IETF Logo Mail Archive

Re: [Id-event] I-D Action: draft-ietf-secevent-subject-identifiers-11.txt

Prachi Jain <prachi.jain1288@gmail.com> Wed, 13 July 2022 03:42 UTC

Return-Path: <prachi.jain1288@gmail.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADFCEC157B51 for <id-event@ietfa.amsl.com>; Tue, 12 Jul 2022 20:42:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.854
X-Spam-Level:
X-Spam-Status: No, score=-1.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uvUORH7efsZb for <id-event@ietfa.amsl.com>; Tue, 12 Jul 2022 20:42:36 -0700 (PDT)
Received: from mail-yw1-x1136.google.com (mail-yw1-x1136.google.com [IPv6:2607:f8b0:4864:20::1136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5223C157B57 for <id-event@ietf.org>; Tue, 12 Jul 2022 20:42:36 -0700 (PDT)
Received: by mail-yw1-x1136.google.com with SMTP id 00721157ae682-31bf3656517so100200217b3.12 for <id-event@ietf.org>; Tue, 12 Jul 2022 20:42:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/BekGU4+uulmx+vof/sUdkvLOn7mo6b1qDtSTAzE8rY=; b=BS90bMeYxiw21/Uq0UybfGB0GyN0YaYqrsf1EXmP4zklDaMVsjWuFzw1gvoR36IS6O At9TIqD6D0hePVPYOMk6fifHJ6j7UQcplM4eV4FZcUP9WnT0PAl4EWYiUeVWwZFlTBmp N5tKwPeQDk8N42beWyceFM1u2v4rJc9uzyUD/zK9NZ1OFJaNflVwzeNQF6H89PwTbYD4 A1PDbQc8qSd4KAfEFSy65PRtYzgK8mLJ6Ooq7A2a1DA1JpJlRxhwiyC7QtJhAA4kEnq7 wZEjoJwtmxhAfo/wRRaXHvZutWZpTfsk588kq+k/cq2e41fj6QFRypthCDJ0O77lExbm q/ZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/BekGU4+uulmx+vof/sUdkvLOn7mo6b1qDtSTAzE8rY=; b=4SHYqrH3qfD31HnTzSTDLECK/yfI/wcLGiyYFi7+YnfnxyiXZuKmFVBGAjj9gfwyri 1x8v15XXFv84LFilv4w8pW3THhJeKufRt01cAvjCpNSMh+O/X7kUP0UJUQScy2+naKQh 0wBW4afwvU4OYBeilcLdevkKxt0IT9Iz9YGqKxH2EKpLJ7y41PtzLkksBhdBAtJQOihS kkOEybRNl3T1gpK/LTviwzXdq0wOPiwx4E6AkfZldfqiQSJQrLH69fwlReNsDv5R0OSX wskrtH1poNE+oNOKXOkQI7gbjNyCdAmItyXDM6c7eRI7kRbaE/J9StxVFDlDUmEZholT AwtA==
X-Gm-Message-State: AJIora+Hc0R9+pJCg3BOuXVRIysYZAqs07j7vPAyN4KHbqL8j/l7+bYe wuBIetnjy+wn2115ncI2GTnfrjX/VjyyJm8TmH4=
X-Google-Smtp-Source: AGRyM1sjJ87sVu5iV8Ta8yPGKzWaHELPNN3WjBcG5Nzfsi4pW4VPLk1j1ZsVLKyomgofuwN3V1QGB68e4x7dcULARj0=
X-Received: by 2002:a81:4507:0:b0:31c:9907:601b with SMTP id s7-20020a814507000000b0031c9907601bmr1838167ywa.5.1657683755893; Tue, 12 Jul 2022 20:42:35 -0700 (PDT)
MIME-Version: 1.0
References: <165057098708.9791.15663968524996247808@ietfa.amsl.com> <0c05d86964e544818799c817287ebe2e@oc11expo18.exchange.mit.edu> <D881C6F7-5A08-4692-AEF5-54E6B6EC7793@amazon.com> <6056BB4E-5094-4AF5-B2E9-435C4E7C7B3A@mit.edu> <AB291F3C-D908-43D1-99F2-C4E121A5DFA1@mit.edu> <CAA1-vB03xh=CsjbFxWed+zYJ-j9YM9reXwY3HmrB=8BHz_ndEQ@mail.gmail.com>
In-Reply-To: <CAA1-vB03xh=CsjbFxWed+zYJ-j9YM9reXwY3HmrB=8BHz_ndEQ@mail.gmail.com>
From: Prachi Jain <prachi.jain1288@gmail.com>
Date: Tue, 12 Jul 2022 22:42:24 -0500
Message-ID: <CAA1-vB3hip0hyegWL7Rm7xNMeAcYJWBtPFFUA3uRT9BcppC+Ag@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: "Backman, Annabelle" <richanna@amazon.com>, "id-event@ietf.org" <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006b863d05e3a79343"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/ak-_K9a4nP9jae4NnIPrAzTZc2g>
Subject: Re: [Id-event] I-D Action: draft-ietf-secevent-subject-identifiers-11.txt
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2022 03:42:40 -0000

Hi Justin,

Your changes look good to me and I created another PR
<https://github.com/richanna/secevent/pull/9> incorporating your updates
and some. Again thank you for creating the PR. I cannot merge since I don't
have write access to the repo.
@Backman, Annabelle <richanna@amazon.com>  Can you please review and merge
the changes? I will publish draft-12 as soon as datatracker opens.


