IETF Logo Mail Archive

Re: [Id-event] I-D Action: draft-ietf-secevent-subject-identifiers-11.txt

Prachi Jain <prachi.jain1288@gmail.com> Mon, 25 July 2022 00:30 UTC

Return-Path: <prachi.jain1288@gmail.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C21E7C06B8EF for <id-event@ietfa.amsl.com>; Sun, 24 Jul 2022 17:30:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.855
X-Spam-Level:
X-Spam-Status: No, score=-1.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EGEpd1XdBCFR for <id-event@ietfa.amsl.com>; Sun, 24 Jul 2022 17:30:40 -0700 (PDT)
Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com [IPv6:2607:f8b0:4864:20::b33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6790AC065A9C for <id-event@ietf.org>; Sun, 24 Jul 2022 17:30:40 -0700 (PDT)
Received: by mail-yb1-xb33.google.com with SMTP id c131so17403615ybf.9 for <id-event@ietf.org>; Sun, 24 Jul 2022 17:30:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0COfg1L9fEY9Ydt8JNmX46pgzVfzrEuAZMgqQgZG9d0=; b=TGjvKvSNnYZ82s1srBa3bGxrY31JG20AGuKPr2ZrmF4yl0ZlL90pgSR6KXpKXXvTZL Vhgrgs9JSWFKwfdo8JXKKYs/Qkq8SdKXuwglDQkdMlbOuTGSun++13ygsGAzBP7dlEnZ UOGECPrHYy4o2kmYm+0wosXwNq6FudcIH7g1lecW1zk7x5dfU7dFPgDCQfhB9408dNX+ fiGnQjnAGusLTvbAssvWLf/HnojQ+wsKKKdP2JvAdrQhsQK3EFb3jJpdc9eLz7or62hY 5wVOy4qzCMEJV4zVNcXfDO/9AimRfo7dfGP5OguuoQX3xlMrOGbHLzvQGbUb1FMtBqtg RODw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0COfg1L9fEY9Ydt8JNmX46pgzVfzrEuAZMgqQgZG9d0=; b=VXcekVVJliqQKlMne5C6UgWbKou2H7qdjIrojqiOsJt7SojytjnaCiet0uEyiFTRTF ZilMDjuaYlwJFpSsvsyPvuPam+kRvPQbblbXc5jv8/5XR44y/XPUrgADxGlY5g6IJVtf BGmkAmQ/ammJfnN7mU7xtmDJ3jVQHtc+8//P/X9Fcz7jaOgccA92SwAckRXOJvwqe2uO Ie09VQAS04hpMnlTQfbETqurDzf2Sft+tdy47FkYGI0l16je0bW6BS7tRCbxMT+Tyahs rHlXuay6i0PEZnawtZ+MYGnbeHt+Hsu1r8OGX/1MUwmuuZHYo08ZdRl3KfHakehQxkjT /4PQ==
X-Gm-Message-State: AJIora+ZfeJ344trvfyuvhBnOZmyFT1PrHl8ea5L/gXO1EFd5xpvhwCQ hmqIq+cq6lW4sSjeK+7H2USthPnfiKxrZgd76hk=
X-Google-Smtp-Source: AGRyM1uThAwr4ORDtqHSSTZ8khC4xqI1WYyzyqjWMiVD0odB+2EzvKm4Ze6j6Q1Wozb7m4PJXAhPOiUvOHU4cBQSXKs=
X-Received: by 2002:a25:2595:0:b0:670:3a85:78a2 with SMTP id l143-20020a252595000000b006703a8578a2mr6921469ybl.389.1658709038075; Sun, 24 Jul 2022 17:30:38 -0700 (PDT)
MIME-Version: 1.0
References: <165057098708.9791.15663968524996247808@ietfa.amsl.com> <0c05d86964e544818799c817287ebe2e@oc11expo18.exchange.mit.edu> <D881C6F7-5A08-4692-AEF5-54E6B6EC7793@amazon.com> <6056BB4E-5094-4AF5-B2E9-435C4E7C7B3A@mit.edu> <AB291F3C-D908-43D1-99F2-C4E121A5DFA1@mit.edu> <CAA1-vB03xh=CsjbFxWed+zYJ-j9YM9reXwY3HmrB=8BHz_ndEQ@mail.gmail.com> <CAA1-vB3hip0hyegWL7Rm7xNMeAcYJWBtPFFUA3uRT9BcppC+Ag@mail.gmail.com> <7781E80F-F81A-4F61-B5A8-DFA71546680C@mit.edu> <CAA1-vB0zG4dAGHRVFqhjN+gzbb_Fh7XVYkt=WQq3VTTG0jxpgQ@mail.gmail.com>
In-Reply-To: <CAA1-vB0zG4dAGHRVFqhjN+gzbb_Fh7XVYkt=WQq3VTTG0jxpgQ@mail.gmail.com>
From: Prachi Jain <prachi.jain1288@gmail.com>
Date: Sun, 24 Jul 2022 19:30:27 -0500
Message-ID: <CAA1-vB1hu6U6A5VaL3PxoXhkEtR_0NUtpd-Gr0UF70ho+okiRg@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: "Backman, Annabelle" <richanna@amazon.com>, "id-event@ietf.org" <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000012df05e4964b69"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/ZHjlniGgTYBjE4rFLFgHrj9VSKw>
Subject: Re: [Id-event] I-D Action: draft-ietf-secevent-subject-identifiers-11.txt
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2022 00:30:41 -0000

