Re: [Id-event] I-D Action: draft-ietf-secevent-subject-identifiers-11.txt
Prachi Jain <prachi.jain1288@gmail.com> Wed, 13 July 2022 03:42 UTC
Return-Path: <prachi.jain1288@gmail.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADFCEC157B51 for <id-event@ietfa.amsl.com>; Tue, 12 Jul 2022 20:42:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.854
X-Spam-Level:
X-Spam-Status: No, score=-1.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uvUORH7efsZb for <id-event@ietfa.amsl.com>; Tue, 12 Jul 2022 20:42:36 -0700 (PDT)
Received: from mail-yw1-x1136.google.com (mail-yw1-x1136.google.com [IPv6:2607:f8b0:4864:20::1136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5223C157B57 for <id-event@ietf.org>; Tue, 12 Jul 2022 20:42:36 -0700 (PDT)
Received: by mail-yw1-x1136.google.com with SMTP id 00721157ae682-31bf3656517so100200217b3.12 for <id-event@ietf.org>; Tue, 12 Jul 2022 20:42:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/BekGU4+uulmx+vof/sUdkvLOn7mo6b1qDtSTAzE8rY=; b=BS90bMeYxiw21/Uq0UybfGB0GyN0YaYqrsf1EXmP4zklDaMVsjWuFzw1gvoR36IS6O At9TIqD6D0hePVPYOMk6fifHJ6j7UQcplM4eV4FZcUP9WnT0PAl4EWYiUeVWwZFlTBmp N5tKwPeQDk8N42beWyceFM1u2v4rJc9uzyUD/zK9NZ1OFJaNflVwzeNQF6H89PwTbYD4 A1PDbQc8qSd4KAfEFSy65PRtYzgK8mLJ6Ooq7A2a1DA1JpJlRxhwiyC7QtJhAA4kEnq7 wZEjoJwtmxhAfo/wRRaXHvZutWZpTfsk588kq+k/cq2e41fj6QFRypthCDJ0O77lExbm q/ZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/BekGU4+uulmx+vof/sUdkvLOn7mo6b1qDtSTAzE8rY=; b=4SHYqrH3qfD31HnTzSTDLECK/yfI/wcLGiyYFi7+YnfnxyiXZuKmFVBGAjj9gfwyri 1x8v15XXFv84LFilv4w8pW3THhJeKufRt01cAvjCpNSMh+O/X7kUP0UJUQScy2+naKQh 0wBW4afwvU4OYBeilcLdevkKxt0IT9Iz9YGqKxH2EKpLJ7y41PtzLkksBhdBAtJQOihS kkOEybRNl3T1gpK/LTviwzXdq0wOPiwx4E6AkfZldfqiQSJQrLH69fwlReNsDv5R0OSX wskrtH1poNE+oNOKXOkQI7gbjNyCdAmItyXDM6c7eRI7kRbaE/J9StxVFDlDUmEZholT AwtA==
X-Gm-Message-State: AJIora+Hc0R9+pJCg3BOuXVRIysYZAqs07j7vPAyN4KHbqL8j/l7+bYe wuBIetnjy+wn2115ncI2GTnfrjX/VjyyJm8TmH4=
X-Google-Smtp-Source: AGRyM1sjJ87sVu5iV8Ta8yPGKzWaHELPNN3WjBcG5Nzfsi4pW4VPLk1j1ZsVLKyomgofuwN3V1QGB68e4x7dcULARj0=
X-Received: by 2002:a81:4507:0:b0:31c:9907:601b with SMTP id s7-20020a814507000000b0031c9907601bmr1838167ywa.5.1657683755893; Tue, 12 Jul 2022 20:42:35 -0700 (PDT)
MIME-Version: 1.0
References: <165057098708.9791.15663968524996247808@ietfa.amsl.com> <0c05d86964e544818799c817287ebe2e@oc11expo18.exchange.mit.edu> <D881C6F7-5A08-4692-AEF5-54E6B6EC7793@amazon.com> <6056BB4E-5094-4AF5-B2E9-435C4E7C7B3A@mit.edu> <AB291F3C-D908-43D1-99F2-C4E121A5DFA1@mit.edu> <CAA1-vB03xh=CsjbFxWed+zYJ-j9YM9reXwY3HmrB=8BHz_ndEQ@mail.gmail.com>
In-Reply-To: <CAA1-vB03xh=CsjbFxWed+zYJ-j9YM9reXwY3HmrB=8BHz_ndEQ@mail.gmail.com>
From: Prachi Jain <prachi.jain1288@gmail.com>
Date: Tue, 12 Jul 2022 22:42:24 -0500
Message-ID: <CAA1-vB3hip0hyegWL7Rm7xNMeAcYJWBtPFFUA3uRT9BcppC+Ag@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: "Backman, Annabelle" <richanna@amazon.com>, "id-event@ietf.org" <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006b863d05e3a79343"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/ak-_K9a4nP9jae4NnIPrAzTZc2g>
Subject: Re: [Id-event] I-D Action: draft-ietf-secevent-subject-identifiers-11.txt
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2022 03:42:40 -0000
