IETF Logo Mail Archive

Re: [Id-event] WG Last Call for draft-ietf-secevent-token-02

"Richard Backman, Annabelle" <richanna@amazon.com> Wed, 02 August 2017 21:17 UTC

Return-Path: <prvs=380bd80d9=richanna@amazon.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DD4A13217F for <id-event@ietfa.amsl.com>; Wed, 2 Aug 2017 14:17:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -12.61
X-Spam-Level:
X-Spam-Status: No, score=-12.61 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-2.8, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ovmGTQpO0vZK for <id-event@ietfa.amsl.com>; Wed, 2 Aug 2017 14:17:53 -0700 (PDT)
Received: from smtp-fw-6001.amazon.com (smtp-fw-6001.amazon.com [52.95.48.154]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E1F6132177 for <id-event@ietf.org>; Wed, 2 Aug 2017 14:17:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1501708673; x=1533244673; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=tq7LUaILf55gleP77qWtjFC8N24pMvddJ0HN7gytHUI=; b=oDDR0bd6SibndcIkGAXWtruVWyk5vKDq3MDjMct5XSLRLlG37Sfp2Kn0 FiHrSeizQBX+StaqXVUIBHtobwA6cEjIdmSoHiIMiLMK78qirRfBtwWQ7 26gXMi7E8m3M9vipp5/hj/QxhH3fY8Eqmm9w6dNsgrNhwNy1LHiKXbA5t o=;
X-IronPort-AV: E=Sophos;i="5.41,313,1498521600"; d="scan'208,217";a="302325772"
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-64015.pdx4.amazon.com) ([10.43.8.6]) by smtp-border-fw-out-6001.iad6.amazon.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 02 Aug 2017 21:17:41 +0000
Received: from EX13MTAUWC001.ant.amazon.com (pdx1-ws-svc-p6-lb9-vlan3.pdx.amazon.com [10.236.137.198]) by email-inbound-relay-64015.pdx4.amazon.com (8.14.7/8.14.7) with ESMTP id v72LHeXd013636 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 2 Aug 2017 21:17:40 GMT
Received: from EX13D11UWC001.ant.amazon.com (10.43.162.151) by EX13MTAUWC001.ant.amazon.com (10.43.162.135) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Wed, 2 Aug 2017 21:17:40 +0000
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13D11UWC001.ant.amazon.com (10.43.162.151) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Wed, 2 Aug 2017 21:17:40 +0000
Received: from EX13D11UWC004.ant.amazon.com ([10.43.162.101]) by EX13D11UWC004.ant.amazon.com ([10.43.162.101]) with mapi id 15.00.1104.000; Wed, 2 Aug 2017 21:17:39 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Phil Hunt <phil.hunt@oracle.com>
CC: SecEvent <id-event@ietf.org>
Thread-Topic: [Id-event] WG Last Call for draft-ietf-secevent-token-02
Thread-Index: AQHTCj1Svuqk/S3glU+hjDHhS1RL1KJuaayAgAFFQACAAUW3gIAAgFUA//+TeQCAAHkUgP//njGA
Date: Wed, 02 Aug 2017 21:17:39 +0000
Message-ID: <6420C01C-080D-4EFC-B2DD-12688D0F7A69@amazon.com>
References: <e6649728-f94a-93f5-9885-c948a5b0ed49@gmail.com> <CY4PR21MB0504DEA69A048EADE122995DF5B20@CY4PR21MB0504.namprd21.prod.outlook.com> <D263DE2D-48F7-4AF5-B96F-B83AAED779F6@openconsentgroup.com> <72B8E7CA-3EB6-4194-BB77-CD46062FDFB7@amazon.com> <F2964484-9D65-43E8-80EE-02013B128DFE@oracle.com> <8FD5EE05-408D-4B4F-87BF-A1521EF6E66B@amazon.com> <617FC90D-F8B2-44B5-BF61-4B569C942246@oracle.com>
In-Reply-To: <617FC90D-F8B2-44B5-BF61-4B569C942246@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.23.0.170610
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.161.180]
Content-Type: multipart/alternative; boundary="_000_6420C01C080D4EFCB2DD12688D0F7A69amazoncom_"
MIME-Version: 1.0
Precedence: Bulk
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/nhBpUUyxE_Uz6_3U_crgSbMsCxI>
Subject: Re: [Id-event] WG Last Call for draft-ietf-secevent-token-02
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Aug 2017 21:17:56 -0000

Let me restate the iss/sub related items, starting with item 2…

Consider a hypothetical profiling specification where the subject’s issuer is always the audience for the token (e.g. an RP sending events back to an IdP, using the IdP’s own subject identifiers). The draft as written prohibits the profiling specification from simply stating “the subject issuer is the value of the aud claim” and requires that it instead duplicate the aud value in an “iss” attribute in its event payloads. I don’t recall this being the consensus.