Hi All,

Version 12 has been published :)
Thanks again for making the changes, @Justin Richer.

-Prachi

On Wed, Jul 13, 2022 at 11:18 AM Prachi Jain <prachi.jain1288@gmail.com>
wrote:

> That's the plan, Justin.
> I have the repository forked and ready. I will publish as soon as
> datatracker opens. Thank you for the advice. Appreciate it !! Sorry, I am
> still learning the ropes here 🙂
>
> -Prachi
>
> On Wed, Jul 13, 2022 at 11:14 AM Justin Richer <jricher@mit.edu> wrote:
>
>> Prachi,
>>
>> It’s unfortunate that you don’t have access to Annabelle’s GitHub
>> repository, but hopefully she can get you added. If not, you can always
>> fork the repository and keep the code there if she’s unavailable to add you
>> to the permissions list. Additionally, you can take the XML file and upload
>> it as a new version directly, without merging it in GitHub (though having a
>> record in GitHub is preferable).
>>
>>  — Justin
>>
>> On Jul 12, 2022, at 11:42 PM, Prachi Jain <prachi.jain1288@gmail.com>
>> wrote:
>>
>> Hi Justin,
>>
>> Your changes look good to me and I created another PR
>> <https://github.com/richanna/secevent/pull/9> incorporating your updates
>> and some. Again thank you for creating the PR. I cannot merge since I don't
>> have write access to the repo.
>> @Backman, Annabelle <richanna@amazon.com>  Can you please review and
>> merge the changes? I will publish draft-12 as soon as datatracker opens.
>>
>>
>> -Prachi
>>
>>
>>
>> On Tue, Jul 12, 2022 at 10:36 AM Prachi Jain <prachi.jain1288@gmail.com>
>> wrote:
>>
>>> Thanks for submitting the PR, Justin. Appreciate it !!
>>> I will take a look later today and publish if no changes need to be
>>> made.
>>>
>>> -Prachi
>>>
>>> On Tue, Jul 12, 2022 at 10:30 AM Justin Richer <jricher@mit.edu> wrote:
>>>
>>>> I haven’t heard anything from the editors on this, so I went ahead and
>>>> created a PR to restore the DID language that was accepted during WGLC, as
>>>> well as add a generic URI format, as discussed in the email thread below.
>>>>
>>>> https://github.com/richanna/secevent/pull/8
>>>>
>>>> I would encourage the editors to accept this change and publish a new
>>>> version once the datatracker opens again, and hopefully we can move this
>>>> document forward to its next review stages.
>>>>
>>>>  — Justin
>>>>
>>>> On May 31, 2022, at 4:25 PM, Justin Richer <jricher@mit.edu> wrote:
>>>>
>>>> Annabelle and I have had a chance to discuss this directly, but I
>>>> wanted to take a moment to record my response here for the group as well. I
>>>> believe we now understand each other that the `did` format should be
>>>> restored, alongside a generic `uri` format, with overall guidance on where
>>>> and how to use each. Namely, use the most specific semantically appropriate
>>>> format that you can. The reasons for my stance, and what I believe are the
>>>> conclusions we agreed to, are discussed inline below:
>>>>
>>>> On May 18, 2022, at 6:29 PM, Backman, Annabelle <richanna@amazon.com>
>>>> wrote:
>>>>
>>>> There appear to be some issues with -11:
>>>>
>>>>    1. The definition for `did` was removed, but not the `did` entry in
>>>>    the format registry
>>>>    2. No replacement `url` format was added.
>>>>
>>>>
>>>> Justin, my understanding is that your concerns are directed at the
>>>> proposal to *replace* `did` with `url`, and thus would not be
>>>> addressed by adding the missing `url` format. Is that correct? Assuming
>>>> that is the case...
>>>>
>>>>
>>>> My concerns with the removal of `did` would NOT be addressed by the
>>>> addition of a generic `url` or `uri` format. The primary reason for this,
>>>> and to me a primary driver for the subject identifiers work, is that the
>>>> subject identifier format defines not only the syntax of the identifier but
>>>> also its semantic content. I do not believe that it is appropriate to
>>>> remove the semantic information from the format and push it all down into
>>>> the lower layer.
>>>>
>>>>
>>>> Replacing `did` with `url` doesn't push the semantic information
>>>> anywhere; the semantic information is there in the lower layer already.
>>>> Having a separate `did` format pulls that information up into the subject
>>>> identifier format layer, encoding the same information twice. That
