Re: [Id-event] "aud" vs. receiver issue raised in WGLC
Marius Scurtescu <mscurtescu@google.com> Mon, 23 October 2017 22:58 UTC
Return-Path: <mscurtescu@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC1B913A415 for <id-event@ietfa.amsl.com>; Mon, 23 Oct 2017 15:58:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.618
X-Spam-Level:
X-Spam-Status: No, score=-0.618 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_10_20=0.093, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EQy_ckb14TLT for <id-event@ietfa.amsl.com>; Mon, 23 Oct 2017 15:58:50 -0700 (PDT)
Received: from mail-it0-x236.google.com (mail-it0-x236.google.com [IPv6:2607:f8b0:4001:c0b::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67D7413A902 for <id-event@ietf.org>; Mon, 23 Oct 2017 15:58:50 -0700 (PDT)
Received: by mail-it0-x236.google.com with SMTP id o135so7886853itb.0 for <id-event@ietf.org>; Mon, 23 Oct 2017 15:58:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=1TsnOA0BKIwiPdGDbJib9BJMrvUF0dbXvY9RhGs5Wuc=; b=PFL/42Yo/7+BRYKtnhfZ4olQfFL+ZCtseWUK3Y0mpWsJLvelMbO1aKG0bYR3CCp2Dk dYnxejwkniFBjF803rvq19y7DKR3RXGLjzV5DbQzUJMfcZJhSZgd9x4mD3Dw1MKyoFpG TtxHgfKWRk0CxBXm6v1KriWNs/Auz11ok5c7CD6O2NT//p7FBilG5KIO6eMxTgt9gPzs Vz0zYTBxD/IBy5hsGzq2NsY0HWanyM6hHSfY4Zfs48xeVCskZEJC16pG71ppeVA18KTx OUDXO8In7p1hKzMcLc29nmc44+HkpR5NmyZPwHBCiGC2nkUMfvkc32CL2aLkF1PxNipX lF/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=1TsnOA0BKIwiPdGDbJib9BJMrvUF0dbXvY9RhGs5Wuc=; b=XCCTGwL+gkq2fwjn33AKEIDMS9K2LGiYPuaH0Qug4otb4/CJqcDZ1VCZ0vhS53ty5B fKHhFIXtEpExd9zeCLs46yAOWbGhbJ4LjvL7uSoujjrSyV8WUqZtQF9EBX5x61H6aCHc NxndrNsTM1YJdVTk1RehEYrfDC5NVuO6kAKH3Op16DjUry+vO0i8Zdyju0h/t4ZqEzP5 la/IUkZMwgrn51qq2UBRawhQ2fWLVMfm9Ph9wja9caTUPsRpeaQOHoH1I3eA7NF2W6xx jyET3ZuiqYPHLV8slWxXUxnAXpA7JWtxGi83OyBLJIYKeHRLf9o1w4byWEUpO4WlKv7O KDvA==
X-Gm-Message-State: AMCzsaWJWTLfYicfMb2FE+FGSsE8Jo9AZpp3xxugPQkT3VJJGwzxAmtF JiXpTYFUnr3WkRgSGoOLgXQ/J8afmAU/6BtQIjGJ4Q==
X-Google-Smtp-Source: ABhQp+RAsDM+OaIB6b5D3+CRwZ2yxf5GpTycqL9k3Br9TiLQ8FsEH1Vuw50rm8kRULlj6iV8wcW+ZpsVrWzKlwYtKLU=
X-Received: by 10.36.178.85 with SMTP id h21mr12132997iti.118.1508799529139; Mon, 23 Oct 2017 15:58:49 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.34.9 with HTTP; Mon, 23 Oct 2017 15:58:28 -0700 (PDT)
In-Reply-To: <7DAF5B83-F6DB-4015-A011-AB6E13C46B81@oracle.com>
References: <e6649728-f94a-93f5-9885-c948a5b0ed49@gmail.com> <CAGdjJpJtfV9q2iaL-uao1b7XpQjx5uJrX=fnoM36POXLFYrqow@mail.gmail.com> <fa06137b-516f-4a57-8ed5-08cd2cc63af6@sit.fraunhofer.de> <71FA69AE-F8F6-45AB-9550-36BC9395DE32@gmail.com> <684D9C6F-C59A-4850-9A1B-24A026278A62@oracle.com> <CAGdjJpLYxzUqOGxZ9oTLiCzZAwffTEqjxBYNtZO09nF6RnzOAA@mail.gmail.com> <7DAF5B83-F6DB-4015-A011-AB6E13C46B81@oracle.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Mon, 23 Oct 2017 15:58:28 -0700
Message-ID: <CAGdjJpJtP7w-wL3Pj=QODOjc9m15z0Ssd+8bwxX684c-t1bbiQ@mail.gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Cc: ID Events Mailing List <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="f403045d9a14f98c2c055c3ec323"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/kHCsdFIlzTN1R_LpqNNfF19MrOk>
Subject: Re: [Id-event] "aud" vs. receiver issue raised in WGLC
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Oct 2017 22:58:53 -0000
I think "aud" should point to the Receiver, the outsourcing is irrelevant. Nothing needs to change here IMO. Marius On Mon, Oct 23, 2017 at 3:55 PM, Phil Hunt <phil.hunt@oracle.com> wrote: > It seems reasonable to further clarify that the definition of a receiver > could be improved. > > I propose to change from: > > Event Receiver > An Event Receiver is an entity that receives SETs through some > distribution method. > > > To: > > Event Receiver > An Event Receiver is an entity that receives SETs through some > distribution method. An Event Receiver MAY be a different > > entity than that described by the “aud” claim. > > > Phil > > Oracle Corporation, Identity Cloud Services Architect > @independentid > www.independentid.com > phil.hunt@oracle.com > > On Oct 23, 2017, at 2:38 PM, Marius Scurtescu <mscurtescu@google.com> > wrote: > > I think "aud" is perfectly fine. > > IMO it should make no difference for the Transmitter that the event is > actually handled by an outsourced entity, the RP trusts that entity and the > event is generated