Re: [Id-event] Review of draft-ietf-secevent-subject-identifiers-05 by Michael Jones
Dick Hardt <dick.hardt@gmail.com> Sat, 11 July 2020 01:24 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42A133A09E9 for <id-event@ietfa.amsl.com>; Fri, 10 Jul 2020 18:24:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GF5uemmzqA1k for <id-event@ietfa.amsl.com>; Fri, 10 Jul 2020 18:24:12 -0700 (PDT)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 789333A09E1 for <id-event@ietf.org>; Fri, 10 Jul 2020 18:24:11 -0700 (PDT)
Received: by mail-lf1-x12b.google.com with SMTP id o4so4173260lfi.7 for <id-event@ietf.org>; Fri, 10 Jul 2020 18:24:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lAJEbXKSKoiQ47HbpPC4srSz3TSh88Spn9U82CCAEa4=; b=km7YJ4aByCqh6mL+t6R7SWxiZQyrsdY4yLVnYgxfAPt1xmX2YLGbaw7FCjR5W54TIh 0m4KGa2whOtBYgS68odUkP0+IJ09ed0dUtT0yrd5jBQY7hNDFdLcH2hp6n7vvUy96/1T WOBXfYcWoK9dGhB5v/fPVeEVvLADg1rlKzR1cTTzrGWR4nLJ3Z/p1s2a4D9fjxf5pF06 j3enVVXXVQxYVQ8+QXguSe2CUHLqOgkaCpikUNAzR9/bHCoXYcK3C4IXDX4XInRHZmGD ZVgjQ5NjIrbpe+4zHaLO1JSsBdl5/bMrheb0RGLdzGCT0wV7bDrfDlo46y0KUvGpkznv dIJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lAJEbXKSKoiQ47HbpPC4srSz3TSh88Spn9U82CCAEa4=; b=lxOF3wCqM/L0GKit+lMLaFTsi/NOgTx8E0IRdoOvt30JZ4bAb1I+MrWKWTfCB+m16N x97pfJIDYtdeiJArA/9qKyWbFuIGy2jFmj0GsaSn3p1JQp6DB64OZ74s8pDPz+Nbr1+u 6X+8UYWH0Q4LzJ/bRSYQU2D7SB139lLH0pkjwu/sbWAp776vrc1+Hj57sJxnEyck9FvN EG1he1oSM4v/1MBkiYbcFTSWEmWLoo5+/06lgL3nv/ikQ5BqLSU4PkH9nHERmCmsYObz oScor93JjGsQtgBSNfvAdiXM1Pb5/BES+5UJAAMEdCy34Dgm0QcjhPD57s2wuhJRe3hD LCHA==
X-Gm-Message-State: AOAM53273xTWo3BZ3e61j8MyKhRUFYkAyG2lC5iuvDIkyUvci/eTdUrd C5kwnFNSv8tPIeXgbHNo41lN7SjfG4oDnsqbrxz2AS91MI8=
X-Google-Smtp-Source: ABdhPJxDopexEla81gYdyop3eINKtPVBVXe6Am5tgIEFmXn/R1GPZShDTI+tSMpfQ2iDOVdy4EXUv68BwnndKTDgYa8=
X-Received: by 2002:ac2:518c:: with SMTP id u12mr44987758lfi.91.1594430649466; Fri, 10 Jul 2020 18:24:09 -0700 (PDT)
MIME-Version: 1.0
References: <BY5PR00MB0676DAA4C5ECC281853BDA15F5650@BY5PR00MB0676.namprd00.prod.outlook.com> <3B0F8089-26CD-46F6-ACC4-B239358BF051@amazon.com>
In-Reply-To: <3B0F8089-26CD-46F6-ACC4-B239358BF051@amazon.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 10 Jul 2020 18:23:33 -0700
Message-ID: <CAD9ie-tCTy8SCDOtt=9iF4UOTQdmZZwP_1xfepgG=QXXhGQ5KA@mail.gmail.com>
To: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
Cc: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "id-event@ietf.org" <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007b04c705aa205041"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/Smv6iRpBMjUZUFXCPYG47NjEu8k>
Subject: Re: [Id-event] Review of draft-ietf-secevent-subject-identifiers-05 by Michael Jones
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jul 2020 01:24:14 -0000
<personal hat> Email canonicalization is a big can of worms. I think adding in what is standardized per Mike's suggestion is useful. Below is a suggested revision for the second sentence. 3.2.1. Email Canonicalization Many email providers will treat multiple email addresses as equivalent. *While the domain portion of the an RFC 5322 email address is consistently treated as case-insensitive per RFC 1034, some providers treat local part of the email address as case-insensitive, and consider "user@example.com <user@example.com>", "User@example.com <User@example.com>", and "USER@example.com <USER@example.com>" as equivalent email addresses. * <snip> On Fri, Jul 10, 2020 at 2:57 PM Richard Backman, Annabelle <richanna= 40amazon.com@dmarc.ietf.org> wrote: > Thanks for the review, Mike. I had a few follow up questions [richanna] > inline [/richanna]. > > > > – > > Annabelle