>>>> significantly complicates processing and could hurt interoperability.
>>>>
>>>>
>>>> In fact, it does the opposite. One could make the argument that because
>>>> we have “mailto:” URLs (rfc2368) and “tel:” URLs (rfc3966) then we
>>>> don’t actually need the `email_address` or `phone_number` formats either,
>>>> since we could just encode all that in the URL itself. And then there’s no
>>>> need for an `opaque` because you could easily use a `urn` to solve that
>>>> problem. Even the issuer/subject pair COULD be formatted as a single URL,
>>>> if someone just sat down and made a syntax for it (and people argued for
>>>> exactly that in OIDC, but it didn’t get anywhere).
>>>>
>>>> So, in that world, why even bother with the subject identifiers? Let me
>>>> tell you why:
>>>>
>>>> When I’m creating a subject identifier block in my application, I know
>>>> what kind of identifier it is. I want to tell the receiver that I
>>>> specifically know what kind of identifier it is. The syntax for formatting
>>>> the identifier itself is incidental to this — particularly if that syntax
>>>> is itself a URL.
>>>>
>>>>
>>>> Consider the scenario where we have both `url` and `did` format types.
>>>> An issuer might encode a DID using either format type; do processors that
>>>> expect DIDs need to support both? If so then we've just made their lives
>>>> harder. More likely, some would support both and some wouldn't, leading to
>>>> unnecessary pain for parties that have to interoperate across processors
>>>> and/or issuers.
>>>>
>>>>
>>>> We’d expect to use `did` here. I would not expect a processor to
>>>> support both formats if they’re specifically looking for DIDs.
>>>>
>>>>
>>>> Now consider the scenario where we just have `url`. A processor that
>>>> accepts DID URLs (possibly alongside other non-URL identifier formats) and
>>>> no other URL types will see the `url` format, assume the value is a DID,
>>>> and attempt to validate it or otherwise process it as a DID. Note that this
>>>> step is necessary even if we have a `did` format, as it's always possible
>>>> that the issuer provided a malformed subject identifier. Likewise, a
>>>> processor that expects some other type of URL (e.g., an https URL) will
>>>> have to parse the URL and confirm it has the expected scheme, and depending
>>>> on the use case may also need to apply other security checks (e.g.,
>>>> matching against allowed origins, ensuring that the URL doesn't contain a
>>>> username or password, etc.).
>>>>
>>>>
>>>> This is exactly why we shouldn’t have just `url` without other layers.
>>>> If I’m processing a URL as an identifier, I may or may not want to do
>>>> specific things with that URL. Or it might simply just be an identifier
>>>> string, like someone’s homepage. I would be much more comfortable if the
>>>> `url` format did not have any additional processing implied, but that more
>>>> specific formats could require such processing, as you’d expect a DID to do
>>>> in most cases.
>>>>
>>>> I think the malformed subject identifier example is a strawman - any
>>>> identifier could be “malformed”. But instead of allowing the processor to
>>>> have a much more limited check of “is this a DID?”, we now have to have a
>>>> wider check of “is this a URL, is it a kind I know how to process, and is
>>>> there more processing that I need to do with it?”, and that’s where all of
>>>> the problems in the above example come in to play.
>>>>
>>>>
>>>> In the case where a processor accepts both DIDs and some other type of
>>>> URL, they have to parse and validate the URL and then branch based on the
>>>> scheme, instead of just branching based on the identifier format.
>>>>
>>>>
>>>> Could a processor figure out that there was a DID url inside of a `url`
>>>> block? Sure — but those are semantically different identifiers, just like
>>>> if I had put a `mailto:` URL inside of a `url` block, I would not
>>>> expect that to be treated with any particular equivalence to the same email
>>>> address in an `email_address` block. And I think the draft can actually be
>>>> explicit about that distinction:
>>>>
>>>>  - there’s no guarantee of equivalence between the information in
>>>> different formats
>>>>  - you should use the most specific format for the information you’re
