Re: [Id-event] New Version Notification for draft-ietf-secevent-subject-identifiers-06.txt

"Richard Backman, Annabelle" <richanna@amazon.com> Wed, 23 September 2020 00:37 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/VMr1J6KCIO4TNwutNldOKfsWyWA>

Hello Security Events working group,

A couple of weeks ago I published this update to the Subject Identifiers draft based on feedback from the recent email discussions. Unfortunately I failed to notice that a notification of the update did not go out to the working group mailing list – sorry about that!

In addition to various editorial fixes, I made a few more substantial edits based on working group feedback:

  1.  Expanded the introduction section with several examples of subject identifiers in use, and a section describing the difference between a subject identifier type – the type of identifier used to identify a subject, e.g., email address, phone number, SHA-256 thumbprint – and a subject type – the type of thing your subject principal is, e.g., user, group, server.

     *   In making these changes, I realized I made a grave error in naming the type member “subject_type”. I did not change its name in this draft, as I wanted to discuss this on list before doing so.

  2.  Removed the word “claim” except when used in reference to a JWT claim.

     *   Noticed while writing this that I missed a couple uses in the abstract. Oops.

  3.  Introduced some normative requirements around the use of both `sub` and `sub_id` in the same JWT: “implementations MUST NOT rely on both claims to determine the subject,” though falling back to one if the other isn’t understood (e.g., sub_id has an unknown subject identifier type) is allowed.

  4.  Added security considerations. Interested in feedback on this. The security considerations really depend on the context in which subject identifiers are used, so I’m trying to strike a balance between referencing likely relevant considerations and providing useful information without copying in a bunch of content that may or may not apply.


–
Annabelle Backman (she/her)
AWS Identity
https://aws.amazon.com/identity/

On Sep 4, 2020, at 6:34 PM, internet-drafts@ietf.org wrote:

A new version of I-D, draft-ietf-secevent-subject-identifiers-06.txt
has been successfully submitted by Annabelle Backman and posted to the
IETF repository.

Name:           draft-ietf-secevent-subject-identifiers
Revision:       06
Title:          Subject Identifiers for Security Event Tokens
Document date:  2020-09-04
Group:          Individual Submission
Pages:          19
URL:            https://www.ietf.org/id/draft-ietf-secevent-subject-identifiers-06.txt
Status:         https://datatracker.ietf.org/doc/draft-ietf-secevent-subject-identifiers/
Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers
Htmlized:       https://tools.ietf.org/html/draft-ietf-secevent-subject-identifiers-06
Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-secevent-subject-identifiers-06

Abstract:
  Security events communicated within Security Event Tokens may support
  a variety of identifiers to identify the subject and/or other
  principals related to the event.  This specification formalizes the
  notion of subject identifiers as named sets of well-defined claims
  describing the subject, a mechanism for representing subject
  identifiers within a JSON object such as a JSON Web Token (JWT) or
  Security Event Token (SET), and a registry for defining and
  allocating names for these claim sets.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
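The following is an added example, not code from the draft, the working group, or anyone on this thread. It shows how a relying party could apply the rule described in item 3 of the message above: when a JWT or SET payload carries both `sub` and `sub_id`, decide the subject from one claim only, and fall back to the other only when the preferred claim is absent or its subject identifier type is not understood. The `subject_type` member name is the one the -06 draft uses (as the message notes); the set of understood types (`email`, `phone_number`, `iss_sub`), the `prefer` policy knob, and all function and class names are assumptions of this example, not something the draft prescribes.

```python
"""Added example (not from the draft or this thread): resolve the subject of a
JWT/SET payload that may carry `sub`, `sub_id`, or both, relying on exactly one."""
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

# Subject identifier types this hypothetical relying party understands, mapped to the
# members each type requires (per draft -06). Any other `subject_type` value is
# treated as "not understood", which is what triggers the fallback below.
KNOWN_SUBJECT_TYPES: Dict[str, Tuple[str, ...]] = {
    "email": ("email",),
    "phone_number": ("phone_number",),
    "iss_sub": ("iss", "sub"),
}


@dataclass(frozen=True)
class Subject:
    source: str                  # which claim the decision rests on: "sub" or "sub_id"
    subject_type: str            # identifier type; a bare `sub` is modelled as iss_sub
    identifier: Tuple[str, ...]  # member values in KNOWN_SUBJECT_TYPES order


class SubjectError(ValueError):
    """Raised when no usable subject claim is present."""


def _nonempty_str(v: Any) -> bool:
    return isinstance(v, str) and v != ""


def understands_sub_id(sub_id: Any) -> bool:
    """True iff `sub_id` is a subject identifier object of a known type with every
    required member present as a non-empty string."""
    if not isinstance(sub_id, dict):
        return False
    st = sub_id.get("subject_type")
    if not isinstance(st, str) or st not in KNOWN_SUBJECT_TYPES:
        return False
    return all(_nonempty_str(sub_id.get(m)) for m in KNOWN_SUBJECT_TYPES[st])


def _from_sub_id(sub_id: Dict[str, Any]) -> Subject:
    st = sub_id["subject_type"]
    return Subject("sub_id", st, tuple(sub_id[m] for m in KNOWN_SUBJECT_TYPES[st]))


def _from_sub(claims: Dict[str, Any]) -> Optional[Subject]:
    # A bare `sub` is only meaningful relative to its issuer, so `iss` is required too.
    if _nonempty_str(claims.get("sub")) and _nonempty_str(claims.get("iss")):
        return Subject("sub", "iss_sub", (claims["iss"], claims["sub"]))
    return None


def resolve_subject(claims: Dict[str, Any], prefer: str = "sub_id") -> Subject:
    """Determine the subject from exactly one of `sub` / `sub_id`.

    `prefer` is local policy (an assumption of this example): the claim consulted
    first. The other claim is used only as a fallback when the preferred one is
    missing or not understood; the two are never combined or cross-checked, so the
    result always rests on a single claim.
    """
    if prefer not in ("sub", "sub_id"):
        raise ValueError("prefer must be 'sub' or 'sub_id'")
    order = (prefer, "sub" if prefer == "sub_id" else "sub_id")
    for claim in order:
        if claim == "sub_id" and understands_sub_id(claims.get("sub_id")):
            return _from_sub_id(claims["sub_id"])
        if claim == "sub":
            found = _from_sub(claims)
            if found is not None:
                return found
    raise SubjectError("no usable subject claim: sub absent/unusable and sub_id absent/unknown")


def subject_or_none(claims: Dict[str, Any], prefer: str = "sub_id") -> Optional[Subject]:
    """Convenience wrapper: None instead of SubjectError when nothing is usable."""
    try:
        return resolve_subject(claims, prefer)
    except SubjectError:
        return None


if __name__ == "__main__":
    # Constructed sample payloads (not real tokens).
    both = {"iss": "https://issuer.example", "sub": "user-123",
            "sub_id": {"subject_type": "email", "email": "alice@example.com"}}
    unknown = {"iss": "https://issuer.example", "sub": "user-123",
               "sub_id": {"subject_type": "did", "did": "did:example:123"}}
    print(resolve_subject(both))                # rests on sub_id (email)
    print(resolve_subject(both, prefer="sub"))  # rests on sub (iss_sub)
    print(resolve_subject(unknown))             # sub_id not understood, falls back to sub
```

The point of the `source` field is auditability: whichever claim the relying party acted on is recorded, so logs can show that a decision rested on `sub_id` rather than on some merged view of both claims, which is exactly what the quoted MUST NOT is guarding against.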