IETF Logo Mail Archive

Re: [Id-event] Options regarding SPAGs

Dick Hardt <dick.hardt@gmail.com> Sat, 20 March 2021 00:40 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3FB93A1574 for <id-event@ietfa.amsl.com>; Fri, 19 Mar 2021 17:40:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FSP8kIRA1_3Q for <id-event@ietfa.amsl.com>; Fri, 19 Mar 2021 17:40:36 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3E9B3A1572 for <id-event@ietf.org>; Fri, 19 Mar 2021 17:40:35 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id f26so14011964ljp.8 for <id-event@ietf.org>; Fri, 19 Mar 2021 17:40:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=L9Qo2tsiwvB7xr0LPut9YcVo4dsgbcpN9puuho7v8Fs=; b=P6Gm2NtyjjTy1pWWP/LEUDepRkw5oSgoV3+t5mLaLOACVlMsP9JWg9T13kT/y4arMR DtD1CTVtZqnSkcbKvrNeuyezC0vQBOlBRv2VQutUzkmWMy217DrHqpF23rvybjz4kx4n 64KcIf2y0puNUIltZYlvPMUjGa+Bvv6tTyy29MlChUGvEKiFc0WNkcGtmHyGk7P5Co++ aSYIbaFqmXGfltMIpaDjQqWVmTedhJWcf3H2iEQzn4HRC3u3fYIjCutXcai6SYHKuHIM eyRr18Cw0pHiWfRxEkT1Hz5t4sjmo6ohktf4YzIgimSfYL5zY6wp1devRs0iJclAQLlX ZKDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=L9Qo2tsiwvB7xr0LPut9YcVo4dsgbcpN9puuho7v8Fs=; b=oA532Lu8b0bmmGMyqEVIiUdRXW2/DcCdR3D0l7PYjLmScoOlHLxzFOjqreRfrT1UuL utlB+11J2eJlcJze/4QthY8pITxDquTEaTsH7EhAvtwSYroDWB3/7oKUrelwu1VjjpNM rfArenTdluRWFaEa2VgASwNX82eZu9uSGGsMlGdl8kdrqKd1KH5Vs9SnB02ySH/PjvZW bbkCfVvFCzv7iK0CKWe/MFT1Esw2O80BtJOEcAUkWmNogarI4kfakygzuSAEKQ4k9JJ7 2JsSIjJlV2fQMMavsP5sJdlG7tuuli5hGrfl/qF5MbpV91l2zaBRniRoFKGgytULJlvp XIFw==
X-Gm-Message-State: AOAM531CPmPoGtTRcaS6LOh29bNTLpeRM/4YvEVQcuIbVUrGnHq/fsxD kevXDQ0Elmi+LRYg5r5mXvz4PXQjb9jkYwvoLtY=
X-Google-Smtp-Source: ABdhPJwEqmYtyDyXPBNCBqZK2Qot2lZg64lfqDaYse+jb3tejIKmJkuWafyxQmkpHfoOkMuZVCydsMTrJ5Pfevam9RQ=
X-Received: by 2002:a2e:b051:: with SMTP id d17mr2353651ljl.255.1616200832351; Fri, 19 Mar 2021 17:40:32 -0700 (PDT)
MIME-Version: 1.0
References: <CAMCkG5vAnEyUeRjjRuyuk_mRQEXX2ZdZffGamzGg2+AzjMp9kQ@mail.gmail.com> <CAD9ie-tk53ztCTA8U2bNmaB9dd9x0bK6JNyN=kOU+=RJ8zEUCw@mail.gmail.com> <CAMCkG5v3FTnNz878Fg85hV1vYpVo1QO=AF49yvDOacw9bLw-vQ@mail.gmail.com> <CAD9ie-uzYxw=+5jzPAWL7L4iOBqVmZ2O5v8qhJQkFbHA-S9UFg@mail.gmail.com> <CAMCkG5uaVQu6nYtXqYTDv_ZTPxhR7ghu1NfPq7dZJD8y+i9v=Q@mail.gmail.com> <CAMCkG5voSEiucmbMumVhBUkVygruahnxhbDPkSuuzYMn200-Og@mail.gmail.com>
In-Reply-To: <CAMCkG5voSEiucmbMumVhBUkVygruahnxhbDPkSuuzYMn200-Og@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 19 Mar 2021 17:39:56 -0700
Message-ID: <CAD9ie-up5c28=GivrLjHt8cAz3CgDNacC+3usm-fOYXHVZST6A@mail.gmail.com>
To: Atul Tulshibagwale <atultulshi@google.com>
Cc: SecEvent <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007f834105bded14c4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/UyxImRqNTAINKwnmcHvu_D-nUZ0>
Subject: Re: [Id-event] Options regarding SPAGs
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Mar 2021 00:40:40 -0000