>>>> trying to convey
>>>>
>>>>
>>>> Are there other scenarios where the issuer or processor encounters more
>>>> significant pain if we just have `url` versus if we have `url` and `did`?
>>>>
>>>>
>>>> Yes, I think the entire act of punting everything to the lower layer
>>>> causes nothing BUT pain. This confusion stems from the fact that both URIs
>>>> and the subject identifier formats both specify some level of semantic and
>>>> syntactic constraint. However, mixing them in the way proposed is deeply
>>>> problematic and would be disastrous in practice.
>>>>
>>>> As such, the subject identifiers format should continue to provide
>>>> semantic information about its contents, just like it has in the past
>>>> before draft -10, and not simply turn into a meaningless way to put URLs
>>>> into a JSON object.
>>>>
>>>>  — Justin
>>>>
>>>>
>>>> —
>>>> Annabelle Backman (she/her)
>>>> richanna@amazon.com
>>>>
>>>>
>>>>
>>>>
>>>> On Apr 26, 2022, at 5:36 PM, Justin Richer <jricher@mit.edu> wrote:
>>>>
>>>> CAUTION: This email originated from outside of the organization. Do not
>>>> click links or open attachments unless you can confirm the sender and know
>>>> the content is safe.
>>>>
>>>>
>>>>
>>>> I strongly disagree with the editor's removal of "did" from the spec
>>>> and the reasons for doing so.pushing the semantic information off into a
>>>> lower layer is not helpful in terms of complexity nor application. Now an
>>>> application will need to parse the various url's to know what they are
>>>> instead of being told in the data structure what's in there.
>>>>
>>>> -Justin
>>>> ________________________________________
>>>> From: Id-event [id-event-bounces@ietf.org] on behalf of
>>>> internet-drafts@ietf.org [internet-drafts@ietf.org]
>>>> Sent: Thursday, April 21, 2022 3:56 PM
>>>> To: i-d-announce@ietf.org
>>>> Cc: id-event@ietf.org
>>>> Subject: [Id-event] I-D Action:
>>>> draft-ietf-secevent-subject-identifiers-11.txt
>>>>
>>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>>> directories.
>>>> This draft is a work item of the Security Events WG of the IETF.
>>>>
>>>>        Title           : Subject Identifiers for Security Event Tokens
>>>>        Authors         : Annabelle Backman
>>>>                          Marius Scurtescu
>>>>                          Prachi Jain
>>>>        Filename        : draft-ietf-secevent-subject-identifiers-11.txt
>>>>        Pages           : 22
>>>>        Date            : 2022-04-21
>>>>
>>>> Abstract:
>>>>   Security events communicated within Security Event Tokens may support
>>>>   a variety of identifiers to identify subjects related to the event.
>>>>   This specification formalizes the notion of subject identifiers as
>>>>   structured information that describe a subject, and named formats
>>>>   that define the syntax and semantics for encoding subject identifiers
>>>>   as JSON objects.  It also defines a registry for defining and
>>>>   allocating names for such formats, as well as the sub_id JSON Web
>>>>   Token (JWT) claim.
>>>>
>>>>
>>>> The IETF datatracker status page for this draft is:
>>>>
>>>> https://datatracker.ietf.org/doc/draft-ietf-secevent-subject-identifiers/
>>>>
>>>> There is also an htmlized version available at:
>>>>
>>>> https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers-11
>>>>
>>>> A diff from the previous version is available at:
>>>>
>>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-secevent-subject-identifiers-11
>>>>
>>>>
>>>> Internet-Drafts are also available by rsync at rsync.ietf.org
>>>> ::internet-drafts
>>>>
>>>>
>>>> _______________________________________________
>>>> Id-event mailing list
>>>> Id-event@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/id-event
>>>>
>>>> _______________________________________________
>>>> Id-event mailing list
>>>> Id-event@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/id-event
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Id-event mailing list
>>>> Id-event@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/id-event
>>>>
>>>>
>>>> _______________________________________________
>>>> Id-event mailing list
>>>> Id-event@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/id-event
>>>>
>>>
>>

v2.23.0 | Report a Bug | By Email