-Prachi



On Tue, Jul 12, 2022 at 10:36 AM Prachi Jain <prachi.jain1288@gmail.com>
wrote:

> Thanks for submitting the PR, Justin. Appreciate it !!
> I will take a look later today and publish if no changes need to be made.
>
> -Prachi
>
> On Tue, Jul 12, 2022 at 10:30 AM Justin Richer <jricher@mit.edu> wrote:
>
>> I haven’t heard anything from the editors on this, so I went ahead and
>> created a PR to restore the DID language that was accepted during WGLC, as
>> well as add a generic URI format, as discussed in the email thread below.
>>
>> https://github.com/richanna/secevent/pull/8
>>
>> I would encourage the editors to accept this change and publish a new
>> version once the datatracker opens again, and hopefully we can move this
>> document forward to its next review stages.
>>
>>  — Justin
>>
>> On May 31, 2022, at 4:25 PM, Justin Richer <jricher@mit.edu> wrote:
>>
>> Annabelle and I have had a chance to discuss this directly, but I wanted
>> to take a moment to record my response here for the group as well. I
>> believe we now understand each other that the `did` format should be
>> restored, alongside a generic `uri` format, with overall guidance on where
>> and how to use each. Namely, use the most specific semantically appropriate
>> format that you can. The reasons for my stance, and what I believe are the
>> conclusions we agreed to, are discussed inline below:
>>
>> On May 18, 2022, at 6:29 PM, Backman, Annabelle <richanna@amazon.com>
>> wrote:
>>
>> There appear to be some issues with -11:
>>
>>    1. The definition for `did` was removed, but not the `did` entry in
>>    the format registry
>>    2. No replacement `url` format was added.
>>
>>
>> Justin, my understanding is that your concerns are directed at the
>> proposal to *replace* `did` with `url`, and thus would not be addressed
>> by adding the missing `url` format. Is that correct? Assuming that is the
>> case...
>>
>>
>> My concerns with the removal of `did` would NOT be addressed by the
>> addition of a generic `url` or `uri` format. The primary reason for this,
>> and to me a primary driver for the subject identifiers work, is that the
>> subject identifier format defines not only the syntax of the identifier but
>> also its semantic content. I do not believe that it is appropriate to
>> remove the semantic information from the format and push it all down into
>> the lower layer.
>>
>>
>> Replacing `did` with `url` doesn't push the semantic information
>> anywhere; the semantic information is there in the lower layer already.
>> Having a separate `did` format pulls that information up into the subject
>> identifier format layer, encoding the same information twice. That
>> significantly complicates processing and could hurt interoperability.
>>
>>
>> In fact, it does the opposite. One could make the argument that because
>> we have “mailto:” URLs (rfc2368) and “tel:” URLs (rfc3966) then we don’t
>> actually need the `email_address` or `phone_number` formats either, since
>> we could just encode all that in the URL itself. And then there’s no need
>> for an `opaque` because you could easily use a `urn` to solve that problem.
>> Even the issuer/subject pair COULD be formatted as a single URL, if someone
>> just sat down and made a syntax for it (and people argued for exactly that
>> in OIDC, but it didn’t get anywhere).
>>
>> So, in that world, why even bother with the subject identifiers? Let me
>> tell you why:
>>
>> When I’m creating a subject identifier block in my application, I know
>> what kind of identifier it is. I want to tell the receiver that I
>> specifically know what kind of identifier it is. The syntax for formatting
>> the identifier itself is incidental to this — particularly if that syntax
>> is itself a URL.
>>
>>
>> Consider the scenario where we have both `url` and `did` format types. An
>> issuer might encode a DID using either format type; do processors that
>> expect DIDs need to support both? If so then we've just made their lives
>> harder. More likely, some would support both and some wouldn't, leading to
>> unnecessary pain for parties that have to interoperate across processors
>> and/or issuers.
>>
>>
>> We’d expect to use `did` here. I would not expect a processor to support
>> both formats if they’re specifically looking for DIDs.
>>
>>
>> Now consider the scenario where we just have `url`. A processor that
>> accepts DID URLs (possibly alongside other non-URL identifier formats) and
>> no other URL types will see the `url` format, assume the value is a DID,
>> and attempt to validate it or otherwise process it as a DID. Note that this
>> step is necessary even if we have a `did` format, as it's always possible
>> that the issuer provided a malformed subject identifier. Likewise, a
>> processor that expects some other type of URL (e.g., an https URL) will
>> have to parse the URL and confirm it has the expected scheme, and depending
>> on the use case may also need to apply other security checks (e.g.,
>> matching against allowed origins, ensuring that the URL doesn't contain a
>> username or password, etc.).
>>
>>
>> This is exactly why we shouldn’t have just `url` without other layers. If
>> I’m processing a URL as an identifier, I may or may not want to do specific
>> things with that URL. Or it might simply just be an identifier string, like
>> someone’s homepage. I would be much more comfortable if the `url` format
