Re: [Id-event] I-D Action: draft-ietf-secevent-http-push-05.txt

"Richard Backman, Annabelle" <> Mon, 11 March 2019 20:02 UTC

Hello all,

This update contains the corrections and suggestions provided during WGLC, plus those Mike shared with the list this past weekend.

Here is the change log from -02 to -03:

   o  Made minor editorial corrections.

   o  Updated example request with a correct SET header and signature.

   o  Revised TLS guidance to allow implementers to provide
      confidentiality protection via JWE.

   o  Revised TLS guidance to require *at least* TLS 1.2.

   o  Revised TLS guidance to recommend supporting the newest version of
      TLS that meets security requirements.

   o  Revised SET Delivery Error Code format to allow the same set of
      characters as is allowed in error codes in RFC6749.

   o  Added mention of HTTP Poll spec to list of other streaming specs
      in appendix.

   o  Added validation step requiring SET Recipient to verify that the
      SET is one which the SET Transmitter is expected to send to the
      SET Recipient.

   o  Changed responding to errors with an appropriate HTTP status code
      from optional to recommended.

   o  Changed Error Codes registry change policy from Expert Review to
      First Come First Served; added guidance that error codes are meant
      to be consumed by automated systems.

   o  Added text making clear that it is up to SET Recipients whether or
      not they will accept SETs where the SET Issuer is different from
      the SET Transmitter.

   o  Reworded guidance around signing and/or encrypting SETs for
      integrity protection.

   o  Renamed TLS "Support Considerations" section to "Confidentiality
      of SETs".

   o  Reworded guidance around subject identifier selection and privacy.

Annabelle Richard Backman
AWS Identity

On 3/11/19, 11:42 AM, "Id-event on behalf of" < on behalf of> wrote:

    A New Internet-Draft is available from the on-line Internet-Drafts directories.
    This draft is a work item of the Security Events WG of the IETF.
            Title           : Push-Based Security Event Token (SET) Delivery Using HTTP
            Authors         : Annabelle Backman
                              Michael B. Jones
                              Marius Scurtescu
                              Morteza Ansari
                              Anthony Nadalin
            Filename        : draft-ietf-secevent-http-push-05.txt
            Pages           : 20
            Date            : 2019-03-11
       This specification defines how a Security Event Token (SET) may be
       delivered to an intended recipient using HTTP POST.  The SET is
       transmitted in the body of an HTTP POST request to an endpoint
       operated by the recipient, and the recipient indicates successful or
       failed transmission via the HTTP response.
    The IETF datatracker status page for this draft is:
    There are also htmlized versions available at:
    A diff from the previous version is available at:
    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at
    Internet-Drafts are also available by anonymous FTP at:
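Several of the change-log items above describe Recipient-side behaviour: a SET arrives as the body of an HTTP POST, the Recipient must now verify that the SET is one the Transmitter is expected to send it, accepting a SET whose Issuer differs from the Transmitter is a local policy decision, errors should carry an appropriate HTTP status code, and error codes are machine-consumed strings limited to the RFC 6749 error-code character set. The Python below is an added illustration of those checks; it is not code from the draft, the working group or AWS. It assumes HS256 with a per-Transmitter shared key so that it runs offline (deployments normally use asymmetric keys published via JWKS), takes `transmitter_id` to be whatever identity the TLS/HTTP layer already authenticated, and uses illustrative error code names and an `{"err", "description"}` response body that are not taken from the draft's registry. TLS itself is outside the snippet.

```python
"""Added example: minimal push-delivery SET Recipient checks (stdlib only)."""
import base64
import hashlib
import hmac
import json
import re

SET_CONTENT_TYPE = "application/secevent+jwt"
# RFC 6749 section 5.2: error values use only %x20-21 / %x23-5B / %x5D-7E.
ERROR_CODE_RE = re.compile(r"^[\x20-\x21\x23-\x5b\x5d-\x7e]+$")


def is_valid_error_code(code):
    return bool(ERROR_CODE_RE.match(code))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_set(claims, key, kid):
    """Transmitter side: serialise claims as a compact JWS SET (HS256 here;
    a shared key keeps the demo offline, production normally uses RSA/EC)."""
    header = {"typ": "secevent+jwt", "alg": "HS256", "kid": kid}
    encoded = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
               for p in (header, claims)]
    signing_input = ".".join(encoded)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(tag)


class SetRecipient:
    """Recipient side: validate one POSTed SET and choose the HTTP response."""

    def __init__(self, audience, transmitters):
        # transmitters maps the identity the HTTP/TLS layer authenticated to
        # {"key", "kid", "issuers" it may speak for, "events" it may send}.
        self.audience = audience
        self.transmitters = transmitters
        self.seen_jti = set()

    @staticmethod
    def _error(status, code, description):
        if not is_valid_error_code(code):  # codes are consumed by machines
            raise ValueError("error code violates RFC 6749 character set")
        return status, {"err": code, "description": description}

    def handle_post(self, transmitter_id, content_type, body):
        """Return (http_status, json_body_or_None) for one POST request."""
        tx = self.transmitters.get(transmitter_id)
        if tx is None:
            return self._error(403, "access_denied", "unknown transmitter")
        if content_type != SET_CONTENT_TYPE:
            return self._error(400, "invalid_request", "unexpected Content-Type")
        parts = body.split(".")
        if len(parts) != 3:
            return self._error(400, "invalid_request", "SET is not a compact JWS")
        try:
            header = json.loads(_b64url_decode(parts[0]))
            claims = json.loads(_b64url_decode(parts[1]))
            signature = _b64url_decode(parts[2])
        except ValueError:  # covers binascii.Error and JSONDecodeError
            return self._error(400, "invalid_request", "malformed SET")
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return self._error(400, "invalid_request", "malformed SET")
        # Pin alg and kid to the Transmitter's config; the token never chooses
        # (this is what rejects alg=none and foreign keys).
        if header.get("alg") != "HS256" or header.get("kid") != tx["kid"]:
            return self._error(400, "invalid_key", "unexpected alg or kid")
        signing_input = (parts[0] + "." + parts[1]).encode("ascii")
        expected = hmac.new(tx["key"], signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return self._error(400, "invalid_key", "signature check failed")
        # Issuer may differ from Transmitter only where local policy lists it.
        iss = claims.get("iss")
        if not isinstance(iss, str) or iss not in tx["issuers"]:
            return self._error(400, "invalid_issuer", "issuer not accepted")
        aud = claims.get("aud")
        aud = aud if isinstance(aud, list) else [aud]
        if self.audience not in aud:
            return self._error(400, "invalid_audience", "SET not addressed to us")
        # The -05 step: is this a SET the Transmitter is expected to send us?
        events = claims.get("events")
        if not isinstance(events, dict) or not events:
            return self._error(400, "invalid_request", "missing events claim")
        if not set(events).issubset(tx["events"]):
            return self._error(400, "access_denied", "unexpected event type")
        jti = claims.get("jti")
        if not isinstance(jti, str) or not jti:
            return self._error(400, "invalid_request", "missing jti")
        if jti not in self.seen_jti:  # redelivery of an accepted SET is a no-op
            self.seen_jti.add(jti)
        return 202, None
```

The order of checks is deliberate: nothing in the header or claims is trusted until the algorithm and key have been pinned to the authenticated Transmitter and the signature verified, so a token cannot pick its own `alg` or `kid`. The event-type allow-list is per Transmitter, which is how a Recipient expresses "this is a SET the Transmitter is expected to send"; the issuer allow-list is where a Recipient decides whether an Issuer other than the Transmitter is acceptable. Redelivery of an already-accepted `jti` returns 202 again so that a Transmitter retrying after a lost response does not see an error.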