Re: [Id-event] Draft-06 issue re: subject principal grouping
Atul Tulshibagwale <atultulshi@google.com> Thu, 01 October 2020 16:02 UTC
Return-Path: <atultulshi@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34FB53A10DC for <id-event@ietfa.amsl.com>; Thu, 1 Oct 2020 09:02:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PBRCpupcv2js for <id-event@ietfa.amsl.com>; Thu, 1 Oct 2020 09:02:30 -0700 (PDT)
Received: from mail-yb1-xb31.google.com (mail-yb1-xb31.google.com [IPv6:2607:f8b0:4864:20::b31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 496303A10C2 for <id-event@ietf.org>; Thu, 1 Oct 2020 09:02:30 -0700 (PDT)
Received: by mail-yb1-xb31.google.com with SMTP id f70so4388965ybg.13 for <id-event@ietf.org>; Thu, 01 Oct 2020 09:02:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=rmwat8ZHZDmHWxRH1QBzu6CYKnzH3j0q8LpdDl1JCZI=; b=craxfTMN3N3pp2JTsjJIvOZYGVNWa7VgE2/oh3fdCUcQVQDRrUKz06uCO0bgZM06/S DSjR5VkCg7HpQpET6VyrgsKTDQBV34udC/4+gAXO9XHFIyjbpOF0bUXm+tEWlqyPrdo4 CTULP0ZwnjwGkeySMKI6gdkCY9HgOhpVsSoz3zv/HBZ/EEx2ILlXZue9AaFbcas3LJr+ xVzML1jJpUR7JYW0fYoYUL/FJfH4oBaixvNoX438sgUXIIaDeMNEDBCN8oGntImJVNem uqwCdygL0OrWddCg07zrAMiaIyzXmK9AcNlW0bM1mG3rdC+z3QbA9RmZ4bkA4Y3jrgYI d9hQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rmwat8ZHZDmHWxRH1QBzu6CYKnzH3j0q8LpdDl1JCZI=; b=cyX311gvmt7WotKdtAwfHmslDZXupSUMOGE8LoA4nGGLpUV5DeuaYTctQRpSu7Cv0p ozBgY2HqZNRi9+ZCTmNtI4fzAmenS/Pn7UBpgd4420Z/hFzam/6G2SR+oKQPsrp7rHNE 1ROmBpT9uWjODJ64/OS4oKUCpwrHPbEfiUdXzepRbuxtrTRNWG7ewokqrKxuPU+gpdP7 Co7XEuduti6NFX4tiNkrfdYpI/JovEGOhw03RAoYXSj4HlD19gop5dE02iI6B1wuBi45 gez0S6Mlc1Jaw7YqMX1u+UHvFU693SZGEVFDFLwu366oZPPBJquKu3e/Cdx94/8p+NvC tLjQ==
X-Gm-Message-State: AOAM532gDcELDrO0u2aqMxZHAUPGF1nTqCAAX9BjEc24LdGLQnrgE4ud 1OWyVp5CcBQfzqrvWCCtOPSKl/j9b+U9wPSgtb7Qcw==
X-Google-Smtp-Source: ABdhPJyUfaPTuilC3I6mxogwN7aateI3DXcyRUtWIbH4Xny9eHAsdfiq2t55rNYwcrSWDD5QhyLAGoj1eUMALU7+vdQ=
X-Received: by 2002:a25:bd93:: with SMTP id f19mr9950430ybh.155.1601568149125; Thu, 01 Oct 2020 09:02:29 -0700 (PDT)
MIME-Version: 1.0
References: <CAMCkG5u5YjqNrQu=Uth7F=QPvAy9-BwBCoQcMXd=ihMFjcHcmw@mail.gmail.com> <33AA53B6-D6E1-498C-AC47-470ABB558BDB@mit.edu>
In-Reply-To: <33AA53B6-D6E1-498C-AC47-470ABB558BDB@mit.edu>
From: Atul Tulshibagwale <atultulshi@google.com>
Date: Thu, 01 Oct 2020 09:02:18 -0700
Message-ID: <CAMCkG5u6dVe7qKLfXhiesUNan2VwvRUFXxppzUnpT=7HQ7W_3A@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: SecEvent <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009d943105b09e2456"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/emsBSgqFRTu8L6jCsNKu6WKVNrI>
Subject: Re: [Id-event] Draft-06 issue re: subject principal grouping
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Oct 2020 16:02:32 -0000
Hi Justin, Agree with the theme of the language proposed in your email. I'd like to propose something similar, like: "Each subject_type may define required fields. Subject identifiers MUST include all fields required by the subject_type, but MAY contain other fields, either defined as optional fields within this Subject Identifiers specification or elsewhere. A receiver MUST ignore fields in a Subject Identifier that it does not understand." Atul On Wed, Sep 30, 2020 at 1:51 PM Justin Richer <jricher@mit.edu> wrote: > Atul, > > I raised this in my review as well. I think the goal of the restriction > was to make the subject identifier objects compact and easily processed > without