and targeted to the RP and not to the current outsourced > processor. > > Marius > > On Mon, Oct 23, 2017 at 10:57 AM, Phil Hunt <phil.hunt@oracle.com> wrote: > >> >> All, >> >> I am reviewing the previous feedback from WGLC and will be bringing up >> any unresolved issues for quick discussion/confirmation… >> >> Following up on Marius and Henk’s comment, I am concerned that “aud” has >> a very specific meaning and is often tied to a security domain definition. >> We should not necessarily say this is the receiver though it often turns >> out to be. For example a RP (“aud”) has outsourced events processing to a >> third party (the so called receiver). >> >> I am happy with the current claim set, but maybe some text explaining >> that a receiver does not have to be the aud is appropriate? I don’t see >> any benefit to having a receiver claim as this could complicate processing >> more than its worth. >> >> There are a few other comments in this thread, but this one seemed the >> most unresolved. >> >> Phil >> >> >> On Aug 3, 2017, at 8:03 AM, Henk Birkholz <henk.birkholz@sit.fraunhofer. >> de> wrote: >> >> Hello, >> >> to me, the "audience" claim seems to be a good choice here. >> >> Viele Grüße, >> >> Henk >> >> On 08/02/2017 11:45 PM, Marius Scurtescu wrote: >> >> The abstract mentions "issuer" and "receiver" in the last sentence. >> "receiver" does not sound right (that should be used in the context of a >> transmitter), but I don't have a better suggestion. Audience? >> The last paragraph of section 1 mentions "subscriber". I think it should >> be either "receiver" or "audience". >> The explanation for figure 1 states that the issuer denotes the >> transmitter. If the issuer and the transmitter are assumed to be the same >> entity, then the transmitter definition in section 1.2 should make that >> clear. >> Figure 3, I think the "sub" claim should be nested in the event, next to >> the issuer that provides the correct context. The "iss" and "sub" >> definitions in 2.1 also touch on this, providing conflicting advice. >> Section 2,1, definition of "nbf". The definition says that this is the >> event time. I see two problems: >> - the name suggest "not before", not exactly the same as event time >> - there can be multiple events >> maybe this claim should be dropped? >> Section 2.1, definition of "exp". Omitting this claim is the short term >> solution to the confusion issue. Why not mention that and that it SHOULD >> NOT be used? >> Section 2.1, definition of "events". It states that all events must refer >> to the same logical event. Lately in discussions we reached the conclusion >> that all events in a SET should be defined in the same profile, which is a >> stronger requirement. I think this definition should mention that. >> Regarding events and profiles. There was a proposal to add a new claim to >> uniquely identify the profile. I think we need to discuss that. >> Figure 5. Maybe a signed example would be better, especially that the >> next paragraph mentions that signatures or encryption should be used. >> Section 4.5, second paragraph. Mentions that "nonce" is also required, >> but that is not actually true. Id Tokens issued at the token endpoint for >> example will not have it. I suggest we drop the whole paragraph. >> Marius >> On Mon, Jul 31, 2017 at 1:40 PM, Yaron Sheffer <yaronf.ietf@gmail.com < >> mailto:yaronf.ietf@gmail.com <yaronf.ietf@gmail.com>>> wrote: >> This is to announce working group last call on this draft >> (https://urldefense.proofpoint.com/v2/url?u=https-3A__ >> datatracker.ietf.org_doc_draft-2Dietf-2Dsecevent-2Dtoken_&d= >> DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5b >> iRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4 >> lvS7pQLXEZEWA2F1i7bfAuUY&s=9SIT98RlAb1C9Md1W54IRl6cxjlKfjqT99u5-Ojw4Fw&e= >> <https://urldefense.proofpoint.com/v2/url? >> u=https-3A__datatracker.ietf.org_doc_draft-2Dietf-2Dseceven >> t-2Dtoken_&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057 >> SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m= >> UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY&s=9SIT98RlAb1C9M >> d1W54IRl6cxjlKfjqT99u5-Ojw4Fw&e= >). >> Please send your comments to the list. Even if you are perfectly >> happy with the draft, please let us know that you support its >> publication as-is by posting to the list. >> Because of the summer holidays, this last call is open for 3 weeks, >> until Aug. 21. >> Thanks, >> Dick and Yaron >> _______________________________________________ >> Id-event mailing list >> Id-event@ietf.org <mailto:Id-event@ietf.org <Id-event@ietf.org>> >> https://urldefense.proofpoint.com/v2/url?u=https-3A__www. >> ietf.