Item 4 is an attempt to insure that how the subject for any given event is represented in the token is defined *somewhere*. Feel free to ignore the 2nd sentence of my suggested text (“It is NOT RECOMMENDED for Profiling Specifications…”) if there is disagreement on that recommendation; it’s the first sentence that’s important. As it stands, the draft defines Subject in section 1.2, but makes no comment on how Subject is represented aside from that it might be in the sub claim, and profiling specifications that use sub should declare semantics. My suggestion is to require that profile specifications declare how they represent the subject of their events, however they choose to do it.

--
Annabelle Richard Backman

From: Phil Hunt <phil.hunt@oracle.com>
Date: Wednesday, August 2, 2017 at 1:07 PM
To: "Richard Backman, Annabelle" <richanna@amazon.com>
Cc: SecEvent <id-event@ietf.org>
Subject: Re: [Id-event] WG Last Call for draft-ietf-secevent-token-02

Annabelle,

You are correct #1 isn’t really controversial.

I would look at the minutes of Chicago (see Mike’s presentation) and then the intervening discussing prior to Prague.

I’ve made my concerns clear so I won’t bother repeating them. Your comments suggest some remaining disagreement on what should be in the common SET Token spec vs down stream event profiles. E.g. some have expressed that SET’s job is simply to define the event claim and nothing more.

Phil

Oracle Corporation, Identity Cloud Services Architect & Standards
@independentid
www.independentid.com<http://www.independentid.com>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>

On Aug 2, 2017, at 12:54 PM, Richard Backman, Annabelle <richanna@amazon.com<mailto:richanna@amazon.com>> wrote:

Phil,

Can you be more specific about which items have been discussed and what the consensus was? Items 2 and 4 touch on the issuer mismatch matter, but are about clarifying requirements for profiling specifications and so far as I can tell are aligned with the intentions of the current text regarding the handling and interpretation of the “sub” and “iss” claims. Similarly item 6 addresses a profiling specification requirement related to the JWT confusion issue, and does not deviate from the WG consensus as I understand it.

Item 1, I should hope, is uncontroversial. ☺

--
Annabelle Richard Backman
Identity Services


From: Id-event <id-event-bounces@ietf.org<mailto:id-event-bounces@ietf.org>> on behalf of Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>>
Date: Wednesday, August 2, 2017 at 12:22 PM
To: "Richard Backman, Annabelle" <richanna@amazon.com<mailto:richanna@amazon.com>>
Cc: SecEvent <id-event@ietf.org<mailto:id-event@ietf.org>>
Subject: Re: [Id-event] WG Last Call for draft-ietf-secevent-token-02

Annabelle,

Thanks for the comments. Many of these items have been discussed at length but many members strongly want to leave as is.  I’ll await further group discussion.

Re: item 5 - I think I need to re-write that based on feedback from Nat and Marius.  Stay tuned.

Some of these items are also being discussed in the new JWT BCP document.  Maybe we should hold the SET Token spec so we can refer to the BCP and publish together?  That said, I know many want this finalized ASAP.

Phil

Oracle Corporation, Identity Cloud Services Architect & Standards
@independentid
www.independentid.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.independentid.com_&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=dr8DHRQ7TCuwn3QgnXZDcyuP9gE-wrdKUmrJ-MSlw5g&s=GVYabcbdptKpdVyAGGSN7wwhQaoUuIbYv3g0_vTWp4o&e=>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>

On Aug 2, 2017, at 11:43 AM, Richard Backman, Annabelle <richanna@amazon.com<mailto:richanna@amazon.com>> wrote:

Thanks for all the work on this! It was my understanding that there was an open item from Prague regarding whether to explicitly declare the events’ profiling specification in the SET. Has this been discussed further, or do we still need to close on it?

I have several comments/questions on the current draft:


  1.  “Profile Specification” vs. “Profiling Specification”
There are a handful of instances of the former that need to be changed to the latter, to match the term as defined in section 1.2:

     *   In the “sub” definition in section 1.2
     *   In section 3
     *   In section 4.2

  1.  Note regarding Subject Issuer vs. SET Issuer
The note regarding the potential for Subject and SET Issuer mismatch (in the “iss” definition in section 1.2) is I think more prescriptive than intended. As written, it mandates placing the Subject’s Issuer in an “iss” value within the event payload, but does not define a format or structure for this value. The logical format – that of the “iss” JWT claim – may or may not be appropriate, depending on the nature of the event and its Subject. I suggest removing this note and covering this concern elsewhere (see #4 below, re: Subject Identification).