>> did not have any additional processing implied, but that more specific
>> formats could require such processing, as you’d expect a DID to do in most
>> cases.
>>
>> I think the malformed subject identifier example is a strawman - any
>> identifier could be “malformed”. But instead of allowing the processor to
>> have a much more limited check of “is this a DID?”, we now have to have a
>> wider check of “is this a URL, is it a kind I know how to process, and is
>> there more processing that I need to do with it?”, and that’s where all of
>> the problems in the above example come in to play.
>>
>>
>> In the case where a processor accepts both DIDs and some other type of
>> URL, they have to parse and validate the URL and then branch based on the
>> scheme, instead of just branching based on the identifier format.
>>
>>
>> Could a processor figure out that there was a DID url inside of a `url`
>> block? Sure — but those are semantically different identifiers, just like
>> if I had put a `mailto:` URL inside of a `url` block, I would not expect
>> that to be treated with any particular equivalence to the same email
>> address in an `email_address` block. And I think the draft can actually be
>> explicit about that distinction:
>>
>>  - there’s no guarantee of equivalence between the information in
>> different formats
>>  - you should use the most specific format for the information you’re
>> trying to convey
>>
>>
>> Are there other scenarios where the issuer or processor encounters more
>> significant pain if we just have `url` versus if we have `url` and `did`?
>>
>>
>> Yes, I think the entire act of punting everything to the lower layer
>> causes nothing BUT pain. This confusion stems from the fact that both URIs
>> and the subject identifier formats both specify some level of semantic and
>> syntactic constraint. However, mixing them in the way proposed is deeply
>> problematic and would be disastrous in practice.
>>
>> As such, the subject identifiers format should continue to provide
>> semantic information about its contents, just like it has in the past
>> before draft -10, and not simply turn into a meaningless way to put URLs
>> into a JSON object.
>>
>>  — Justin
>>
>>
>> —
>> Annabelle Backman (she/her)
>> richanna@amazon.com
>>
>>
>>
>>
>> On Apr 26, 2022, at 5:36 PM, Justin Richer <jricher@mit.edu> wrote:
>>
>> CAUTION: This email originated from outside of the organization. Do not
>> click links or open attachments unless you can confirm the sender and know
>> the content is safe.
>>
>>
>>
>> I strongly disagree with the editor's removal of "did" from the spec and
>> the reasons for doing so.pushing the semantic information off into a lower
>> layer is not helpful in terms of complexity nor application. Now an
>> application will need to parse the various url's to know what they are
>> instead of being told in the data structure what's in there.
>>
>> -Justin
>> ________________________________________
>> From: Id-event [id-event-bounces@ietf.org] on behalf of
>> internet-drafts@ietf.org [internet-drafts@ietf.org]
>> Sent: Thursday, April 21, 2022 3:56 PM
>> To: i-d-announce@ietf.org
>> Cc: id-event@ietf.org
>> Subject: [Id-event] I-D Action:
>> draft-ietf-secevent-subject-identifiers-11.txt
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>> This draft is a work item of the Security Events WG of the IETF.
>>
>>        Title           : Subject Identifiers for Security Event Tokens
>>        Authors         : Annabelle Backman
>>                          Marius Scurtescu
>>                          Prachi Jain
>>        Filename        : draft-ietf-secevent-subject-identifiers-11.txt
>>        Pages           : 22
>>        Date            : 2022-04-21
>>
>> Abstract:
>>   Security events communicated within Security Event Tokens may support
>>   a variety of identifiers to identify subjects related to the event.
>>   This specification formalizes the notion of subject identifiers as
>>   structured information that describe a subject, and named formats
>>   that define the syntax and semantics for encoding subject identifiers
>>   as JSON objects.  It also defines a registry for defining and
>>   allocating names for such formats, as well as the sub_id JSON Web
>>   Token (JWT) claim.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-secevent-subject-identifiers/
>>
>> There is also an htmlized version available at:
>>
>> https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers-11
>>
>> A diff from the previous version is available at:
>>
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-secevent-subject-identifiers-11
>>
>>
>> Internet-Drafts are also available by rsync at rsync.ietf.org
>> ::internet-drafts
>>
>>
>> _______________________________________________
>> Id-event mailing list
>> Id-event@ietf.org
>> https://www.ietf.org/mailman/listinfo/id-event
>>
>> _______________________________________________
>> Id-event mailing list
>> Id-event@ietf.org
>> https://www.ietf.org/mailman/listinfo/id-event
>>
>>
>>
>> _______________________________________________
>> Id-event mailing list
>> Id-event@ietf.org
>> https://www.ietf.org/mailman/listinfo/id-event
>>
>>
>> _______________________________________________
>> Id-event mailing list
>> Id-event@ietf.org
>> https://www.ietf.org/mailman/listinfo/id-event
>>
>

v2.23.0 | Report a Bug | By Email