Thanks for the update Atul!

Glad to see a crisper solution.
ᐧ

On Fri, Mar 19, 2021 at 5:33 PM Atul Tulshibagwale <atultulshi@google.com>
wrote:

> Hi all,
> Based on recent discussions and consensus in the OpenID SSE working group,
> I'd like to note that the SSE draft no longer requires the use of SPAGs in
> subject identifiers. Other changes to the subject identifiers discussed in
> the SSE WG have already been reflected in the updated draft from Annabelle.
>
> We have instead settled on a new notion of "Complex Subject Types", which
> can contain multiple subject identifiers, each with a unique name. These
> names include things like "tenant" and "org_unit" instead of the generic
> "spag_id" that we had thought of earlier. If you'd like to take a look at
> the draft that introduces the new complex subject types, you can see it
> here:
> https://bitbucket.org/openid/risc/src/caep-draft-01/openid-sse-profile-1_0.txt
>
> Thanks,
> Atul
>
>
> On Tue, Dec 15, 2020 at 3:41 PM Atul Tulshibagwale <atultulshi@google.com>
> wrote:
>
>> Hi Dick,
>> Ideally, we would be able to discuss the complexity of SecEvent tokens
>> and whether SPAG belongs in a subject-identifier separately. However in
>> this case they seem somewhat intertwined. Nevertheless, I'm limiting my
>> response with the assumption that there is only one subject claim in a
>> SecEvent.
>>
>> Right now, restricting a SecEvent to be about one SPAG can work for the
>> events we have real use-cases for in SSE. We will still need SPAG as a
>> subject type of its own for control plane SecEvents, but we can define that
>> in the SSE spec if it is too specialized of a use case for the general
>> SecEvents Subject Identifiers spec.
>>
>> That said, I'd like us to focus on what it means to have a "spag_id"
>> claim within a subject identifier. The way I see it, SPAGs basically
>> capture the namespace separation for referring to subjects that may
>> otherwise be ambiguous.
>>
>> If we do not allow for adding SPAGs to the spec, we are basically saying
>> to multi-tenanted hosts that need such separation to always use the
>> "iss-sub" subject_type and form their own pseudo-standard of how to
>> differentiate between subject principals that belong to different SPAGs. I
>> can think of transmitters defining a URL pattern for the "iss" claim that
>> can be parsed to figure out the sub-organization that the "sub" is about.
>> It'll work, but the opportunity to standardize something that many
>> transmitters and receivers need is lost.
>>
>> So, even if we do not think we should add SPAGs to the spec right now, I
>> feel we should not preclude higher-level specs from adding such common
>> claims as SPAGs (i.e. the option #2 in my first email).
>>
>> Thanks,
>> Atul
>>
>> On Thu, Dec 10, 2020 at 3:47 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>>> Hi Atul
>>>
>>> I echo Phil's concerns wrt. multi subject SecEvents.
>>>
>>> FYI: I am more interested in understanding the use cases so that we can
>>> explore the various solutions than review your proposed changes. A SAML
>>> subject type makes sense to me as it is another subject identifier that is
>>> commonly used.
>>>
>>> wrt. SPAG -- another option would be to wrap the secevent object in a
>>> SPAG object -- this would also enable binding multiple secevents together.
>>>
>>> Given what I understand of the use case, where one channel is being used
>>> to exchange SecEvents that belong to different transmitters and senders,
