[Id-event] Draft-06 issue re: subject principal grouping

Atul Tulshibagwale <atultulshi@google.com> Wed, 30 September 2020 00:28 UTC

From: Atul Tulshibagwale <atultulshi@google.com>
Date: Tue, 29 Sep 2020 17:28:44 -0700
Message-ID: <CAMCkG5u5YjqNrQu=Uth7F=QPvAy9-BwBCoQcMXd=ihMFjcHcmw@mail.gmail.com>
To: SecEvent <id-event@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/ePAfCDjBhe8CVtkCIzzlUHstChw>
Subject: [Id-event] Draft-06 issue re: subject principal grouping

Hi Annabelle,
After reviewing the draft 06
<https://github.com/richanna/secevent/blob/master/draft-ietf-secevent-subject-identifiers.txt>
(document dated Sep 04), there's one issue that I feel needs to be
addressed:

The sentence on line 246 ("A Subject Identifier MUST NOT contain any
members...") has the consequence that if we need to add claims in a
specific subject identifier type (e.g. email), then we will need to define
new subject identifier types.

As discussed earlier, I am interested in adding a "Subject Principal
Administrative Grouping" or SPAG as a property of any subject identifier.
This is important because the same principal may appear in different
administrative groupings, and without the disambiguation, it will be
impossible to figure out which SPAG the event that includes a subject
identifier applies to.

For example, suppose the user "a@b.com" is present in two tenants of a service
that acts as an SSE Receiver. Say the tenant names in which this user occurs
are "B.com" and "C.com". This can happen if "a@b.com" is an employee of the
tenant B.com, but is on a contract for a project that is run by the tenant
"C.com".

If the event received only has the subject:
"subject" : {
  "subject_type" : "email",
  "email" : "a@b.com"
}

Then it will be impossible for the receiver to determine whether the event
applies to the tenant B.com or C.com. If, on the other hand, an optional
claim "spag_id" is added, then the subject looks like:

"subject" : {
  "subject_type" : "email",
  "email" : "a@b.com",
  "spag_id" : "B.com"
}

This disambiguates the particular grouping that the event applies to.

So, I feel there are at least two ways of addressing this concern:

   1. Include SPAGs as a concept in the Subject Identifiers spec and allow
   a "spag_id" claim in any subject identifier
   2. Drop the requirement on line 246, and allow subject identifiers to
   have additional claims, which may be defined elsewhere.

Thanks,
Atul
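The ambiguity described in the message above, worked through in code. This is an added example, not part of the original email or of the secevent draft: it models a multi-tenant SSE Receiver with a constructed tenant directory in which "a@b.com" belongs to both B.com and C.com, resolves the tenant an event's subject applies to with and without the proposed "spag_id" claim, and checks each subject against the draft-06 "MUST NOT contain any members..." rule. The permitted-member table (ALLOWED_MEMBERS), the "spag_id" member and the return-value shapes are assumptions made for the example.

```python
import json

# Constructed tenant directory for a multi-tenant SSE Receiver: tenant (SPAG) -> principals.
# "a@b.com" appears in two tenants, exactly the situation the email describes.
TENANT_MEMBERS = {
    "B.com": {"a@b.com", "x@b.com"},
    "C.com": {"a@b.com", "y@c.com"},
}

# Members permitted per subject_type under the draft-06 rule quoted in the email
# ("A Subject Identifier MUST NOT contain any members..."). Hypothetical table that
# only lists the "email" type; it is an assumption of this example, not the draft's text.
ALLOWED_MEMBERS = {
    "email": {"subject_type", "email"},
}


def conforms_to_draft06_rule(subject):
    """True if the subject identifier carries only the members its type defines."""
    allowed = ALLOWED_MEMBERS.get(subject.get("subject_type"))
    if allowed is None:
        return False
    return set(subject) <= allowed


def resolve_tenant(subject, tenant_members=TENANT_MEMBERS):
    """Decide which tenant an event's subject applies to.

    Returns one of:
      ("resolved", tenant)         exactly one tenant applies
      ("ambiguous", [tenants...])  several tenants match and no spag_id was given
      ("unknown", None)            no tenant matches, or spag_id names a tenant the
                                   principal is not a member of locally
    A receiver should act only on "resolved" and log-and-drop the other two.
    """
    if subject.get("subject_type") != "email":
        raise ValueError("this example handles subject_type 'email' only")
    email = subject["email"]
    candidates = sorted(t for t, members in tenant_members.items() if email in members)

    spag = subject.get("spag_id")  # hypothetical claim proposed in the email
    if spag is not None:
        # Honour the transmitter's grouping only when it agrees with local membership,
        # so a mis-addressed or forged spag_id cannot steer the event into another tenant.
        return ("resolved", spag) if spag in candidates else ("unknown", None)
    if len(candidates) == 1:
        return ("resolved", candidates[0])
    if not candidates:
        return ("unknown", None)
    return ("ambiguous", candidates)


# Constructed subjects in the two shapes shown in the email, parsed as a receiver would.
SUBJECT_PLAIN = json.loads('{"subject_type": "email", "email": "a@b.com"}')
SUBJECT_WITH_SPAG = json.loads(
    '{"subject_type": "email", "email": "a@b.com", "spag_id": "B.com"}'
)

if __name__ == "__main__":
    for s in (SUBJECT_PLAIN, SUBJECT_WITH_SPAG):
        print(json.dumps(s), "draft-06 ok:", conforms_to_draft06_rule(s),
              "->", resolve_tenant(s))
```

The two checks pull in opposite directions, which is the point of the message: the plain subject satisfies the draft-06 member rule but resolves to an ambiguous result, while the subject carrying "spag_id" resolves cleanly but fails the rule. Whichever of the two remedies the list adopts, the receiver-side rule of refusing a "spag_id" that does not match its own membership data keeps the claim from becoming a way to misdirect events.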