IETF Logo Mail Archive

Re: [Id-event] Subject Identifiers - Working Group Last Call

Denis <denis.ietf@free.fr> Thu, 27 May 2021 17:43 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B25D23A0DB3 for <id-event@ietfa.amsl.com>; Thu, 27 May 2021 10:43:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.72
X-Spam-Level:
X-Spam-Status: No, score=-0.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.398, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rL6pyq9cmZCc for <id-event@ietfa.amsl.com>; Thu, 27 May 2021 10:43:00 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp03.smtpout.orange.fr [80.12.242.125]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 458173A0DA5 for <id-event@ietf.org>; Thu, 27 May 2021 10:42:59 -0700 (PDT)
Received: from [192.168.1.11] ([90.26.94.159]) by mwinf5d57 with ME id 9tir2500M3SJSnu03tisJX; Thu, 27 May 2021 19:42:56 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Thu, 27 May 2021 19:42:56 +0200
X-ME-IP: 90.26.94.159
To: Yaron Sheffer <yaronf.ietf@gmail.com>, Dick Hardt <dick.hardt@gmail.com>, SecEvent <id-event@ietf.org>
Cc: Roman Danyliw <rdd@cert.org>, Marius Scurtescu <marius.scurtescu@coinbase.com>, "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
References: <CAD9ie-uSbNHq=Mt3ohA=URf5rv2hz7YUdUMhOf80C_f=XBrGLA@mail.gmail.com> <36D66A89-D178-6047-B270-73AD540E7FAD@hxcore.ol>
From: Denis <denis.ietf@free.fr>
Message-ID: <81b58b05-97b6-d910-6b58-4b565ae6ea57@free.fr>
Date: Thu, 27 May 2021 19:42:59 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0
MIME-Version: 1.0
In-Reply-To: <36D66A89-D178-6047-B270-73AD540E7FAD@hxcore.ol>
Content-Type: multipart/alternative; boundary="------------4DED7502B7A07390516416D1"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/b9yEjnK-QvkbHhL2BVtFX-kdQrk>
Subject: Re: [Id-event] Subject Identifiers - Working Group Last Call
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 May 2021 17:43:05 -0000

I believe that this document should be enhanced on three aspects that 
are currently not addressed.

Section 3.1 (Identifier Formats versus Principal Types) states:

    Identifier Formats define how to encode identifying information for
    a subject.They do not define the type or nature of the subject itself. 

  While this statement is correct, it should be remembered that the 
title of this document is:

" Subject Identifiers for Security Event Tokens"

and is not:

" Subject Identifiers *Formats* for Security Event Tokens".

Therefore it would be possible to add /*optional 
*/attributes/characteristics to Subject Identifiers which relate to two 
different topics:

-the granularity of the identification and
-the correlation operations that may be either performed or prevented 
using some values contained in a specific format.
*
*
*1. Granularity of the identification*

A subject identifier may be able to identify an entity either 
individually or as a member of a group.

In order to be able to make the difference, an */optional /class* 
attribute should be defined which may take one out of two values:

  * "*ind*" to indicate an individual identifier or
  * "*grp" *to indicate a group identifier.

Examples:

  "format": "email",
"class": "ind"
"email": "tom.jones@example.com"

"format": "email",
"class": "grp"
"email": "marketing@example.com"
*
*
*2. Correlation operations that may be either performed or prevented*

Currently, the Privacy Considerations section only addresses one 
correlation case where a JWT would have both "sub" and "sub_id" JWT claims.
While it is appropriate to mention such a case, other correlation cases 
exist.

These cases become visible if the "sub_id" contains an */optional/* 
subject identifier *type*attribute.

A subject identifier *type*attribute would be able to support four 
values: *guid*, *shared*, *unique* and *tmp*.

-a *guid* type indicates a globally unique identifier. Such subject 
identifier type allows service providers or other servers to link their 
accounts
         as soon as they use the same guid.

