IETF Logo Mail Archive

Re: [Id-event] "aud" vs. receiver issue raised in WGLC

Phil Hunt <phil.hunt@oracle.com> Mon, 23 October 2017 23:15 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0B7713AB3E for <id-event@ietfa.amsl.com>; Mon, 23 Oct 2017 16:15:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.971
X-Spam-Level:
X-Spam-Status: No, score=-1.971 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xqtwidSnrKIo for <id-event@ietfa.amsl.com>; Mon, 23 Oct 2017 16:15:16 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5566713A415 for <id-event@ietf.org>; Mon, 23 Oct 2017 16:15:16 -0700 (PDT)
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v9NNFEtT023442 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 23 Oct 2017 23:15:14 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id v9NNFDvF010241 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 23 Oct 2017 23:15:14 GMT
Received: from abhmp0001.oracle.com (abhmp0001.oracle.com [141.146.116.7]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v9NNFDId017224; Mon, 23 Oct 2017 23:15:13 GMT
Received: from [192.168.1.23] (/70.70.142.148) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 23 Oct 2017 16:15:13 -0700
From: Phil Hunt <phil.hunt@oracle.com>
Message-Id: <5FF78162-D0FF-4742-90BF-9A12BA299D06@oracle.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E1C8445F-0968-490B-B79B-B78E8D13A936"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Mon, 23 Oct 2017 16:15:11 -0700
In-Reply-To: <CAGdjJpJtP7w-wL3Pj=QODOjc9m15z0Ssd+8bwxX684c-t1bbiQ@mail.gmail.com>
Cc: ID Events Mailing List <id-event@ietf.org>
To: Marius Scurtescu <mscurtescu@google.com>
References: <e6649728-f94a-93f5-9885-c948a5b0ed49@gmail.com> <CAGdjJpJtfV9q2iaL-uao1b7XpQjx5uJrX=fnoM36POXLFYrqow@mail.gmail.com> <fa06137b-516f-4a57-8ed5-08cd2cc63af6@sit.fraunhofer.de> <71FA69AE-F8F6-45AB-9550-36BC9395DE32@gmail.com> <684D9C6F-C59A-4850-9A1B-24A026278A62@oracle.com> <CAGdjJpLYxzUqOGxZ9oTLiCzZAwffTEqjxBYNtZO09nF6RnzOAA@mail.gmail.com> <7DAF5B83-F6DB-4015-A011-AB6E13C46B81@oracle.com> <CAGdjJpJtP7w-wL3Pj=QODOjc9m15z0Ssd+8bwxX684c-t1bbiQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3273)
X-Source-IP: aserv0021.oracle.com [141.146.126.233]
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/l_PcX92wdDTxAeh2_efjYaWMzsQ>
Subject: Re: [Id-event] "aud" vs. receiver issue raised in WGLC
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Oct 2017 23:15:19 -0000

It’s quite relevant to those with distributed architectures.

If an Event Stream requires that SETs need to be encrypted (using JWE), the SETs needs to be encrypted so the “receiver" can read it.  Regardless, “aud” should be interpreted by the traditional JWT method which suggests the security domain the event is for.  For example, a web site relying party does not have the capability to process (or issue) events itself (eg. because of a distributed architecture). The relying party assigns another entity the role of Event Receiver (or Transmitter).  

The problem being that If the “set” is encrypted for “aud” then only the “aud” entity can read the SET which will make it impossible to for another server to handle or worse, it would require sharing of private keys. 