Backman (she/her) > > AWS Identity > > https://aws.amazon.com/identity/ > > > > > > *From: *Id-event <id-event-bounces@ietf.org> on behalf of Mike Jones > <Michael.Jones=40microsoft.com@dmarc.ietf.org> > *Date: *Thursday, July 9, 2020 at 8:55 PM > *To: *"id-event@ietf.org" <id-event@ietf.org> > *Subject: *[EXTERNAL] [Id-event] Review of > draft-ietf-secevent-subject-identifiers-05 by Michael Jones > > > > *CAUTION*: This email originated from outside of the organization. Do not > click links or open attachments unless you can confirm the sender and know > the content is safe. > > > > I did a cover-to-cover read of > draft-ietf-secevent-subject-identifiers-05. My resulting review comments > follow, grouped into substantive and editorial sections. > > > > SUBSTANTIVE COMMENTS > > > > Abstract – Remove [JSON], [JWT], and [SET] references. Past IESG reviews > of other specs have told me that citations are not allowed in abstracts, > since they need to stand alone without the rest of the specification. > > > > 2. Notational Conventions > > > > Copy > https://tools.ietf.org/html/draft-ietf-secevent-http-poll-12#section-1.2 > and make it a Definitions or Terminology sub-section under the current > Notational Conventions section. > > > > 3. Subject Identifiers – The language “Every Subject Identifier Type MUST > have a unique name registered…” is surprisingly different that the > corresponding JWT spec language with also allows Private identifiers and > Collision-Resistant identifiers. Why not also allow them here? > > > > [richanna] > > Funnily enough, this exact thing came up on the OIDF SSE call this week. > 😃 > [/richanna] > > > > 3. Subject Identifiers – The term “payload claims” is confusing. Please > change this term to “Subject Identification Claims” throughout the > specification. > > > > [richanna] > > Agreed on not using “payload claims”. Replacement is TBD, but I think we > can and should avoid the word “claim” here, since that is a very specific > thing in the JWT world. > [/richanna] > > > > 3.1. Account Subject Identifier Type – Figure 1 – This figure is confusing > because it makes it seem like “subject_type” and “uri” are top-level JWT > claims. Please correct this possible confusion by adding "sub_id": to > the example. The updated example would look like this: > > > > "sub_id": { > > "subject_type": "account", > > "uri": "acct:example.user@service.example.com", > > } > > > > Also add "sub_id": to all other examples, such as those in 3.2, 3.3, 3.4, > etc. > > > [richanna] > Subject Identifiers can occur outside of JWTs, and not only as the value > of the JWT “sub_id” claim. Adding context representing one use case for > Subject Identifiers makes these examples unnecessarily complicated. I > suggested on Phil’s review that we could add examples of Subject > Identifiers being used in context (e.g., as a “sub_id” claim or embedded > within a SET event payload) earlier in the doc, and move away from using > “claim” to refer to the members within a Subject Identifier JSON object. > Would that address your concern? > [/richanna] > > 3.2.1 Email Canonicalization – Please add a note that the domain portion > of an RFC 5322 addr-spec already must be treated in a case-insensitive > manner, per RFC 1034. > > > > [richanna] > It strikes me as weird to pull this into the doc. If we changed the second > sentence of 3.2.1 to specify the local part, e.g., “some providers treat > the local part of email addresses as case-insensitive” would that address > your concern? > [/richanna] > > > > 3.3. Phone Number Subject Identifier – Please change all instances of > “phone-number” to “phone_number” to match the JWT claim of the same name. > This occurs multiple times throughout the specification. > > > > 3.4. Issuer and Subject Subject Type Identifier – Add a note that this is > the way that subjects are identified in OpenID Connect ID Tokens. > > > > 5.1. Identifier Correlation – Add this phrase to the end of the last > sentence “or when correlation is essential to the use case”. > > > > 6. Security Considerations – Talk about integrity-protecting SETs. Borrow > or reference security considerations from the other SecEvent specs. > > > > 7.1. Security Even Subject Identifier Types Registry – Please add a > suggestion to IANA that this registry be located at > https://www.iana.org/assignments/secevent/. > > > > 7.1.1. Registration Template – Add underscore “_” to the set of acceptable > characters. > > > > 7.1.1. Registration Template – Change Controller – Remove OpenID > statements and replace them by IETF specifications and “IETF”. > > > > 7.1.1. Registration Template – Defining Document(s) – Also add > “prohibited” to the list of conditions to be described. > > > > 7.1.3. Guidance for Expert Reviewers – State that multiple Expert > Reviewers should be appointed. You can borrow language about that from RFC > 7519.. > > > > 7.2. JSON Web Token Claims Registration – Change “established by [SET]” to > “established by “[JWT]”. > > > > Acknowledgements – Also acknowledge the SecEvent working group and its > members. > > > > EDITORIAL COMMENTS > > > > 1. Introduction – Change “section 1.2” to “Section 1.2” (and similarly > change to Title Case for any other occurrences of “section”, “figure”, or > “table”). > > > > 1. Introduction – Add a comma after “but not limited to”. > > > > 1. Introduction – Add a comma after “for example”. > > > > 2. Notational Conventions – Update to use RFC 8417 language. > > > > 3. Subject Identifiers – Change “which” to “that” in “which are to be > interpreted” > > > > 3.1. Account Subject Identifier Type – Figure 1 – It’s odd to have a > period ending a sentence fragment. Delete the period at the end of the > figure caption. Do this for all other figures when the caption is also a > sentence fragment, such as Figure 2, Figure 3, Figure 4, etc. > > > > 4.1. "sub_id" Claim – Change "sub_id" to <spanx > style="verb">sub_id</spanx> in the source so that the formatting is > correctly applied across all output representations. Similarly, use spanx > style verb for all other instances of literals in the specification. > > > > 4.1. "sub_id" Claim – Likewise, change `sub` to <spanx > style="verb">sub</spanx> and `sub_id` to <spanx > style="verb">sub_id</spanx>. Search for other similar instances of uses of > " ' or ` in the spec and correct them to spanx style verb. > > > > 4.2. “sub_id” and “iss-sub” Subject Identifiers – This section seems to > repeat information in Section 3.4 (Issuer and Subject Subject Identifier > Type). Please consolidate them. > > > > 8.1. Normative References – IANA.JWT.Claims – Delete the odd text “n.d.,”. > > > > 8.1. Normative References – Choose one of [JWT] or [RFC7519] and delete > the other one. > > > > 8.1. Informative References – Change [OIDC] to the standard reference name > [OpenID.Core]. > > > > -- Mike > > > > > _______________________________________________ > Id-event mailing list > Id-event@ietf.org > https://www.ietf.org/mailman/listinfo/id-event >
- [Id-event] Review of draft-ietf-secevent-subject-… Mike Jones
- Re: [Id-event] Review of draft-ietf-secevent-subj… Richard Backman, Annabelle
- Re: [Id-event] Review of draft-ietf-secevent-subj… Dick Hardt