-an issuer and subject pair (i.e. a subject identifier with the 
*iss_sub* format) where the subject identifier format would include :

        -a shared identifier type (*shared*) to indicate a subject
        identifier shared by several service providers
                 (such subject identifier type allows service providers
        to link their accounts), or

        -a unique identifier type (*unique)*to indicate a subject
        identifier specific to a single service provider
                 (such subject identifier type does not allow service
        providers or servers to link their accounts), or

-a temporary identifier type (*tmp*) to indicate a subject identifier 
issued only once by the issuer(sometimes called session identifier).
         (such subject identifier type does not allow any service 
provider to perform any linkage between accounts, even on a single 
service provider). .

_Examples_:

"format": "opaque",
"type": "guid"
"id": "11112222333344445555"

"format": "iss_sub",
"type": "shared"
"iss": "http://issuer.example.com/",
"sub": "145234573"

"format": "iss_sub",
"type": "unique"
"iss": "http://issuer.example.com/",
"sub": "145234573"

"format": "opaque",
"type": "tmp"
"id": "11112222333344445555"

*3. Hierarchical group memberships, functional group memberships and 
roles.*

Examples of group identifiers are : hierarchical group memberships, 
functional group memberships and roles.
It would be useful to define one format for these common groups: one or 
more character strings separated by the character slash.
for both hierarchical (*hgrp*) and functional group memberships (*fgrp*) 
and roles (*role*):
_
_
_Examples_:

"format": "hgrp",
"hgrp": "marketing/customer relationships"

"format": "fgrp",
"fgrp": " university/science/teacher"

"format": "role",
"role": "auditor"


*4. Two nits:*

    (...) ways. (e.g., a host might be identified by an IP or MAC address,
    while a user might be identified by an email address) Furthermore,

The punctuation point should be moved after the closing parenthesis.

    7.1.Confidentiality and Integrity

    This specification does not define any mechanism for ensuring the
    confidentiality or integrityi of a Subject Identifier.

Change "integrityi" into "integrity".

Denis

> Thank you Dick and the authors.
>
> With my co-chair hat off, I support progressing this document. I also 
> have a couple comments:
>
> 3.2.2: The text refers twice to "alias" subject IDs, but the format is 
> now named "aliases".
>
> Fig. 14 seems to be in conflict with the requirement to have a single 
> subject for the JWT ("a JWT has one and only one JWT Subject"). Yes, 
> maybe Elizabeth has a second email address, but we cannot assume that 
> applications have this kind of logic. Similarly, the subject-related 
> discussion in Sec. 4.2 (which is arguably a bit vague) as well as Fig. 
> 18 seems to allow two different subjects within the JWT.
>
> Thanks,
>
>                 Yaron
>
> *From: *Dick Hardt <dick.hardt@gmail.com>
> *Date: *Wednesday, May 26, 2021 at 23:22
> *To: *SecEvent <id-event@ietf.org>
> *Cc: *Yaron Sheffer <yaronf.ietf@gmail.com>, Richard Backman, 
> Annabelle <richanna=40amazon.com@dmarc.ietf.org>, Roman Danyliw 
> <rdd@cert.org>, Marius Scurtescu <marius.scurtescu@coinbase.com>
> *Subject: *Subject Identifiers - Working Group Last Call
>
> Hello WG
>
> Thanks to Annabelle (and Marius) for the latest update:
>
> https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers-08 
> <https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers-08>
>
> Yaron and I would like to make another working group last call on this 
> draft. We are hopeful there will be enough feedback on this draft from 
> people that have reviewed it for us to recommend the draft progressing 
> to the next step.
>
> Please review and respond if you are supportive of this draft, and if 
> you are not supportive, please clarify your concerns.
>
> Dick and Yaron
>
> Image removed by sender.ᐧ
>
>
> _______________________________________________
> Id-event mailing list
> Id-event@ietf.org
> https://www.ietf.org/mailman/listinfo/id-event

v2.23.0 | Report a Bug | By Email