Hi Justin, Your changes look good to me and I created another PR <https://github.com/richanna/secevent/pull/9> incorporating your updates and some. Again thank you for creating the PR. I cannot merge since I don't have write access to the repo. @Backman, Annabelle <richanna@amazon.com> Can you please review and merge the changes? I will publish draft-12 as soon as datatracker opens. -Prachi On Tue, Jul 12, 2022 at 10:36 AM Prachi Jain <prachi.jain1288@gmail.com> wrote: > Thanks for submitting the PR, Justin. Appreciate it !! > I will take a look later today and publish if no changes need to be made. > > -Prachi > > On Tue, Jul 12, 2022 at 10:30 AM Justin Richer <jricher@mit.edu> wrote: > >> I haven’t heard anything from the editors on this, so I went ahead and >> created a PR to restore the DID language that was accepted during WGLC, as >> well as add a generic URI format, as discussed in the email thread below. >> >> https://github.com/richanna/secevent/pull/8 >> >> I would encourage the editors to accept this change and publish a new >> version once the datatracker opens again, and hopefully we can move this >> document forward to its next review stages. >> >> — Justin >> >> On May 31, 2022, at 4:25 PM, Justin Richer <jricher@mit.edu> wrote: >> >> Annabelle and I have had a chance to discuss this directly, but I wanted >> to take a moment to record my response here for the group as well. I >> believe we now understand each other that the `did` format should be >> restored, alongside a generic `uri` format, with overall guidance on where >> and how to use each. Namely, use the most specific semantically appropriate >> format that you can. The reasons for my stance, and what I believe are the >> conclusions we agreed to, are discussed inline below: >> >> On May 18, 2022, at 6:29 PM, Backman, Annabelle <richanna@amazon.com> >> wrote: >> >> There appear to be some issues with -11: >> >> 1. The definition for `did` was removed, but not the `did` entry in >> the format registry >> 2. No replacement `url` format was added. >> >> >> Justin, my understanding is that your concerns are directed at the >> proposal to *replace* `did` with `url`, and thus would not be addressed >> by adding the missing `url` format. Is that correct? Assuming that is the >> case... >> >> >> My concerns with the removal of `did` would NOT be addressed by the >> addition of a generic `url` or `uri` format. The primary reason for this, >> and to me a primary driver for the subject identifiers work, is that the >> subject identifier format defines not only the syntax of the identifier but >> also its semantic content. I do not believe that it is appropriate to >> remove the semantic information from the format and push it all down into >> the lower layer. >> >> >> Replacing `did` with `url` doesn't push the semantic information >> anywhere; the semantic information is there in the lower layer already. >> Having a separate `did` format pulls that information up into the subject >> identifier format layer, encoding the same information twice. That >> significantly complicates processing and could hurt interoperability. >> >> >> In fact, it does the opposite. One could make the argument that because >> we have “mailto:” URLs (rfc2368) and “tel:” URLs (rfc3966) then we don’t >> actually need the `email_address` or `phone_number` formats either, since >> we could just encode all that in the URL itself. And then there’s no need >> for an `opaque` because you could easily use a `urn` to solve that problem. >> Even the issuer/subject pair COULD be formatted as a single URL, if someone >> just sat down and made a syntax for it (and people argued for exactly that >> in OIDC, but it didn’t get anywhere). >> >> So, in that world, why even bother with the subject identifiers? Let me >> tell you why: >> >> When I’m creating a subject identifier block in my application, I know >> what kind of identifier it is. I want to tell the receiver that I >> specifically know what kind of identifier it is. The syntax for formatting >> the identifier itself is incidental to this — particularly if that syntax >> is itself a URL. >> >> >> Consider the scenario where we have both `url` and `did` format types. An >> issuer might encode a DID using