Re: [Id-event] Review of draft-ietf-secevent-subject-identifiers-05 by Michael Jones
"Richard Backman, Annabelle" <richanna@amazon.com> Fri, 10 July 2020 21:56 UTC
Return-Path: <prvs=4535bef39=richanna@amazon.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C67B83A0B5B for <id-event@ietfa.amsl.com>; Fri, 10 Jul 2020 14:56:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.597
X-Spam-Level:
X-Spam-Status: No, score=-9.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XNej-trcmw7F for <id-event@ietfa.amsl.com>; Fri, 10 Jul 2020 14:56:37 -0700 (PDT)
Received: from smtp-fw-6001.amazon.com (smtp-fw-6001.amazon.com [52.95.48.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66EFD3A0C22 for <id-event@ietf.org>; Fri, 10 Jul 2020 14:56:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1594418193; x=1625954193; h=from:to:date:message-id:references:in-reply-to: mime-version:subject; bh=hFILIXVQTR1pH3hUHnhWJsodoqkEKYuPmw5ZHOF207I=; b=fRMGMcrRNX6ve+pbgZmeSwfiH+cq9UubvAp1NEAGy07S1I4Qx9mCJw5+ 60Bx8/BPtNgJ+uGe/iBg05U/rYblFX8nrx1aUb173TrDFm2n8rECV7TV4 EG2Mneeoq4EuTFm7iV4inBqO0vzb/11aUJbaHLbzY+DMcwwJlHrS9bwKa 0=;
IronPort-SDR: VlcZ0GSTExYG4421PVDTcbXmk/VZYEn6Gt0L0YIGZDhAhp6NF+VhiqMRWofoNTJAi1BOEolrZR G74CQsCzyvEg==
X-IronPort-AV: E=Sophos; i="5.75,336,1589241600"; d="scan'208,217"; a="42668473"
Thread-Topic: [Id-event] Review of draft-ietf-secevent-subject-identifiers-05 by Michael Jones
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-1a-821c648d.us-east-1.amazon.com) ([10.43.8.6]) by smtp-border-fw-out-6001.iad6.amazon.com with ESMTP; 10 Jul 2020 21:56:32 +0000
Received: from EX13MTAUWC001.ant.amazon.com (iad55-ws-svc-p15-lb9-vlan2.iad.amazon.com [10.40.159.162]) by email-inbound-relay-1a-821c648d.us-east-1.amazon.com (Postfix) with ESMTPS id 2DEC1A17B4; Fri, 10 Jul 2020 21:56:30 +0000 (UTC)
Received: from EX13D11UWC003.ant.amazon.com (10.43.162.162) by EX13MTAUWC001.ant.amazon.com (10.43.162.135) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Fri, 10 Jul 2020 21:56:30 +0000
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13D11UWC003.ant.amazon.com (10.43.162.162) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Fri, 10 Jul 2020 21:56:30 +0000
Received: from EX13D11UWC004.ant.amazon.com ([10.43.162.101]) by EX13D11UWC004.ant.amazon.com ([10.43.162.101]) with mapi id 15.00.1497.006; Fri, 10 Jul 2020 21:56:30 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "id-event@ietf.org" <id-event@ietf.org>
Thread-Index: AdZWXhwXIwwWD9McR5OirUlEvStrBAAbC6SA
Date: Fri, 10 Jul 2020 21:56:30 +0000
Message-ID: <3B0F8089-26CD-46F6-ACC4-B239358BF051@amazon.com>
References: <BY5PR00MB0676DAA4C5ECC281853BDA15F5650@BY5PR00MB0676.namprd00.prod.outlook.com>
In-Reply-To: <BY5PR00MB0676DAA4C5ECC281853BDA15F5650@BY5PR00MB0676.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.36.20041300
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.160.65]
Content-Type: multipart/alternative; boundary="_000_3B0F808926CD46F6ACC4B239358BF051amazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/Rg-VFLLzVnltgDHw524U8UYu9Vw>
Subject: Re: [Id-event] Review of draft-ietf-secevent-subject-identifiers-05 by Michael Jones
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2020 21:56:46 -0000
Thanks for the review, Mike. I had a few follow up questions [richanna] inline [/richanna]. – Annabelle Backman (she/her) AWS Identity https://aws.amazon.com/identity/ From: Id-event <id-event-bounces@ietf.org> on behalf of Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> Date: Thursday, July 9, 2020 at 8:55 PM To: "id-event@ietf.org" <id-event@ietf.org> Subject: [EXTERNAL] [Id-event] Review of draft-ietf-secevent-subject-identifiers-05 by Michael Jones CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. I did a cover-to-cover read of draft-ietf-secevent-subject-identifiers-05. My resulting review comments follow, grouped into substantive and editorial sections. SUBSTANTIVE COMMENTS Abstract – Remove [JSON], [JWT], and [SET] references. Past IESG reviews of other specs have told me that citations are not allowed in abstracts, since they need to stand alone without the rest of the specification. 2. Notational Conventions Copy https://tools.ietf.org/html/draft-ietf-secevent-http-poll-12#section-1.2 and make it a Definitions or Terminology sub-section under the current Notational Conventions section. 3. Subject Identifiers – The language “Every Subject Identifier Type MUST have a unique name registered…” is surprisingly different that the corresponding JWT spec language with also allows Private identifiers and Collision-Resistant identifiers. Why not also allow them here? [richanna] Funnily enough, this exact thing came up on the OIDF SSE call this week. 