Re: [Id-event] Subject Categories in Subject Identifiers

Tim Cappalli <Tim.Cappalli@microsoft.com> Tue, 11 August 2020 15:44 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/Qjy_XyudEC5HrZ__Aa7wewd5tGI>

Hey Phil, sorry for the delay on this. We've been discussing this in the OpenID SSE group as well.

We have concerns about receivers/RPs in CAEP/RISC needing to understand what are essentially identical event types just to delineate a user vs a device subject (as an example). There are also scalability concerns with having to send multiple events to convey this information. The scale we're talking about here is hundreds of millions of "subjects" (users, devices, sessions, applications, workloads).

For a basic revocation use case, if we don't have the ability to include multiple subjects and include a subject category, instead of an RP/receiver needing to know about a single event type of "all-sessions-revoked", we now need a minimum of 4 event types (device-session-revoked, user-session-revoked, session-revoked, all-sessions-revoked). This grows exponentially with new event types and makes it difficult to maintain in large scale environments with thousands of RPs/receivers.


We had discussed potentially using the subject_alias option, but we can't due to the user and device not being the same "entity".
3.5 > "Each Subject Identifier in the array MUST identify the same entity."

Here's an example of what we're trying to signal:

{
  "iss": "https://sts.windows.net/2d1ae189-3d85-44cf-8437-26fba424feaf/",
  "jti": "756E69717565206964656E746966696572",
  "iat": 1597158239,
  "aud": "https://outlook.office365.com/",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/all-sessions-revoked": {
      "subject": [
        {
          "subject_type": "email",
          "email": "tim@microsoft.com",
          "subject_category": "user"
        },
        {
          "subject_type": "iss-sub",
          "iss": "https://sts.windows.net/2d1ae189-3d85-44cf-8437-26fba424feaf/",
          "sub": "404ea68b-8b82-4e8c-876e-e936995238a3",
          "subject_category": "device"
        },
        {
          "subject_type": "iss-sub",
          "iss": "https://sts.windows.net/2d1ae189-3d85-44cf-8437-26fba424feaf/",
          "sub": "07bdd8df-3bcd-4562-9ffc-5e355f7e8ba1",
          "subject_category": "device"
        },
        {
          "subject_type": "iss-sub",
          "iss": "https://sts.windows.net/2d1ae189-3d85-44cf-8437-26fba424feaf/",
          "sub": "573d9c1c-b4e0-4cac-8927-6d43691fa898",
          "subject_category": "user"
        }
      ]
    }
  }
}



Proposal:

Add a subject category with the following defined options:

  *   user
  *   device
  *   session
  *   application
  *   workload

If multiple subjects are present, it is expected that the event applies to all of the subjects to the extent that it makes sense to the event type.


Open question and discussion items:

1) Can "subject" be an array of multiple subjects that are not the same entity?

1a) If so, how should alias be combined with multiple subjects? In the example above, both user subjects would be aliases of each other.

2) If no category is provided, what should be the default?

tim
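A receiver-side sketch of how the SET above would be validated and then acted upon, added here as an example; it is not code from this thread, from Microsoft, or from any SET/CAEP draft. It assumes the five categories Tim proposes, a default of "user" when subject_category is absent (open question 2), that only the two subject_type values in the example ("email" and "iss-sub") are known, and that the SET has already passed signature, iss, aud and iat checks. The helper names (subject_key, validation_error, revoke_all_sessions) and the session records are mine.

```python
# Added example: mine, not code from the thread, from Microsoft or from any
# SET/CAEP draft. Receiver-side validation of the SET Tim posted above, then
# applying all-sessions-revoked per subject category.
# Assumptions the thread does not settle: the category set is Tim's five
# values; a missing category defaults to "user" (open question 2); only the
# two subject_type values on the page are known; and JWS signature, iss, aud
# and iat checks on the SET have already passed before this code runs.
import json

ALL_SESSIONS_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/all-sessions-revoked"
SUBJECT_CATEGORIES = {"user", "device", "session", "application", "workload"}
DEFAULT_CATEGORY = "user"  # assumption; the thread leaves the default open
# Identifying members each subject_type must carry (only the types on the page).
REQUIRED_MEMBERS = {"email": {"email"}, "iss-sub": {"iss", "sub"}}

class SubjectError(ValueError):
    """A malformed subject identifier, unknown category, or missing event."""

def subject_key(subject_type, **members):
    """Canonical string for a subject identifier (identifying members only),
    so subjects from a SET can be compared with the receiver's own records."""
    return json.dumps({"subject_type": subject_type, **members},
                      sort_keys=True, separators=(",", ":"))

def validate_subject(subj):
    """Return (category, key) for one subject identifier or raise SubjectError."""
    if not isinstance(subj, dict):
        raise SubjectError("subject identifier must be a JSON object")
    stype = subj.get("subject_type")
    if stype not in REQUIRED_MEMBERS:
        raise SubjectError(f"unknown subject_type {stype!r}")
    missing = REQUIRED_MEMBERS[stype] - set(subj)
    if missing:
        raise SubjectError(f"{stype} subject is missing {sorted(missing)}")
    category = subj.get("subject_category", DEFAULT_CATEGORY)
    if category not in SUBJECT_CATEGORIES:
        raise SubjectError(f"unknown subject_category {category!r}")
    return category, subject_key(stype, **{m: subj[m] for m in REQUIRED_MEMBERS[stype]})

def subjects_by_category(set_payload, event_type=ALL_SESSIONS_REVOKED):
    """Group the event's subjects as {category: [key, ...]}. Every subject is
    validated before anything is returned, so a receiver never acts on half of
    a multi-subject event. A lone subject object is accepted as well as an array."""
    event = set_payload.get("events", {}).get(event_type)
    if event is None:
        raise SubjectError(f"event {event_type} not present")
    subjects = event.get("subject")
    if subjects is None:
        raise SubjectError("event carries no subject")
    if isinstance(subjects, dict):
        subjects = [subjects]
    grouped = {}
    for subj in subjects:
        category, key = validate_subject(subj)
        grouped.setdefault(category, []).append(key)
    return grouped

def validation_error(set_payload):
    """None if the all-sessions-revoked event is well formed, else the reason."""
    try:
        subjects_by_category(set_payload)
    except SubjectError as exc:
        return str(exc)
    return None

def revoke_all_sessions(set_payload, sessions):
    """Ids of the sessions the event revokes: every session of a listed user plus
    every session on a listed device. Each session is a dict with "id", "user"
    and "device" keys whose values are subject_key() strings."""
    grouped = subjects_by_category(set_payload)
    users, devices = set(grouped.get("user", [])), set(grouped.get("device", []))
    return [s["id"] for s in sessions if s["user"] in users or s["device"] in devices]

ISS = "https://sts.windows.net/2d1ae189-3d85-44cf-8437-26fba424feaf/"
# The SET payload from Tim's message above, with its four subjects in order.
THREAD_SET = {
    "iss": ISS, "jti": "756E69717565206964656E746966696572", "iat": 1597158239,
    "aud": "https://outlook.office365.com/",
    "events": {ALL_SESSIONS_REVOKED: {"subject": [
        {"subject_type": "email", "email": "tim@microsoft.com", "subject_category": "user"},
        {"subject_type": "iss-sub", "iss": ISS, "sub": "404ea68b-8b82-4e8c-876e-e936995238a3", "subject_category": "device"},
        {"subject_type": "iss-sub", "iss": ISS, "sub": "07bdd8df-3bcd-4562-9ffc-5e355f7e8ba1", "subject_category": "device"},
        {"subject_type": "iss-sub", "iss": ISS, "sub": "573d9c1c-b4e0-4cac-8927-6d43691fa898", "subject_category": "user"},
    ]}},
}
# Constructed session records (not from the thread): a receiver that remembers
# which user and which device each session was issued to.
SESSIONS = [
    {"id": "sess-1", "user": subject_key("email", email="tim@microsoft.com"),
     "device": subject_key("iss-sub", iss=ISS, sub="404ea68b-8b82-4e8c-876e-e936995238a3")},
    {"id": "sess-2", "user": subject_key("iss-sub", iss=ISS, sub="user-not-in-event"),
     "device": subject_key("iss-sub", iss=ISS, sub="07bdd8df-3bcd-4562-9ffc-5e355f7e8ba1")},
    {"id": "sess-3", "user": subject_key("iss-sub", iss=ISS, sub="573d9c1c-b4e0-4cac-8927-6d43691fa898"),
     "device": subject_key("iss-sub", iss=ISS, sub="device-not-in-event")},
    {"id": "sess-4", "user": subject_key("iss-sub", iss=ISS, sub="user-not-in-event"),
     "device": subject_key("iss-sub", iss=ISS, sub="device-not-in-event")},
]

if __name__ == "__main__":
    print(validation_error(THREAD_SET))               # None
    print(revoke_all_sessions(THREAD_SET, SESSIONS))  # ['sess-1', 'sess-2', 'sess-3']
```

The point of validating every subject before touching the session store is that a revocation event carrying several subjects should either apply in full or be rejected in full; acting on the first two subjects and then failing on a malformed third would leave sessions alive that the transmitter believes are gone. The code deliberately does not resolve open question 1a (how subject_alias combines with an array of unrelated subjects): it treats the two "user" entries as independent keys, which is safe for revocation but would double-count if the receiver also reported on the event.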



________________________________
From: Id-event <id-event-bounces@ietf.org> on behalf of Phil Hunt <phil.hunt@independentid.com>
Sent: Monday, July 13, 2020 17:55
To: Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org>
Cc: ID Events Mailing List <id-event@ietf.org>; Dick Hardt <dick.hardt@gmail.com>
Subject: Re: [Id-event] Subject Categories in Subject Identifiers

Why is the category not part of the eventuri / event definition?  Why have one event that applies to a session, a device, a person, and an account at the same time as opposed to 4 different event uris?

It feels like you may be trying to define a combined, multi-purpose event to cover many actual events. Is that the goal?

My expectation for defining SETs and eventuris was that the eventuri conveys 90% of the information content of a SET. The subject identifier indicates who or what the event is about and the occasional use of payload claims to provide "useful" additional information (like a counter).  E.g. if you want to convey how many account resets and not just the fact the account was reset. It makes sense to re-use the same URI even though the actions taken on the 3rd reset might be different than on the first.

IMO, a wide number of event uris paired with lightweight SETs means policy systems and SET routers can make quick decisions on where and how to act upon an event for a particular subject.

Phillip Hunt
phil.hunt@independentid.com



On Jul 13, 2020, at 1:47 PM, Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org> wrote:

To address Mike's point I'm clarifying the proposal syntax here.

I'm proposing that we add a "categories" claim to subject identifiers, regardless of the subject-identifier type (i.e. a common claim), with the following text:
Subject Categories

   Subjects may be categorized as users, devices or sessions.  To
   specify the category of a subject, a "category" claim MAY be
   included.  If present, the claim MUST have a value that is one of:

   user  Specifies that the subject category is a user.

   device  Specifies that the subject category is a device.

   session  Specifies that the subject category is a session.

To address Dick's question:
I suppose one could think of it either way. I am neutral to adding it within subject identifiers or at a higher-level in the event that includes the subject identifier claim. This was also a point of discussion in the SSE working group, so I'll let others comment on this. This may be dropped if no one has strong reasons to include it in the subject identifiers claim.

Thanks,
Atul

On Mon, Jul 13, 2020 at 11:25 AM Dick Hardt <dick.hardt@gmail.com> wrote:
Hi Atul

I don't follow why this statement is true:

"Since this is a property of the subject rather than the event"

I would come to the opposite conclusion.


On Mon, Jul 13, 2020 at 9:10 AM Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org> wrote:
Hi all,
Subject Identifiers will be used in various specifications about events pertaining to those subject identifiers. In order to determine the scope of the event, it is important to know what the transmitter of the event that includes the subject identifier refers to.

For example, when a subject identifier specifies a phone number as the identifier, is the transmitter of the event that includes such a subject identifier specifying the user or the device represented by the subject identifier?

Since this is a property of the subject rather than the event, it should be logically included in the subject identifier spec. Therefore, I'm proposing that we include a "subject category" claim within the subject identifier. The subject category could have one of the following values:

  *   User
  *   Device
  *   Session

The above values are sufficient for the SSE profile, but other values may be possible (although such a possibility is not a part of my proposal <https://github.com/richanna/secevent/pull/1>).

Thanks,
Atul

_______________________________________________
Id-event mailing list
Id-event@ietf.org
https://www.ietf.org/mailman/listinfo/id-event