getting a bunch of arbitrary stuff strung onto them, but I think > the MUST NOT might go too far toward that. > > > I would like to see the requirement relaxed but also have guidance as to > how and when to add additional members to the object. Maybe the > subject_type field determines the REQUIRED fields and their semantics, but > extensions MAY add new fields? And that a receiver MUST ignore fields they > don’t understand? > > > > — Justin > > On Sep 29, 2020, at 8:28 PM, Atul Tulshibagwale < > atultulshi=40google.com@dmarc.ietf.org> wrote: > > Hi Annabelle, > After reviewing the draft 06 > <https://github.com/richanna/secevent/blob/master/draft-ietf-secevent-subject-identifiers.txt> > (document dated Sep 04), there's one issue that I feel needs to be > addressed: > > The sentence on line 246 ("A Subject Identifier MUST NOT contain any > members...") has the consequence that if we need to add claims in a > specific subject identifier type (e.g. email), then we will need to define > new subject identifier types. > > As discussed earlier, I am interested in adding a "Subject Principal > Administrative Grouping" or SPAG as a property of any subject identifier. > This is important because the same principal may appear in different > administrative groupings, and without the disambiguation, it will be > impossible to figure out which SPAG the event that includes a subject > identifier applies to. > > For example, if the user "a@b.com" is present in two tenants of a service > that acts as a SSE Receiver. Say the tenant names in which this user occurs > is "B.com" and "C.com". This can happen if "a@b.com" is an employee of > the tenant B.com, but is on a contract for a project that is run by the > tenant "C.com". > > If the event received only has the subject: > "subject" : { > "subject_type" : "email", > "email" : "a@b.com" > } > > Then it will be impossible for the receiver to determine whether the event > applies to the tenant B.com or C.com. If on the other hand, an optional > claim "spag_id" is added, then the subject looks like: > > "subject" : { > "subject_type" : "email", > "email" : "a@b.com", > "spag_id" : "B.com" > } > > This disambiguates the particular grouping that the event applies to. > > So, I feel there are at least two ways of addressing this concern: > > 1. Include SPAGs as a concept in the Subject Identifiers spec and > allow a "spag_id" claim in any subject identifier > 2. Drop the requirement on line 246, and allow subject identifiers to > have additional claims, which may be defined elsewhere. > > Thanks, > Atul > > _______________________________________________ > Id-event mailing list > Id-event@ietf.org > https://www.ietf.org/mailman/listinfo/id-event > > >
- [Id-event] Draft-06 issue re: subject principal g… Atul Tulshibagwale
- Re: [Id-event] Draft-06 issue re: subject princip… Justin Richer
- Re: [Id-event] Draft-06 issue re: subject princip… Atul Tulshibagwale
- Re: [Id-event] Draft-06 issue re: subject princip… Yaron Sheffer
- Re: [Id-event] Draft-06 issue re: subject princip… Atul Tulshibagwale
- Re: [Id-event] Draft-06 issue re: subject princip… Atul Tulshibagwale
- Re: [Id-event] Draft-06 issue re: subject princip… Atul Tulshibagwale
- Re: [Id-event] Draft-06 issue re: subject princip… Dick Hardt
- Re: [Id-event] Draft-06 issue re: subject princip… Atul Tulshibagwale
- Re: [Id-event] Draft-06 issue re: subject princip… Dick Hardt