Re: [Id-event] [UNVERIFIED SENDER] Re: Subject Identifiers - Working Group Last Call

"Richard Backman, Annabelle" <richanna@amazon.com> Mon, 14 June 2021 23:30 UTC

From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
CC: Roman Danyliw <rdd@cert.org>, Marius Scurtescu <marius.scurtescu@coinbase.com>, SecEvent <id-event@ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 14 Jun 2021 23:30:24 +0000
Message-ID: <3973D651-4737-488D-BF91-38C3A1B36770@amazon.com>
References: <CAD9ie-uSbNHq=Mt3ohA=URf5rv2hz7YUdUMhOf80C_f=XBrGLA@mail.gmail.com> <36D66A89-D178-6047-B270-73AD540E7FAD@hxcore.ol> <9D6C9473-5C24-41E0-89EA-2C1E0D616876@amazon.com> <B74CF773-7D33-4E78-86B9-9CD03E1E84F5@gmail.com>
In-Reply-To: <B74CF773-7D33-4E78-86B9-9CD03E1E84F5@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/k_uKJBMmQf4ykQY8RfgwNGt7y7o>
Subject: Re: [Id-event] [UNVERIFIED SENDER] Re: Subject Identifiers - Working Group Last Call

Maybe change the “sub” to “liz@example.com” so that readers will understand this is the same person?

That's…such a simple change that would make it much clearer. Brilliant. 😀

—
Annabelle Backman (she/her)
richanna@amazon.com




On Jun 13, 2021, at 5:56 AM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:


Hi Annabelle,

I totally accept your two examples, and I suggest you consider including them in the text. But Fig. 14 (quoted below in full) does not clarify this intent IMO.

Existing Fig. 14:

  {
     "iss": "issuer.example.com",
     "sub": "user@example.com",
     "sub_id": {
       "format": "email",
       "email": "elizabeth@example.com"
     }
  }

Maybe change the “sub” to “liz@example.com” so that readers will understand this is the same person?

Thanks,
                Yaron

From: "Richard Backman, Annabelle" <richanna@amazon.com>
Date: Saturday, June 12, 2021 at 01:26
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: Dick Hardt <dick.hardt@gmail.com>, SecEvent <id-event@ietf.org>, Roman Danyliw <rdd@cert.org>, Marius Scurtescu <marius.scurtescu@coinbase.com>
Subject: Re: [UNVERIFIED SENDER] Re: Subject Identifiers - Working Group Last Call

Sorry for the delayed response!

Section 4.1 requires that both `sub` and `sub_id` claims identify the same subject. The only way to enforce that programmatically would be to require them to have the same value. Since the existing `sub` claim is unformatted and generally unconstrained, I don't see how we could do that. Here are a couple of examples of cases where that breaks down:


  1.  I have been using phone numbers for `sub`, but have been omitting country codes because I only operate in the US. I want to migrate to `sub_id`, but the "phone_number" format requires me to prefix my identifiers with "+1".
  2.  I'm a client of an IdP, and use the IdP's subject identifier in JWTs sent back to the IdP. To work around the fact that `sub` is a single scalar string, I concatenate the IdP issuer and subject together with a "#", and use that as the `sub` in my tokens, with my issuer as the `iss`. I want to switch to using `sub_id`, using the `iss_sub` format, so the JWT can have my issuer, but the subject can have the IdP's issuer.

—
Annabelle Backman (she/her)
richanna@amazon.com




On May 27, 2021, at 5:46 AM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:


Thank you Dick and the authors.

With my co-chair hat off, I support progressing this document. I also have a couple comments:

3.2.2: The text refers twice to "alias" subject IDs, but the format is now named "aliases".

Fig. 14 seems to be in conflict with the requirement to have a single subject for the JWT ("a JWT has one and only one JWT Subject"). Yes, maybe Elizabeth has a second email address, but we cannot assume that applications have this kind of logic. Similarly, the subject-related discussion in Sec. 4.2 (which is arguably a bit vague) as well as Fig. 18 seems to allow two different subjects within the JWT.

Thanks,
                Yaron

From: Dick Hardt <dick.hardt@gmail.com>
Date: Wednesday, May 26, 2021 at 23:22
To: SecEvent <id-event@ietf.org>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com>, Richard Backman, Annabelle <richanna=40amazon.com@dmarc.ietf.org>, Roman Danyliw <rdd@cert.org>, Marius Scurtescu <marius.scurtescu@coinbase.com>
Subject: Subject Identifiers - Working Group Last Call
Hello WG

Thanks to Annabelle (and Marius) for the latest update:

https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers-08

Yaron and I would like to make another working group last call on this draft. We are hopeful there will be enough feedback on this draft from people that have reviewed it for us to recommend the draft progressing to the next step.

Please review and respond if you are supportive of this draft, and if you are not supportive, please clarify your concerns.

Dick and Yaron


_______________________________________________
Id-event mailing list
Id-event@ietf.org
https://www.ietf.org/mailman/listinfo/id-event
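The two migration cases Annabelle describes in the quoted thread (a US phone number stored without its country code, and an IdP issuer and subject concatenated with "#"), together with the Fig. 14 example Yaron objects to, worked through as an added example in Python. This code is not part of the thread or of the draft: the sample claim sets are constructed, the rule names `us_local_phone`, `iss_hash_sub` and `email` are assumed deployment-specific conventions rather than anything the draft defines, and the `iss_sub` format with `iss` and `sub` members is used as the thread names it. It shows why plain string equality between `sub` and `sub_id` cannot be mandated, and that only the issuer that minted the legacy `sub` can supply the translation that makes a format-aware comparison possible.

```python
import re
from typing import Dict, Optional

# Added example, not code from the draft or the thread. The claim sets below
# are constructed to mirror the two cases in the thread plus Fig. 14.
SubjectId = Dict[str, str]

# Legacy `sub`: a US number written without a country code, while the
# "phone_number" sub_id format requires E.164 (leading "+1").
CASE_LOCAL_PHONE = {
    "iss": "https://issuer.example",
    "sub": "(206) 555-0100",
    "sub_id": {"format": "phone_number", "phone_number": "+12065550100"},
}

# Legacy `sub`: the IdP's issuer and subject joined with "#", while the
# "iss_sub" sub_id format carries them as separate members.
CASE_ISS_HASH_SUB = {
    "iss": "https://client.example",
    "sub": "https://idp.example#abc123",
    "sub_id": {"format": "iss_sub", "iss": "https://idp.example", "sub": "abc123"},
}

# Fig. 14 as quoted in the thread: two different addresses that may or may
# not belong to the same person; no local rule can decide that.
CASE_FIG14 = {
    "iss": "issuer.example.com",
    "sub": "user@example.com",
    "sub_id": {"format": "email", "email": "elizabeth@example.com"},
}


def naive_same_subject(claims: dict) -> bool:
    """The only check a spec could mandate: `sub` equals the sub_id's identifier.

    Only formats with a single member named after the format (email,
    phone_number) can ever match; iss_sub has no such member.
    """
    sub_id = claims["sub_id"]
    return sub_id.get(sub_id["format"]) == claims["sub"]


def legacy_sub_to_sub_id(sub: str, rule: str) -> Optional[SubjectId]:
    """Translate a legacy scalar `sub` into a Subject Identifier object.

    `rule` names a deployment-specific convention (an assumption of this
    example): only the issuer that minted the legacy `sub` knows which applies.
    """
    if rule == "us_local_phone":
        digits = re.sub(r"\D", "", sub)
        if len(digits) == 10:                       # local number: add +1
            return {"format": "phone_number", "phone_number": "+1" + digits}
        if len(digits) == 11 and digits[0] == "1":  # country code already present
            return {"format": "phone_number", "phone_number": "+" + digits}
        return None
    if rule == "iss_hash_sub":
        iss, sep, subject = sub.partition("#")
        if not sep or not iss or not subject:
            return None
        return {"format": "iss_sub", "iss": iss, "sub": subject}
    if rule == "email":
        return {"format": "email", "email": sub}
    return None


def same_subject(claims: dict, rule: str) -> bool:
    """Format-aware check using the deployment's own translation rule.

    False when the rule cannot translate `sub`, or when the translated object
    differs from `sub_id` in any member.
    """
    translated = legacy_sub_to_sub_id(claims["sub"], rule)
    return translated is not None and translated == claims["sub_id"]


if __name__ == "__main__":
    for name, claims, rule in [
        ("local phone", CASE_LOCAL_PHONE, "us_local_phone"),
        ("iss#sub", CASE_ISS_HASH_SUB, "iss_hash_sub"),
        ("Fig. 14", CASE_FIG14, "email"),
    ]:
        print(f"{name:12} naive={naive_same_subject(claims)!s:5} "
              f"format-aware={same_subject(claims, rule)}")
```

The naive check fails for all three cases. The format-aware check succeeds for the two migration cases only because the deployment supplied its own rule, and it still fails for Fig. 14, where the two addresses can only be linked by knowledge the JWT does not carry; a consumer that needs a single subject has to treat such a token as ambiguous rather than pick one claim.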