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCg >> aWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPE >> ivzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY&s= >> jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e= <https:// >> urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_ >> mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8P >> QcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe >> 4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY&s= >> jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e= > >> _______________________________________________ >> Id-event mailing list >> Id-event@ietf.org >> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.iet >> f.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCgaWHv >> lZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivz >> jWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuU >> Y&s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e= >> >> >> _______________________________________________ >> Id-event mailing list >> Id-event@ietf.org >> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.iet >> f.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCgaWHv >> lZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivz >> jWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuU >> Y&s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e= >> >> >> >> >> _______________________________________________ >> Id-event mailing list >> Id-event@ietf.org >> https://www.ietf.org/mailman/listinfo/id-event >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=qgzi6hIQUdXUCZu3X2lrQFAdGZO2O9szzwPah2M8LX0&s=kr9e2Ob_q0g5BinjBOLJAjrZeWIcrCNx9O1jax-Bs8o&e=> >> >> > >
- [Id-event] WG Last Call for draft-ietf-secevent-t… Yaron Sheffer
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Mike Jones
- Re: [Id-event] WG Last Call for draft-ietf-seceve… John Bradley
- Re: [Id-event] WG Last Call for draft-ietf-seceve… William Denniss
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Phil Hunt
- Re: [Id-event] WG Last Call for draft-ietf-seceve… M.Lizar@OCG
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Nat Sakimura
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Phil Hunt
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Adam Dawes
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Richard Backman, Annabelle
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Phil Hunt
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Richard Backman, Annabelle
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Phil Hunt
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Richard Backman, Annabelle
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Marius Scurtescu
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Henk Birkholz
- [Id-event] "aud" vs. receiver issue raised in WGLC Phil Hunt
- Re: [Id-event] "aud" vs. receiver issue raised in… Mike Jones
- Re: [Id-event] "aud" vs. receiver issue raised in… Marius Scurtescu
- Re: [Id-event] "aud" vs. receiver issue raised in… Phil Hunt
- Re: [Id-event] "aud" vs. receiver issue raised in… Marius Scurtescu
- Re: [Id-event] "aud" vs. receiver issue raised in… Phil Hunt
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Mike Jones
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Mike Jones
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Mike Jones
- Re: [Id-event] "aud" vs. receiver issue raised in… Marius Scurtescu
- Re: [Id-event] "aud" vs. receiver issue raised in… Phil Hunt (IDM)
- Re: [Id-event] "aud" vs. receiver issue raised in… Marius Scurtescu
- Re: [Id-event] "aud" vs. receiver issue raised in… Phil Hunt (IDM)
- Re: [Id-event] "aud" vs. receiver issue raised in… Mike Jones
- Re: [Id-event] "aud" vs. receiver issue raised in… Phil Hunt
- Re: [Id-event] WG Last Call for draft-ietf-seceve… Benjamin Kaduk
- Re: [Id-event] "aud" vs. receiver issue raised in… Mike Jones
- Re: [Id-event] "aud" vs. receiver issue raised in… Phil Hunt