either format type; do processors that >> expect DIDs need to support both? If so then we've just made their lives >> harder. More likely, some would support both and some wouldn't, leading to >> unnecessary pain for parties that have to interoperate across processors >> and/or issuers. >> >> >> We’d expect to use `did` here. I would not expect a processor to support >> both formats if they’re specifically looking for DIDs. >> >> >> Now consider the scenario where we just have `url`. A processor that >> accepts DID URLs (possibly alongside other non-URL identifier formats) and >> no other URL types will see the `url` format, assume the value is a DID, >> and attempt to validate it or otherwise process it as a DID. Note that this >> step is necessary even if we have a `did` format, as it's always possible >> that the issuer provided a malformed subject identifier. Likewise, a >> processor that expects some other type of URL (e.g., an https URL) will >> have to parse the URL and confirm it has the expected scheme, and depending >> on the use case may also need to apply other security checks (e.g., >> matching against allowed origins, ensuring that the URL doesn't contain a >> username or password, etc.). >> >> >> This is exactly why we shouldn’t have just `url` without other layers. If >> I’m processing a URL as an identifier, I may or may not want to do specific >> things with that URL. Or it might simply just be an identifier string, like >> someone’s homepage. I would be much more comfortable if the `url` format >> did not have any additional processing implied, but that more specific >> formats could require such processing, as you’d expect a DID to do in most >> cases. >> >> I think the malformed subject identifier example is a strawman - any >> identifier could be “malformed”. But instead of allowing the processor to >> have a much more limited check of “is this a DID?”, we now have to have a >> wider check of “is this a URL, is it a kind I know how to process, and is >> there more processing that I need to do with it?”, and that’s where all of >> the problems in the above example come in to play. >> >> >> In the case where a processor accepts both DIDs and some other type of >> URL, they have to parse and validate the URL and then branch based on the >> scheme, instead of just branching based on the identifier format. >> >> >> Could a processor figure out that there was a DID url inside of a `url` >> block? Sure — but those are semantically different identifiers, just like >> if I had put a `mailto:` URL inside of a `url` block, I would not expect >> that to be treated with any particular equivalence to the same email >> address in an `email_address` block. And I think the draft can actually be >> explicit about that distinction: >> >> - there’s no guarantee of equivalence between the information in >> different formats >> - you should use the most specific format for the information you’re >> trying to convey >> >> >> Are there other scenarios where the issuer or processor encounters more >> significant pain if we just have `url` versus if we have `url` and `did`? >> >> >> Yes, I think the entire act of punting everything to the lower layer >> causes nothing BUT pain. This confusion stems from the fact that both URIs >> and the subject identifier formats both specify some level of semantic and >> syntactic constraint. However, mixing them in the way proposed is deeply >> problematic and would be disastrous in practice. >> >> As such, the subject identifiers format should continue to provide >> semantic information about its contents, just like it has in the past >> before draft -10, and not simply turn into a meaningless way to put URLs >> into a JSON object. >> >> — Justin >> >> >> — >> Annabelle Backman (she/her) >> richanna@amazon.com >> >> >> >> >> On Apr 26, 2022, at 5:36 PM, Justin Richer <jricher@mit.edu> wrote: >> >> CAUTION: This email originated from outside of the organization. Do not >> click links or open attachments unless you can confirm the sender and know >> the content is safe. >> >> >> >> I strongly disagree with the editor's removal of "did" from the spec and >> the reasons for doing so.pushing the semantic information off into a lower >> layer is not helpful in terms of complexity nor application. Now an >> application will need to parse the various url's to know what they are >> instead of being told in the data structure what's in there. >> >> -Justin >> ________________________________________ >> From: Id-event [id-event-bounces@ietf.org] on behalf of >> internet-drafts@ietf.org [internet-drafts@ietf.org] >> Sent: Thursday, April 21, 2022 3:56 PM >> To: i-d-announce@ietf.org >> Cc: id-event@ietf.org >> Subject: [Id-event] I-D Action: >> draft-ietf-secevent-subject-identifiers-11.txt >> >> A New Internet-Draft is available from the on-line Internet-Drafts >> directories. >> This draft is a work item of the Security Events WG of the IETF. >> >> Title : Subject Identifiers for Security Event Tokens >> Authors : Annabelle Backman >> Marius Scurtescu >> Prachi Jain >> Filename : draft-ietf-secevent-subject-identifiers-11.txt >> Pages : 22 >> Date : 2022-04-21 >> >> Abstract: >> Security events communicated within Security Event Tokens may support >> a variety of identifiers to identify subjects related to the event. >> This specification formalizes the notion of subject identifiers as >> structured information that describe a subject, and named formats >> that define the syntax and semantics for encoding subject identifiers >> as JSON objects. It also defines a registry for defining and >> allocating names for such formats, as well as the sub_id JSON Web >> Token (JWT) claim. >> >> >> The IETF datatracker status page for this draft is: >> https://datatracker.ietf.org/doc/draft-ietf-secevent-subject-identifiers/ >> >> There is also an htmlized version available at: >> >> https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers-11 >> >> A diff from the previous version is available at: >> >> https://www.ietf.org/rfcdiff?url2=draft-ietf-secevent-subject-identifiers-11 >> >> >> Internet-Drafts are also available by rsync at rsync.ietf.org >> ::internet-drafts >> >> >> _______________________________________________ >> Id-event mailing list >> Id-event@ietf.org >> https://www.ietf.org/mailman/listinfo/id-event >> >> _______________________________________________ >> Id-event mailing list >> Id-event@ietf.org >> https://www.ietf.org/mailman/listinfo/id-event >> >> >> >> _______________________________________________ >> Id-event mailing list >> Id-event@ietf.org >> https://www.ietf.org/mailman/listinfo/id-event >> >> >> _______________________________________________ >> Id-event mailing list >> Id-event@ietf.org >> https://www.ietf.org/mailman/listinfo/id-event >> >
- [Id-event] I-D Action: draft-ietf-secevent-subjec… internet-drafts
- Re: [Id-event] I-D Action: draft-ietf-secevent-su… Justin Richer
- Re: [Id-event] I-D Action: draft-ietf-secevent-su… Backman, Annabelle
- Re: [Id-event] I-D Action: draft-ietf-secevent-su… Justin Richer
- Re: [Id-event] I-D Action: draft-ietf-secevent-su… Justin Richer
- Re: [Id-event] I-D Action: draft-ietf-secevent-su… Prachi Jain
- Re: [Id-event] I-D Action: draft-ietf-secevent-su… Prachi Jain
- Re: [Id-event] I-D Action: draft-ietf-secevent-su… Justin Richer
- Re: [Id-event] I-D Action: draft-ietf-secevent-su… Prachi Jain
- Re: [Id-event] I-D Action: draft-ietf-secevent-su… Prachi Jain