>>> wrapping the SecEvent preserves the semantics of a SecEvent, and the SPAG
>>> wrapper identifiers the SPAG on the channel. Would that not work?
>>>
>>> /Dick
>>> ᐧ
>>>
>>> On Fri, Dec 4, 2020 at 4:41 PM Atul Tulshibagwale <atultulshi@google.com>
>>> wrote:
>>>
>>>> Hi Dick,
>>>> #4 may not always be an option if the event has more than one subject
>>>> claim (e.g. for an event like "device transfer").
>>>>
>>>> Regarding other additions:
>>>> *Subject Categories*:
>>>> Earlier, I had proposed that a subject identifier of any subject_type
>>>> have an optional common claim named "subject_category", which could
>>>> identify the type of subject principal the subject identifier refers to.
>>>> However, since the future of this request in the Subject Identifiers spec
>>>> wasn't clear, we decided to add a new "subject_type" in the SSE spec,
>>>> called "user-device-session". The SSE spec draft defines the algorithm to
>>>> figure out the category of the subject principal based on the content of
>>>> this subject identifier.
>>>>
>>>> As a result of this new subject type definition in the SSE spec draft,
>>>> "subject_category" is no longer a requirement for the SSE work. However,
>>>> since the SSE spec is still being drafted, if the Subject Identifiers spec
>>>> has the ability to add a subject category claim to any subject_type, then
>>>> we can possibly change the SSE spec to make use of it.
>>>>
>>>> *SAML Subject Type*:
>>>> I had proposed that a SAML subject type be introduced in the Subject
>>>> Identifiers. This will help us send and receive events relating to a
>>>> specific SAML-based federated session. I thought this would be a common
>>>> subject type of interest to the Subject Identifiers spec. However, we have
>>>> now added it as a subject type in the SSE draft spec. If the Subject
>>>> Identifiers draft were to include this, it would be very easy for us to
>>>> remove this from the SSE draft spec.
>>>>
>>>> BTW a good way to look at all my proposed changes to the Subject
>>>> Identifiers draft is by reviewing my pull request here:
>>>> https://github.com/richanna/secevent/pull/1
>>>>
>>>> Thanks,
>>>> Atul
>>>>
>>>>
>>>> On Thu, Dec 3, 2020 at 5:43 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>
>>>>> I think there is also a fourth option:
>>>>>
>>>>> 4. a SPAG identifier can be placed in a separate top level object or
>>>>> top level property
>>>>>
>>>>> Atul: in the other thread, you mentioned that there were other
>>>>> additions that the OpenID Shared Signals and Events WG is interested in.
>>>>> Would you enumerate them as well so that we can address all potential
>>>>> issues?
>>>>>
>>>>>
>>>>> ᐧ
>>>>>
>>>>> On Thu, Dec 3, 2020 at 3:04 PM Atul Tulshibagwale <atultulshi=
>>>>> 40google.com@dmarc.ietf.org> wrote:
>>>>>
>>>>>> Hi all,
>>>>>> Based on Dick's request, I'd like to summarize the situation with
>>>>>> SPAGs here.
>>>>>>
>>>>>> *Background*:
>>>>>> The present Subject Identifiers draft
>>>>>> <https://github.com/richanna/secevent/blob/1fd045d251ff3c6be9a500c6a78d895be3c6b2bf/draft-ietf-secevent-subject-identifiers.txt>
>>>>>> forbids a subject identifier of a specific subject_type from having any
>>>>>> claims that are not described in the subject_type. This prevents
>>>>>> higher-level specs from proposing any additional claims to be included in
>>>>>> subject identifiers of subject types that are defined in the Subject
>>>>>> Identifier spec.
