IETF Logo Mail Archive

Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

Mike Jones <Michael.Jones@microsoft.com> Wed, 01 March 2017 18:33 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 587CA12966F for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 10:33:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.019
X-Spam-Level:
X-Spam-Status: No, score=-2.019 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1xLSLDNhVytZ for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 10:33:07 -0800 (PST)
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03on0120.outbound.protection.outlook.com [104.47.42.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54D51129671 for <id-event@ietf.org>; Wed, 1 Mar 2017 10:33:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=PIzCMvFZipRRW0E/OlvBDvGAi8S8D6Vr175Dkb1QRIw=; b=WTsqjgysRQWRCq4ic37lbrrAzv1YNZh3eo/6yuREV7RCXJ8IkWp0UPTMJCio9QWn9WG/3FV7AmzM7bSFfM4IwqsBdjFPqFOQpnF9FkhocxUCsOcpgwNL3u/784IFfbylidrwy9UA0LgtPPBOjOTIjFsbp5mMrK9pDnTZn1QtkOU=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0502.namprd21.prod.outlook.com (10.172.122.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Wed, 1 Mar 2017 18:33:05 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.007; Wed, 1 Mar 2017 18:33:05 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Phil Hunt <phil.hunt@oracle.com>, ID Events Mailing List <id-event@ietf.org>
Thread-Topic: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
Thread-Index: AQHSkrmW5tqPJIY8NEisvT0PLETCCaGATnyQ
Date: Wed, 01 Mar 2017 18:33:04 +0000
Message-ID: <CY4PR21MB0504D95DD36626D488FC963BF5290@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com>
In-Reply-To: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: oracle.com; dkim=none (message not signed) header.d=none;oracle.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:e::36]
x-ms-office365-filtering-correlation-id: 097199bd-ce5d-4a88-eeb2-08d460d1668a
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR21MB0502;
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0502; 7:gdOvxTPS1H6sOde4xT1V+Q6fqgySpLzYJ0moQxJmm6iF5WEU9RPjVa+lWX5YF9wqEr6FDMIQp35S7P00IrFd2TdT2RzIqvVte0AksVjEgXBikBZy+DJCRLrCKEUAP0a//lmF3EEnrBxyTXdBgE+SbKrVeArXnmDIxJY3mqSoWC+LgKeKzt5+65MC9iM3BiNMdJWIYSt6xWV3VtO47XFo4N6ZBdlcYg2Ws2IqdiM1Cknz4Ou2keFunl36nWwy36Qb2oGa2Y++0j4CpU7qFlMj2TixK0lspQABNB2C7AtCypiBV3vtbkS7kR38Tl72I1glyRPXhFYYYMiUiMfgAWGSJgX4oV7+NuzqYJXXzQ+CbS0=
x-microsoft-antispam-prvs: <CY4PR21MB05024257A9DE5DA5E3617D8AF5290@CY4PR21MB0502.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(21748063052155)(146099531331640)(201166117486090);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123555025)(20161123564025)(20161123560025)(20161123562025)(6072148); SRVR:CY4PR21MB0502; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0502;
x-forefront-prvs: 0233768B38
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(39840400002)(39450400003)(39860400002)(39850400002)(39410400002)(377454003)(6436002)(25786008)(8936002)(229853002)(10290500002)(8676002)(790700001)(102836003)(53546006)(6116002)(5005710100001)(10090500001)(3280700002)(53936002)(6246003)(8990500004)(81166006)(77096006)(33656002)(86362001)(2906002)(1680700002)(38730400002)(3660700001)(53386004)(2900100001)(106116001)(7906003)(575784001)(122556002)(76176999)(54356999)(5660300001)(50986999)(86612001)(6506006)(236005)(74316002)(6306002)(99286003)(54896002)(9686003)(55016002)(189998001)(7736002)(7696004)(92566002)(2950100002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0502; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0504D95DD36626D488FC963BF5290CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Mar 2017 18:33:04.9303 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0502
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/jlR3ULmMWvkl_NwcMF2qIKBrifE>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2017 18:33:09 -0000

Leave this as-is.  Adding additional claims that have the same meanings as existing claims but that use different syntax is needless complexity.

Like JWTs, we should keep SETs as simple as possible.  Also like JWTs, particular events will use the claims that they need.  This is as it should be.

                                                                -- Mike

From: Id-event [mailto:id-event-bounces@ietf.org] On Behalf Of Phil Hunt
Sent: Wednesday, March 1, 2017 10:28 AM
To: ID Events Mailing List <id-event@ietf.org>
Subject: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

In the comments on idtoken-07, Yaron raised concerns around the confusion of “iss” of the subject of the event vs. issuer of the event.  The current text says that if there is a need to distinguish between “iss” of the “sub” vs. “iss” of the event, then the event should place the “iss” of the subject in the event payload area.

I agree this does seem awkward.

I have been thinking a related concern, that a SET could be confused as an access token if it has a “sub” value.  If we stop using “sub” then we’re potentially causing web access management systems to reject SETs as invalid access tokens — this is theoretically a GOOD THING.

PLEASE INDICATE 1 or 2, or provide additional discussion.

Two options:

1. Leave as is.

2.  Create a new attribute object, “esub” (event subject) which is a JSON object that contains the attributes needed to identify the subject.  For example:

We currently have:

   {

     "jti": "fb4e75b5411e4e19b6c0fe87950f7749",



     "sub": "248289761001",

     "iat": 1458496025,

     "iss": "https://my.examplemed.com<https://my.examplemed.com/>",

     "aud": [

       "https://rp.example.com"

     ],

     "events": {

       "https://openid.net/heart/specs/consent.html":{

         "iss":"https://connect.example.com",

         "consentUri":[

           "https://terms.examplemed.com/labdisclosure.html#Agree"

         ]

       }

     }

   }

Could be represented as:

   {

     "jti": "fb4e75b5411e4e19b6c0fe87950f7749",



     “esub": {

       “sub”:"248289761001”,

       "iss":"https://connect.example.com”

     }

     "iat": 1458496025,

     "iss": "https://my.examplemed.com<https://my.examplemed.com/>",

     "aud": [

       "https://rp.example.com"

     ],

     "events": {

       "https://openid.net/heart/specs/consent.html":{

         "consentUri":[

           "https://terms.examplemed.com/labdisclosure.html#Agree"

         ]

       }

     }

   }

Comments:
* “sub” remains untouched in the sense that it retains the meaning used in traditional access tokens.
* “esub” contains the full information to address the subject.  No need to look around for a second “iss” (which may or may not be there)

To do this would require defining “esub” and sub-attributes like, “iss”, “sub” (which follow current defs), and probably “uri” for those entities that are referenceable as a URI.  Examples of URI subjects:
*  in implicit federation (from RISC):   “uri”:”mailto:phil.hunt@yahoo.com”
*  in SCIM where resources have URIs:  “uri”:”https://scim.example.com/Users/44f6142df96bd6ab61e7521d9"

One catch. Profiling specs would not be able to define new ways of addressing subjects with esub.

Phil

Oracle Corporation, Identity Cloud Services & Identity Standards
@independentid
www.independentid.com<http://www.independentid.com>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>

v2.23.0 | Report a Bug | By Email