IETF Logo Mail Archive

Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

Justin Richer <jricher@mit.edu> Sat, 04 March 2017 22:56 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B1C9120724 for <id-event@ietfa.amsl.com>; Sat, 4 Mar 2017 14:56:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OPDxHaSPBggi for <id-event@ietfa.amsl.com>; Sat, 4 Mar 2017 14:56:17 -0800 (PST)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75A00126BF6 for <id-event@ietf.org>; Sat, 4 Mar 2017 14:56:17 -0800 (PST)
X-AuditID: 1209190d-92fff70000001fdb-c7-58bb460f290a
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id D0.7D.08155.F064BB85; Sat, 4 Mar 2017 17:56:15 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v24MuETe023714; Sat, 4 Mar 2017 17:56:15 -0500
Received: from [192.168.128.57] (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v24MuDVS021169 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sat, 4 Mar 2017 17:56:14 -0500
To: Phil Hunt <phil.hunt@oracle.com>, ID Events Mailing List <id-event@ietf.org>
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com>
From: Justin Richer <jricher@mit.edu>
Message-ID: <7f44a710-0545-157c-b75e-d46853cf2e06@mit.edu>
Date: Sat, 04 Mar 2017 17:56:01 -0500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com>
Content-Type: multipart/alternative; boundary="------------45C7887BAA7F81E056CB878C"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrBIsWRmVeSWpSXmKPExsUixCmqrMvvtjvC4OtuM4uOBd1MFgvmN7I7 MHksWfKTyePj01ssAUxRXDYpqTmZZalF+nYJXBk9/beZCvYXVnSfnM7ewLgisIuRk0NCwERi x45/jF2MXBxCAm1MEsfbp7JBOBsYJa5PvcsO4dxikmh+soIZpEVYwFuifW47UAsHh4hApMTT hdwgYSEBW4lzZ8+ygthsAqoS09e0MIHYvAJWErcmzWcHsVkEVCTm3l0NFhcViJHY238fqkZQ 4uTMJywgNqeAncTVbzPB5jALhElcX/2HdQIj3ywkZbOQpCBsW4k7c3czQ9jyEs1bZ0PZuhKL tq1gRxZfwMi2ilE2JbdKNzcxM6c4NVm3ODkxLy+1SNdILzezRC81pXQTIziAJXl3MP6763WI UYCDUYmHl4Frd4QQa2JZcWXuIUZJDiYlUV4ufqAQX1J+SmVGYnFGfFFpTmrxIUYJDmYlEd5J FkA53pTEyqrUonyYlDQHi5I4r7hGY4SQQHpiSWp2ampBahFMVoaDQ0mCd6ILUKNgUWp6akVa Zk4JQpqJgxNkOA/QcFGQGt7igsTc4sx0iPwpRkUpcV5DkIQASCKjNA+uF5RgEt4eNn3FKA70 ijDvdpAqHmBygut+BTSYCWiwn8xOkMEliQgpqQZGDSX+WW6bCxpc64UilZPmLdz/TMmRe8XS c1Z//RKq113epcmuulvOrDCj+c3PmexMj0UMK84KXJBMZPn+qm6/41Gmy1YmIYfmHFl0N0/o 9cfZxXOStXvmLpb2Xflk13GrtRoO3e815+/c89Mj/hrnhiu+KtyrDZfVmOw0L2J4Pt9tXazf oUQPJZbijERDLeai4kQAvblLvAsDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/WIDg0ihP2RHHfAzoWrrufX4eSqI>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Mar 2017 22:56:19 -0000

3:

Put "iss" and "sub" inside the event when they apply to the event, even 
if they're the same as the "iss" and "sub" of the event token itself.

  -- Justin

On 3/1/2017 1:27 PM, Phil Hunt wrote:
> In the comments on idtoken-07, Yaron raised concerns around the 
> confusion of “iss” of the subject of the event vs. issuer of the 
> event.  The current text says that if there is a need to distinguish 
> between “iss” of the “sub” vs. “iss” of the event, then the event 
> should place the “iss” of the subject in the event payload area.
>
> I agree this does seem awkward.
>
> I have been thinking a related concern, that a SET could be confused 
> as an access token if it has a “sub” value.  If we stop using “sub” 
> then we’re potentially causing web access management systems to reject 
> SETs as invalid access tokens — this is theoretically a GOOD THING.
>
> PLEASE INDICATE 1 or 2, or provide additional discussion.
>
> Two options:
>
> 1. Leave as is.
>
> 2.  Create a new attribute object, “esub” (event subject) which is a 
> JSON object that contains the attributes needed to identify the 
> subject.  For example:
>
> We currently have:
>>     {
>>       "jti": "fb4e75b5411e4e19b6c0fe87950f7749",
>>
>>       "sub": "248289761001",
>>       "iat": 1458496025,
>>       "iss": "https://my.examplemed.com <https://my.examplemed.com/>",
>>       "aud": [
>>         "https://rp.example.com"
>>       ],
>>       "events": {
>>         "https://openid.net/heart/specs/consent.html":{
>>           "iss":"https://connect.example.com",
>>           "consentUri":[
>>             "https://terms.examplemed.com/labdisclosure.html#Agree"
>>           ]
>>         }
>>       }
>>     }
>
> Could be represented as:
>     {
>       "jti": "fb4e75b5411e4e19b6c0fe87950f7749",
>
>       “esub": {
>         “sub”:"248289761001”,
>         "iss":"https://connect.example.com”
>       }
>       "iat": 1458496025,
>       "iss": "https://my.examplemed.com <https://my.examplemed.com/>",
>       "aud": [
>         "https://rp.example.com"
>       ],
>       "events": {
>         "https://openid.net/heart/specs/consent.html":{
>           "consentUri":[
>             "https://terms.examplemed.com/labdisclosure.html#Agree"
>           ]
>         }
>       }
>     }
>
> Comments:
> * “sub” remains untouched in the sense that it retains the meaning 
> used in traditional access tokens.
> * “esub” contains the full information to address the subject.  No 
> need to look around for a second “iss” (which may or may not be there)
>
> To do this would require defining “esub” and sub-attributes like, 
> “iss”, “sub” (which follow current defs), and probably “uri” for those 
> entities that are referenceable as a URI.  Examples of URI subjects:
> *  in implicit federation (from RISC):   
> “uri”:”mailto:phil.hunt@yahoo.com”
> *  in SCIM where resources have URIs: 
>  “uri”:”https://scim.example.com/Users/44f6142df96bd6ab61e7521d9"
>
> One catch. Profiling specs would not be able to define new ways of 
> addressing subjects with esub.
>
> Phil
>
> Oracle Corporation, Identity Cloud Services & Identity Standards
> @independentid
> www.independentid.com <http://www.independentid.com>
> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Id-event mailing list
> Id-event@ietf.org
> https://www.ietf.org/mailman/listinfo/id-event

v2.23.0 | Report a Bug | By Email