Re: [Id-event] Subject Identifiers - Working Group Last Call
Denis <denis.ietf@free.fr> Thu, 27 May 2021 17:43 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B25D23A0DB3 for <id-event@ietfa.amsl.com>; Thu, 27 May 2021 10:43:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.72
X-Spam-Level:
X-Spam-Status: No, score=-0.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.398, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rL6pyq9cmZCc for <id-event@ietfa.amsl.com>; Thu, 27 May 2021 10:43:00 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp03.smtpout.orange.fr [80.12.242.125]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 458173A0DA5 for <id-event@ietf.org>; Thu, 27 May 2021 10:42:59 -0700 (PDT)
Received: from [192.168.1.11] ([90.26.94.159]) by mwinf5d57 with ME id 9tir2500M3SJSnu03tisJX; Thu, 27 May 2021 19:42:56 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Thu, 27 May 2021 19:42:56 +0200
X-ME-IP: 90.26.94.159
To: Yaron Sheffer <yaronf.ietf@gmail.com>, Dick Hardt <dick.hardt@gmail.com>, SecEvent <id-event@ietf.org>
Cc: Roman Danyliw <rdd@cert.org>, Marius Scurtescu <marius.scurtescu@coinbase.com>, "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
References: <CAD9ie-uSbNHq=Mt3ohA=URf5rv2hz7YUdUMhOf80C_f=XBrGLA@mail.gmail.com> <36D66A89-D178-6047-B270-73AD540E7FAD@hxcore.ol>
From: Denis <denis.ietf@free.fr>
Message-ID: <81b58b05-97b6-d910-6b58-4b565ae6ea57@free.fr>
Date: Thu, 27 May 2021 19:42:59 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0
MIME-Version: 1.0
In-Reply-To: <36D66A89-D178-6047-B270-73AD540E7FAD@hxcore.ol>
Content-Type: multipart/alternative; boundary="------------4DED7502B7A07390516416D1"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/b9yEjnK-QvkbHhL2BVtFX-kdQrk>
Subject: Re: [Id-event] Subject Identifiers - Working Group Last Call
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 May 2021 17:43:05 -0000
I believe that this document should be enhanced on three aspects that are currently not addressed. Section 3.1 (Identifier Formats versus Principal Types) states: Identifier Formats define how to encode identifying information for a subject.They do not define the type or nature of the subject itself. While this statement is correct, it should be remembered that the title of this document is: " Subject Identifiers for Security Event Tokens" and is not: " Subject Identifiers *Formats* for Security Event Tokens". Therefore it would be possible to add /*optional */attributes/characteristics to Subject Identifiers which relate to two different topics: -the granularity of the identification and -the correlation operations that may be either performed or prevented using some values contained in a specific format. * * *1. Granularity of the identification* A subject identifier may be able to identify an entity either individually or as a member of a group. In order to be able to make the difference, an */optional /class* attribute should be defined which may take one out of two values: * "*ind*" to indicate an individual identifier or * "*grp" *to indicate a group identifier. Examples: "format": "email", "class": "ind" "email": "tom.jones@example.com" "format": "email", "class": "grp" "email": "marketing@example.com" * * *2. Correlation operations that may be either performed or prevented* Currently, the Privacy Considerations section only addresses one correlation case where a JWT would have both "sub" and "sub_id" JWT claims. While it is appropriate to mention such a case, other correlation cases exist. These cases become visible if the "sub_id" contains an */optional/* subject identifier *type*attribute. A subject identifier *type*attribute would be able to support four values: *guid*, *shared*, *unique* and *tmp*. -a *guid* type indicates a globally unique identifier. Such subject identifier type allows service providers or other servers to link their accounts as soon as they use the same guid. -an issuer and subject pair (i.e. a subject identifier with the *iss_sub* format) where the subject identifier format would include : -a shared identifier type (*shared*) to indicate a subject identifier shared by several service providers (such subject identifier type allows service providers to link their accounts), or -a unique identifier type (*unique)*to indicate a subject identifier specific to a single service provider (such subject identifier type does not allow service providers or servers to link their accounts), or -a temporary identifier type (*tmp*) to indicate a subject identifier issued only once by the issuer(sometimes called session identifier). (such subject identifier type does not allow any service provider to perform any linkage between accounts, even on a single service provider). . _Examples_: "format": "opaque", "type": "guid" "id": "11112222333344445555" "format": "iss_sub", "type": "shared" "iss": "http://issuer.example.com/", "sub": "145234573" "format": "iss_sub", "type": "unique" "iss": "http://issuer.example.com/", "sub": "145234573" "format": "opaque", "type": "tmp" "id": "11112222333344445555" *3. Hierarchical group memberships, functional group memberships and roles.