  2.  Explicit Typing of SETs
I suggest removing the text “if the SET could be used in an application context in which it could be confused with other kinds of JWTs” from the first paragraph of section 2.2, making the secevent+jwt typ header mandatory to implement for all SETs. This conditional is impossible to evaluate, as new types of JWTs will be introduced over time. Just considering existing JWTs, it is a lot to ask for Profiling Spec authors to fully examine the contents and usage of every existing JWT. Mandating use of typ for SETs takes this load off of Profiling Spec authors and insures that future specs have a consistent, reliable way to defend against JWT type confusion.



  3.  Requirements for SET Profiles: Subject Identification
I suggest adding text along the lines of “Profiling Specifications MUST define for each of their events how the Subject is identified in the SET, as well as how to address conflicts the event Subject’s Issuer and the SET Issuer if applicable. It is NOT RECOMMENDED for Profiling Specifications to use the “sub” claim in cases where the Subject is not globally unique and has a different Issuer from the SET itself.”



  4.  Guidance for Signing SETs
The text in the last paragraph of section 4.1 is unclear to me. It seems to suggest that it is safe to send unsigned JWTs over a channel that lacks transport-layer security, so long as requests include a bearer token or use Basic Authentication. Am I misreading this? It seems counter to the guidance given earlier in the same section.



  5.  Distinguishing SETs from other kinds of JWTs
The last sentence of the first paragraph of section 4.7 seems impossible to me. Profiling Specifications cannot be solely responsible for ensuring incompatibility with all future JWT profiles. They can at best ensure incompatibility with existing JWT profiles and be compatible with a standard mechanism by which future JWT profiles may ensure incompatibility (e.g. the “secevent+jwt” typ header). It may be enough to strike the “(or other)” text from this sentence.




--
Annabelle Richard Backman
Identity Services


From: Id-event <id-event-bounces@ietf.org<mailto:id-event-bounces@ietf.org>> on behalf of "M.Lizar@OCG" <m.lizar@openconsentgroup.com<mailto:m.lizar@openconsentgroup.com>>
Date: Tuesday, August 1, 2017 at 9:17 AM
To: Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>>, SecEvent <id-event@ietf.org<mailto:id-event@ietf.org>>
Subject: Re: [Id-event] WG Last Call for draft-ietf-secevent-token-02

+1 on existing text .

Agree the document is ready to publish

- Mark

On 31 Jul 2017, at 16:53, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:

I believe that the specification is ready to publish as-is.  It already meets the needs of the known use cases and is in production use.

                                                                -- Mike

From: Id-event [mailto:id-event-bounces@ietf.org] On Behalf Of Yaron Sheffer
Sent: Monday, July 31, 2017 1:40 PM
To: SecEvent <id-event@ietf.org<mailto:id-event@ietf.org>>
Subject: [Id-event] WG Last Call for draft-ietf-secevent-token-02

This is to announce working group last call on this draft (https://datatracker.ietf.org/doc/draft-ietf-secevent-token/<https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dietf-2Dsecevent-2Dtoken_&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=FztSyO9IdR2ly2Cwmu1RhMdXDKw1epjGp_4pel_o_pg&s=NcFFmLZ6aFDT27EoSTD7rkP2m2nktWqgSd3_CPep8Uw&e=>).

Please send your comments to the list. Even if you are perfectly happy with the draft, please let us know that you support its publication as-is by posting to the list.

Because of the summer holidays, this last call is open for 3 weeks, until Aug. 21.

Thanks,
    Dick and Yaron
_______________________________________________
Id-event mailing list
Id-event@ietf.org<mailto:Id-event@ietf.org>
https://www.ietf.org/mailman/listinfo/id-event<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=FztSyO9IdR2ly2Cwmu1RhMdXDKw1epjGp_4pel_o_pg&s=YwxW95s5oIBrBLkfuiMUIYuzFIcdnVa8Bn1zvZ4Uurc&e=>




_______________________________________________
Id-event mailing list
Id-event@ietf.org<mailto:Id-event@ietf.org>
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=FztSyO9IdR2ly2Cwmu1RhMdXDKw1epjGp_4pel_o_pg&s=YwxW95s5oIBrBLkfuiMUIYuzFIcdnVa8Bn1zvZ4Uurc&e=

v2.23.0 | Report a Bug | By Email