to send events about SPAGs, then they need to use the "iss-sub" catch all to send events about enabling or disabling events about SPAGs. Since this is not standardized, it could also cause proprietary and incompatible implementations.
Atul

On Mon, Jul 13, 2020 at 5:23 PM Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
As I see it, the use cases that require a spag_id can use them when necessary (unless the working group decides on another way to do this) but I certainly would oppose requiring it when it’s unnecessary.

                                                       -- Mike

From: Id-event <id-event-bounces@ietf.org<mailto:id-event-bounces@ietf.org>> On Behalf Of Dick Hardt
Sent: Monday, July 13, 2020 5:13 PM
To: Atul Tulshibagwale <atultulshi@google.com<mailto:atultulshi@google.com>>
Cc: SecEvent <id-event@ietf.org<mailto:id-event@ietf.org>>
Subject: Re: [Id-event] Subject Principals and Subject Principal Administrative Groupings

Would different URLs for each relationship not solve your issue of maintaining secrets for each SPAG? For example:

https:/example.com/secevent/SPAG_ID_1<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fexample.com%2Fsecevent%2FSPAG_ID_1&data=02%7C01%7Ctim.cappalli%40microsoft.com%7C9ccd8d2be2814ab880e208d82805fa11%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637303353431075063&sdata=DJL1CFQXxAlH%2FECuofX26jHlMl%2F3ZZkzsx8CpaWqXdI%3D&reserved=0>

https:/example.com/secevent/SPAG_ID_2<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fexample.com%2Fsecevent%2FSPAG_ID_2&data=02%7C01%7Ctim.cappalli%40microsoft.com%7C9ccd8d2be2814ab880e208d82805fa11%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637303353431075063&sdata=tvfSRx1awudo6z%2B3wHdQbhsskKTp9gHxp%2Bt01PVKAxc%3D&reserved=0>

https:/example.com/secevent/SPAG_ID_3<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fexample.com%2Fsecevent%2FSPAG_ID_3&data=02%7C01%7Ctim.cappalli%40microsoft.com%7C9ccd8d2be2814ab880e208d82805fa11%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637303353431085057&sdata=AlxSKnSv%2BUyOmZ03PgZF%2BHLfpRnadcdLMJCyrTkyaX0%3D&reserved=0>

Then the credential is independent of the SPAG, but we are not injecting an identifier (spag_id) that is only relevant to orgs that want to use the same credentials across SPAG relationships.



On Mon, Jul 13, 2020 at 5:08 PM Atul Tulshibagwale <atultulshi@google.com<mailto:atultulshi@google.com>> wrote:
I am OK with making the spag_id a required claim in every subject identifier. For single tenanted transmitters, it would be a constant value for all events they generate.

On Mon, Jul 13, 2020 at 4:01 PM Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> wrote:
So the receiver is using authentication sometimes to determine SPAG, and not at other times?

I'm digging into this as I had always thought of the event being between two parties, where they are identified by the endpoint and/or the credentials.

Adding a relationship identifier seems to be solving the problem at the wrong layer, unless it is in all events.


On Mon, Jul 13, 2020 at 3:54 PM Atul Tulshibagwale <atultulshi@google.com<mailto:atultulshi@google.com>> wrote:
Sorry for the terse message.

If a single tenant transmitter is trusted by a multi-tenanted receiver for a specific tenant, then the SPAG-id need not be included if the subject is unique at the tenant level, because the receiver will automatically identify SPAG that the subject belongs to on its end (based on the authentication).



On Mon, Jul 13, 2020 at 3:37 PM Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> wrote:
Which part is not required?

On Mon, Jul 13, 2020 at 3:33 PM Atul Tulshibagwale <atultulshi@google.com<mailto:atultulshi@google.com>> wrote:
Not required, since the claim is optional.

On Mon, Jul 13, 2020 at 3:25 PM Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> wrote:
Would a transmitter that is only in one SPAG (a single tenant system) have to include its SPAG id in events sent to a receiver that accepts events from multiple SPAGs? But it would not include it in sending events to other receivers that have separate credentials for each relationship?



ᐧ

On Mon, Jul 13, 2020 at 3:05 PM Atul Tulshibagwale <atultulshi@google.com<mailto:atultulshi@google.com>> wrote:
That could be true but there are a few ways in which it can be avoided:

  1.  The peers leverage some higher-level trust to accept / decline events relating to lower level SPAGs. For example, if trust is established at a tenant level, then an OU level SPAG need not have its own authorization.
  2.  The secret required for establishing the authorization of a SPAG may be temporary. For example:

     *   An administrator signs in to their tenant in the transmitter's administrator console
     *   The admin obtains a temporary authorization (one-time code)
     *   The admin signs in to their tenant in the receiver's administration console and pastes in the one-time code
     *   The receiver sends a request to enable the stream for the specified SPAG with that one-time authorization.
In the first case, there are no additional secrets required. In the second case, the secret is temporary.



On Mon, Jul 13, 2020 at 2:34 PM Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> wrote:
I see the SPAG lets the transmitter and receiver provide context, as the subject identifier may be the same across SPAGs.

Now I'm trying to understand how the transmitter authenticates to the receiver if it does not have it's own secret (assuming that authentication model) -- IE, how does the receiver know the transmitter is authorized for that SPAG?