* Examples of group identifiers are : hierarchical group memberships, functional group memberships and roles. It would be useful to define one format for these common groups: one or more character strings separated by the character slash. for both hierarchical (*hgrp*) and functional group memberships (*fgrp*) and roles (*role*): _ _ _Examples_: "format": "hgrp", "hgrp": "marketing/customer relationships" "format": "fgrp", "fgrp": " university/science/teacher" "format": "role", "role": "auditor" *4. Two nits:* (...) ways. (e.g., a host might be identified by an IP or MAC address, while a user might be identified by an email address) Furthermore, The punctuation point should be moved after the closing parenthesis. 7.1.Confidentiality and Integrity This specification does not define any mechanism for ensuring the confidentiality or integrityi of a Subject Identifier. Change "integrityi" into "integrity". Denis > Thank you Dick and the authors. > > With my co-chair hat off, I support progressing this document. I also > have a couple comments: > > 3.2.2: The text refers twice to "alias" subject IDs, but the format is > now named "aliases". > > Fig. 14 seems to be in conflict with the requirement to have a single > subject for the JWT ("a JWT has one and only one JWT Subject"). Yes, > maybe Elizabeth has a second email address, but we cannot assume that > applications have this kind of logic. Similarly, the subject-related > discussion in Sec. 4.2 (which is arguably a bit vague) as well as Fig. > 18 seems to allow two different subjects within the JWT. > > Thanks, > > Yaron > > *From: *Dick Hardt <dick.hardt@gmail.com> > *Date: *Wednesday, May 26, 2021 at 23:22 > *To: *SecEvent <id-event@ietf.org> > *Cc: *Yaron Sheffer <yaronf.ietf@gmail.com>, Richard Backman, > Annabelle <richanna=40amazon.com@dmarc.ietf.org>, Roman Danyliw > <rdd@cert.org>, Marius Scurtescu <marius.scurtescu@coinbase.com> > *Subject: *Subject Identifiers - Working Group Last Call > > Hello WG > > Thanks to Annabelle (and Marius) for the latest update: > > https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers-08 > <https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers-08> > > Yaron and I would like to make another working group last call on this > draft. We are hopeful there will be enough feedback on this draft from > people that have reviewed it for us to recommend the draft progressing > to the next step. > > Please review and respond if you are supportive of this draft, and if > you are not supportive, please clarify your concerns. > > Dick and Yaron > > Image removed by sender.ᐧ > > > _______________________________________________ > Id-event mailing list > Id-event@ietf.org > https://www.ietf.org/mailman/listinfo/id-event
- [Id-event] Subject Identifiers - Working Group La… Dick Hardt
- Re: [Id-event] Subject Identifiers - Working Grou… Yaron Sheffer
- Re: [Id-event] Subject Identifiers - Working Grou… Denis
- Re: [Id-event] Subject Identifiers - Working Grou… Dave Tonge
- Re: [Id-event] Subject Identifiers - Working Grou… Justin Richer
- Re: [Id-event] Subject Identifiers - Working Grou… Richard Backman, Annabelle
- Re: [Id-event] [UNVERIFIED SENDER] Re: Subject Id… Richard Backman, Annabelle
- Re: [Id-event] [UNVERIFIED SENDER] Re: Subject Id… Yaron Sheffer
- Re: [Id-event] [UNVERIFIED SENDER] Re: Subject Id… Richard Backman, Annabelle
- Re: [Id-event] [UNVERIFIED SENDER] Re: Subject Id… Tim Cappalli
- Re: [Id-event] [UNVERIFIED SENDER] Re: Subject Id… Justin Richer
- Re: [Id-event] [UNVERIFIED SENDER] Re: Subject Id… Dick Hardt
- Re: [Id-event] Subject Identifiers - Working Grou… Denis
- Re: [Id-event] Subject Identifiers - Working Grou… Backman, Annabelle
- Re: [Id-event] Subject Identifiers - Working Grou… Denis
- Re: [Id-event] Subject Identifiers - Working Grou… Backman, Annabelle
- Re: [Id-event] Subject Identifiers - Working Grou… Denis
- Re: [Id-event] Subject Identifiers - Working Grou… Backman, Annabelle
- Re: [Id-event] Subject Identifiers - Working Grou… Denis
- Re: [Id-event] Subject Identifiers - Working Grou… Aaron Parecki
- Re: [Id-event] Subject Identifiers - Working Grou… Denis