😃 [/richanna] 3. Subject Identifiers – The term “payload claims” is confusing. Please change this term to “Subject Identification Claims” throughout the specification. [richanna] Agreed on not using “payload claims”. Replacement is TBD, but I think we can and should avoid the word “claim” here, since that is a very specific thing in the JWT world. [/richanna] 3.1. Account Subject Identifier Type – Figure 1 – This figure is confusing because it makes it seem like “subject_type” and “uri” are top-level JWT claims. Please correct this possible confusion by adding "sub_id": to the example. The updated example would look like this: "sub_id": { "subject_type": "account", "uri": "acct:example.user@service.example.com", } Also add "sub_id": to all other examples, such as those in 3.2, 3.3, 3.4, etc. [richanna] Subject Identifiers can occur outside of JWTs, and not only as the value of the JWT “sub_id” claim. Adding context representing one use case for Subject Identifiers makes these examples unnecessarily complicated. I suggested on Phil’s review that we could add examples of Subject Identifiers being used in context (e.g., as a “sub_id” claim or embedded within a SET event payload) earlier in the doc, and move away from using “claim” to refer to the members within a Subject Identifier JSON object. Would that address your concern? [/richanna] 3.2.1 Email Canonicalization – Please add a note that the domain portion of an RFC 5322 addr-spec already must be treated in a case-insensitive manner, per RFC 1034. [richanna] It strikes me as weird to pull this into the doc. If we changed the second sentence of 3.2.1 to specify the local part, e.g., “some providers treat the local part of email addresses as case-insensitive” would that address your concern? [/richanna] 3.3. Phone Number Subject Identifier – Please change all instances of “phone-number” to “phone_number” to match the JWT claim of the same name. This occurs multiple times throughout the specification. 3.4. Issuer and Subject Subject Type Identifier – Add a note that this is the way that subjects are identified in OpenID Connect ID Tokens. 5.1. Identifier Correlation – Add this phrase to the end of the last sentence “or when correlation is essential to the use case”. 6. Security Considerations – Talk about integrity-protecting SETs. Borrow or reference security considerations from the other SecEvent specs. 7.1. Security Even Subject Identifier Types Registry – Please add a suggestion to IANA that this registry be located at https://www.iana.org/assignments/secevent/. 7.1.1. Registration Template – Add underscore “_” to the set of acceptable characters. 7.1.1. Registration Template – Change Controller – Remove OpenID statements and replace them by IETF specifications and “IETF”. 7.1.1. Registration Template – Defining Document(s) – Also add “prohibited” to the list of conditions to be described. 7.1.3. Guidance for Expert Reviewers – State that multiple Expert Reviewers should be appointed. You can borrow language about that from RFC 7519.. 7.2. JSON Web Token Claims Registration – Change “established by [SET]” to “established by “[JWT]”. Acknowledgements – Also acknowledge the SecEvent working group and its members. EDITORIAL COMMENTS 1. Introduction – Change “section 1.2” to “Section 1.2” (and similarly change to Title Case for any other occurrences of “section”, “figure”, or “table”). 1. Introduction – Add a comma after “but not limited to”. 1. Introduction – Add a comma after “for example”. 2. Notational Conventions – Update to use RFC 8417 language. 3. Subject Identifiers – Change “which” to “that” in “which are to be interpreted” 3.1. Account Subject Identifier Type – Figure 1 – It’s odd to have a period ending a sentence fragment. Delete the period at the end of the figure caption. Do this for all other figures when the caption is also a sentence fragment, such as Figure 2, Figure 3, Figure 4, etc. 4.1. "sub_id" Claim – Change "sub_id" to <spanx style="verb">sub_id</spanx> in the source so that the formatting is correctly applied across all output representations. Similarly, use spanx style verb for all other instances of literals in the specification. 4.1. "sub_id" Claim – Likewise, change `sub` to <spanx style="verb">sub</spanx> and `sub_id` to <spanx style="verb">sub_id</spanx>. Search for other similar instances of uses of " ' or ` in the spec and correct them to spanx style verb. 4.2. “sub_id” and “iss-sub” Subject Identifiers – This section seems to repeat information in Section 3.4 (Issuer and Subject Subject Identifier Type). Please consolidate them. 8.1. Normative References – IANA.JWT.Claims – Delete the odd text “n.d.,”. 8.1. Normative References – Choose one of [JWT] or [RFC7519] and delete the other one. 8.1. Informative References – Change [OIDC] to the standard reference name [OpenID.Core]. -- Mike
- [Id-event] Review of draft-ietf-secevent-subject-… Mike Jones
- Re: [Id-event] Review of draft-ietf-secevent-subj… Richard Backman, Annabelle
- Re: [Id-event] Review of draft-ietf-secevent-subj… Dick Hardt