On Mon, Jul 13, 2020 at 2:08 PM Atul Tulshibagwale <atultulshi@google.com<mailto:atultulshi@google.com>> wrote:
Dick, your understanding is correct.

To clarify the proposal here, Here's the text I'm proposing to be added:

3.  Subject Principals

   Subject Principals are the management entities associated with
   Subjects.  These may be human or robotic principals or devices or
   other entities that are managed by transmitters and receivers.  For
   example, the same Subject Principal may be referred to by an email
   address or a phone number.  A transmitter or receiver will typically
   manage subject principals and organize them into sub-groupings such
   as tenants, groups, organizational units, etc.

   Subjects are identified by Subject Identifiers defined below.

3.1.  SPAGs

   Subject Principals MAY be grouped for administrative purposes into
   "Subject Principal Administrative Groupings" or SPAGs.  For example,
   all users belonging to one customer of a "multi-tenanted" Transmitter
   may be in one SPAG.  Alternatively, an Organizational Unit or a group
   of Subjects within a customer of a Transmitter (whether multi-
   tenanted or not) may be one SPAG.  SPAGs may have overlapping sets of
   Subjects.

   A SPAG MAY be the Subject of certain stream update events defined
   later in this spec, hence is defined as a Subject Type of its own
   below..  A SPAG identifier MAY be included in other subject types to
   disambiguate the subject.

   A SPAG subject identifier is agreed to offline between a transmitter
   and a receiver.
The benefits of doing this are:

  1.  Multi-tenanted hosts do not need to maintain secrets per tenant and per transmitter tenant if each tenant has to be an event transmitter and an event receiver of its own.
  2.  An event stream may be established between two multi-tenanted hosts, and so does not need to be managed at a per-tenant level
  3.  The same subject or subject principal may be a part of multiple SPAGs, and identifying the SPAG that an event relates to can be achieved if the standard allows for the SPAGs to be identified.


On Mon, Jul 13, 2020 at 11:32 AM Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> wrote:
To clarify, your proposal is driven by the implementation burden of maintaining separate secrets / streams between a transmitter and receiver?
ᐧ

On Mon, Jul 13, 2020 at 9:01 AM Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org<mailto:40google.com@dmarc..ietf.org>> wrote:
Hi all,
Here's a quick background for the proposal<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Frichanna%2Fsecevent%2Fpull%2F1&data=02%7C01%7Ctim.cappalli%40microsoft.com%7C9ccd8d2be2814ab880e208d82805fa11%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637303353431085057&sdata=8kZ%2FE667mzW9NoHuWC0UjIciV%2BEFDjXXPQccVoofSSk%3D&reserved=0> for including Subject Principals and Subject Principal Administrative Groupings or SPAGs in the Subject Identifiers spec.

Use of Subject Identifiers in Shared Signals and Events:
The Shared Signals and Events (SSE) profile of SETs specifies that transmitters and receivers send and receive SETs that contain Subject Identifiers. These subject identifiers have the format that is now being discussed as a separate specification here.

Transmitters and Receivers in SSE
The SSE profile defines transmitters and receivers as hosts that manage streams between peers. The receiver authenticates to the transmitter using OAuth, requiring the use of a secret per receiver. In a multi-tenanted host that handles hundreds of thousands or millions of independent tenants, maintaining such a secret per instance of a receiver is cumbersome. Furthermore, since a transmitter and a receiver has to maintain a stream per pair, creating such per-tenant streams can add significant implementation overhead.

SPAGs
Therefore, we need a notion of a grouping of subjects within the same transmitter and receiver to distinguish between various administrative groupings that exist within a host. These groupings could include tenants, organizational units or user groups.. This grouping is captured in the notion of a SPAG. The uniqueness of a user identifier (subject identifier) may also be limited to a SPAG. For example, if a random unique ID represents a user, then that ID may be unique within a SPAG and not universally across a transmitter or receiver. This is because each transmitter and receiver may have multiple connections to other transmitters and receivers, and ensuring uniqueness across all such peers is probably an intractable problem.

Subject Principals
While what is represented within a subject identifier may be only an aspect of the management entity, the administrative grouping is about the management entity itself. This could be the user, device or other principal that the subject identifier represents. Therefore, an abstract notion of a Subject Principal is also required in order specify what the grouping within a SPAG is about.

The above is captured in the "Subject Principal" and "SPAG" sections within the proposed PR<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Frichanna%2Fsecevent%2Fpull%2F1&data=02%7C01%7Ctim.cappalli%40microsoft.com%7C9ccd8d2be2814ab880e208d82805fa11%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637303353431095051&sdata=pj4WBHmM8VqizQydVnmsGZths6AJ9IgJTgnOpnMDe3U%3D&reserved=0>amp;reserved=0>.

Thanks,
Atul

_______________________________________________
Id-event mailing list
Id-event@ietf.org<mailto:Id-event@ietf.org>
https://www.ietf.org/mailman/listinfo/id-event<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fid-event&data=02%7C01%7Ctim.cappalli%40microsoft.com%7C9ccd8d2be2814ab880e208d82805fa11%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637303353431095051&sdata=4lnyQUcGLfoMktuNhXDCn%2B43Kg%2FjhyIaNiH6OlO7r2Q%3D&reserved=0>

v2.8.7 | Report a Bug | By Email