>>>>>>
>>>>>> *SPAGs*:
>>>>>> Subject Principal Administrative Groupings or SPAGs are an addition
>>>>>> to the OpenID "Shared Signals and Events Profile of SETs"
>>>>>> <https://bitbucket.org/openid/risc/src/caep-draft-01/openid-sse-profile-2_0.txt>,
>>>>>> which is a revision of the "RISC Profile of SETs
>>>>>> <https://bitbucket.org/openid/risc/src/master/openid-risc-profile-1_0.txt>".
>>>>>> The present draft of the SecEvents Subject Identifiers spec is derived from
>>>>>> a section in this RISC Profile. The SSE Profile now refers to the SecEvents
>>>>>> Subject Identifiers draft.
>>>>>>
>>>>>> SPAGs are required to address the following needs:
>>>>>>
>>>>>>    1. Disambiguate a subject identifier if it belongs to more than
>>>>>>    one sub-organizations. For example, if the subject claim in an event is of
>>>>>>    the subject type "email", then a SPAG may be used to specify the
>>>>>>    sub-organization the specified email should be scoped down to. A dynamic
>>>>>>    organization may have the same email in multiple sub-organizations, and the
>>>>>>    event may apply to only one such sub organization.
>>>>>>    2. Provide a lighter weight mechanism to start and stop event
>>>>>>    streams for sub-organizations. These could be OUs or dynamic groups within
>>>>>>    an organization, or separate tenants in a multi-tenanted transmitter or
>>>>>>    receiver.
>>>>>>
>>>>>> *Requirements from Subject Identifiers*:
>>>>>>
>>>>>>    1. A SPAG may be specified as an additional attribute of a
>>>>>>    subject identifier with any subject type, in order to disambiguate and
>>>>>>    scope the event with that subject identifier.
>>>>>>    2. A SPAG may be a new subject type of its own when it is used in
>>>>>>    an event that specifies the starting or stopping of a stream.
>>>>>>
>>>>>> *Options*:
>>>>>> The following options are possible to address this requirement.
>>>>>>
>>>>>>    1. *Minimal Change to the present Subject Identifiers draft*:
>>>>>>    Remove the words "or not described" on line 247
>>>>>>    <https://github.com/richanna/secevent/blob/1fd045d251ff3c6be9a500c6a78d895be3c6b2bf/draft-ietf-secevent-subject-identifiers.txt#L247>.
>>>>>>    This way a higher-level spec that needs to add additional attributes to all
>>>>>>    subject identifiers used in that spec can add them and specify the
>>>>>>    additional attributes' optional or required nature. In this option, SPAGs
>>>>>>    will be defined in the SSE profile spec.
>>>>>>    2. *Include SPAGs in the Subject Identifiers spec*: Include
>>>>>>    language for SPAGs proposed earlier in this list, so that:
>>>>>>       1. Subject Principals and SPAGs are defined in the Subject
>>>>>>       Identifiers spec
>>>>>>       2. An additional attribute named "spag_id" is added as an
>>>>>>       optional attribute of any subject_type.
>>>>>>       3. An additional subject_type "spag" is defined (this is used
>>>>>>       primarily for "control plane" events.)
>>>>>>    3. *Do both 1. and 2*: With this, we will address the issue that
>>>>>>    higher-level specs cannot insert additional attributes in predefined
>>>>>>    subject types, and define SPAGs within the Subject Identifiers spec.
>>>>>>
>>>>>> Thanks,
>>>>>> Atul
>>>>>>
>>>>>> _______________________________________________
>>>>>> Id-event mailing list
>>>>>> Id-event@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/id-event
>>>>>>
>>>>>

v2.23.0 | Report a Bug | By Email