Phil

Oracle Corporation, Identity Cloud Services Architect
@independentid
www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
> On Oct 23, 2017, at 3:58 PM, Marius Scurtescu <mscurtescu@google.com> wrote:
> 
> I think "aud" should point to the Receiver, the outsourcing is irrelevant.
> 
> Nothing needs to change here IMO.
> 
> Marius
> 
> On Mon, Oct 23, 2017 at 3:55 PM, Phil Hunt <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote:
> It seems reasonable to further clarify that the definition of a receiver could be improved.
> 
> I propose to change from:
>    Event Receiver
>       An Event Receiver is an entity that receives SETs through some
>       distribution method.
> 
> To:
>    Event Receiver
>       An Event Receiver is an entity that receives SETs through some
>       distribution method. An Event Receiver MAY be a different
>       entity than that described by the “aud” claim.
> 
> Phil
> 
> Oracle Corporation, Identity Cloud Services Architect
> @independentid
> www.independentid.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.independentid.com&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=fDB9pNmWNg5BPXoRtaXXB1Iz_tq5wICJLi5itJHRai0&s=Ee7RsPFKzheWNvOz1Ut9gCvs_2bw0DE6GEeg-S0KMyE&e=>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
> 
>> On Oct 23, 2017, at 2:38 PM, Marius Scurtescu <mscurtescu@google.com <mailto:mscurtescu@google.com>> wrote:
>> 
>> I think "aud" is perfectly fine.
>> 
>> IMO it should make no difference for the Transmitter that the event is actually handled by an outsourced entity, the RP trusts that entity and the event is generated and targeted to the RP and not to the current outsourced processor.
>> 
>> Marius
>> 
>> On Mon, Oct 23, 2017 at 10:57 AM, Phil Hunt <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote:
>> 
>> All,
>> 
>> I am reviewing the previous feedback from WGLC and will be bringing up any unresolved issues for quick discussion/confirmation…
>> 
>> Following up on Marius and Henk’s comment, I am concerned that “aud” has a very specific meaning and is often tied to a security domain definition. We should not necessarily say this is the receiver though it often turns out to be. For example a RP (“aud”) has outsourced events processing to a third party (the so called receiver).
>> 
>> I am happy with the current claim set, but maybe some text explaining that a receiver does not have to be the aud is appropriate?  I don’t see any benefit to having a receiver claim as this could complicate processing more than its worth.
>> 
>> There are a few other comments in this thread, but this one seemed the most unresolved.
>> 
>> Phil
>> 
>> 
>>> On Aug 3, 2017, at 8:03 AM, Henk Birkholz <henk.birkholz@sit.fraunhofer.de <mailto:henk.birkholz@sit.fraunhofer.de>> wrote:
>>> 
>>> Hello,
>>> 
>>> to me, the "audience" claim seems to be a good choice here.
>>> 
>>> Viele Grüße,
>>> 
>>> Henk
>>> 
>>> On 08/02/2017 11:45 PM, Marius Scurtescu wrote:
>>>> The abstract mentions "issuer" and "receiver" in the last sentence. "receiver" does not sound right (that should be used in the context of a transmitter), but I don't have a better suggestion. Audience?
>>>> The last paragraph of section 1 mentions "subscriber". I think it should be either "receiver" or "audience".
>>>> The explanation for figure 1 states that the issuer denotes the transmitter. If the issuer and the transmitter are assumed to be the same entity, then the transmitter definition in section 1.2 should make that clear.
>>>> Figure 3, I think the "sub" claim should be nested in the event, next to the issuer that provides the correct context. The "iss" and "sub" definitions in 2.1 also touch on this, providing conflicting advice.
>>>> Section 2,1, definition of "nbf". The definition says that this is the event time. I see two problems:
>>>> - the name suggest "not before", not exactly the same as event time
>>>> - there can be multiple events
>>>> maybe this claim should be dropped?
>>>> Section 2.1, definition of "exp". Omitting this claim is the short term solution to the confusion issue. Why not mention that and that it SHOULD NOT be used?
>>>> Section 2.1, definition of "events". It states that all events must refer to the same logical event. Lately in discussions we reached the conclusion that all events in a SET should be defined in the same profile, which is a stronger requirement. I think this definition should mention that.
>>>> Regarding events and profiles. There was a proposal to add a new claim to uniquely identify the profile. I think we need to discuss that.
>>>> Figure 5. Maybe a signed example would be better, especially that the next paragraph mentions that signatures or encryption should be used.
>>>> Section 4.5, second paragraph. Mentions that "nonce" is also required, but that is not actually true. Id Tokens issued at the token endpoint for example will not have it. I suggest we drop the whole paragraph.
>>>> Marius
>>>> On Mon, Jul 31, 2017 at 1:40 PM, Yaron Sheffer <yaronf.ietf@gmail.com <mailto:yaronf.ietf@gmail.com> <mailto:yaronf.ietf@gmail.com <mailto:yaronf.ietf@gmail.com>>> wrote:
>>>>    This is to announce working group last call on this draft
>>>>    (https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dietf-2Dsecevent-2Dtoken_&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY&s=9SIT98RlAb1C9Md1W54IRl6cxjlKfjqT99u5-Ojw4Fw&e= <https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dietf-2Dsecevent-2Dtoken_&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY&s=9SIT98RlAb1C9Md1W54IRl6cxjlKfjqT99u5-Ojw4Fw&e=>     <https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dietf-2Dsecevent-2Dtoken_&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY&s=9SIT98RlAb1C9Md1W54IRl6cxjlKfjqT99u5-Ojw4Fw&e= <https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dietf-2Dsecevent-2Dtoken_&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY&s=9SIT98RlAb1C9Md1W54IRl6cxjlKfjqT99u5-Ojw4Fw&e=> >).
>>>>    Please send your comments to the list. Even if you are perfectly
>>>>    happy with the draft, please let us know that you support its
>>>>    publication as-is by posting to the list.
>>>>    Because of the summer holidays, this last call is open for 3 weeks,
>>>>    until Aug. 21.
>>>>    Thanks,
>>>>         Dick and Yaron
>>>>    _______________________________________________
>>>>    Id-event mailing list
>>>>    Id-event@ietf.org <mailto:Id-event@ietf.org> <mailto:Id-event@ietf.org <mailto:Id-event@ietf.org>>
>>>>    https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY&s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e= <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY&s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e=>     <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY&s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e= <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY&s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e=> >
>>>> _______________________________________________
>>>> Id-event mailing list
>>>> Id-event@ietf.org <mailto:Id-event@ietf.org>
>>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY&s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e= <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY&s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e=> 
>>> 
>>> _______________________________________________
>>> Id-event mailing list
>>> Id-event@ietf.org <mailto:Id-event@ietf.org>
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY&s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e= <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=UUydIFEV9SQ_lw_LNE4lvS7pQLXEZEWA2F1i7bfAuUY&s=jX1QgcFI8umtt8pEkthXa3uL_TsJINLVTXORUpSDnvA&e=>
>> 
>> 
>> _______________________________________________
>> Id-event mailing list
>> Id-event@ietf.org <mailto:Id-event@ietf.org>
>> https://www.ietf.org/mailman/listinfo/id-event <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=qgzi6hIQUdXUCZu3X2lrQFAdGZO2O9szzwPah2M8LX0&s=kr9e2Ob_q0g5BinjBOLJAjrZeWIcrCNx9O1jax-Bs8o&e=>
>> 
>> 
> 
> 
> _______________________________________________
> Id-event mailing list
> Id-event@ietf.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=fDB9pNmWNg5BPXoRtaXXB1Iz_tq5wICJLi5itJHRai0&s=7M0OleTd4BpCbNMHkA9Vif8ucznK2XkdYp7wB0zI3N0&e=

v2.23.0 | Report a Bug | By Email