Re: [Id-event] AD review of draft-ietf-secevent-http-push-07

Mike Jones <Michael.Jones@microsoft.com> Sat, 25 April 2020 02:12 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Benjamin Kaduk <kaduk@mit.edu>, "richanna@amazon.com" <richanna@amazon.com>
CC: "draft-ietf-secevent-http-push.all@ietf.org" <draft-ietf-secevent-http-push.all@ietf.org>, "id-event@ietf.org" <id-event@ietf.org>
Date: Sat, 25 Apr 2020 02:12:19 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/vPfF5-MUBGord2VO8u_xw7e6Kfk>

These suggestions make sense to me.  Do you want to do these Annabelle, or would you like me to?  If I do it, it will probably be early next week.

				Thanks all,
				-- Mike

-----Original Message-----
From: Benjamin Kaduk <kaduk@mit.edu> 
Sent: Friday, April 24, 2020 5:44 PM
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: draft-ietf-secevent-http-push.all@ietf.org; id-event@ietf.org
Subject: Re: [Id-event] AD review of draft-ietf-secevent-http-push-07

Hi Mike,

My apologies for yet another long delay.  I'll trim the bits that are in good shape (nearly all of them!).

I also took another look at the "diff" (manually, that is) between push and poll, and found a few things in poll that should probably be here as well.

Section 1 should get the sentence "How SETs are defined and the process by which security events are identified for SET Recipients are specified in [RFC8417]."

In the thread for -poll we said that Section 5.3 of this document would get a s/e.g., subject claims/PII/ to match, but that doesn't seem to have happened yet.

The poll Privacy Considerations have a note at the start of the section about "SET Transmitters SHOULD attempt to deliver SETs that are targeted to the specific business and protocol needs of subscribers"; would a similar note make sense for us?

On Fri, Feb 07, 2020 at 05:17:12PM +0000, Mike Jones wrote:
> draft-ietf-secevent-http-push-08 <https://tools.ietf.org/html/draft-ietf-secevent-http-push-08> was published to address these review comments.  (-09 <https://tools.ietf.org/html/draft-ietf-secevent-http-push-09> addressed additional editorial nits.)  Descriptions of the changes made for these comments are inline, prefixed by "Mike>".
> 
> -----Original Message-----
> From: Id-event <id-event-bounces@ietf.org> On Behalf Of Benjamin Kaduk
> Sent: Tuesday, December 10, 2019 4:36 PM
> To: draft-ietf-secevent-http-push.all@ietf.org
> Cc: id-event@ietf.org
> Subject: [Id-event] AD review of draft-ietf-secevent-http-push-07
> 
> Section 5
> 
> I want to see how the discussion goes on poll's "Access Token Considerations" first, but we may want something like that as well.
> 
> Mike> Yes, it makes sense to do that

Since we no longer explicitly mention WWW-Authenticate in this document I won't insist on copying the Access Token Considerations over, but it could still be useful to do so.

> Section 5.2
> 
> RFC 6125 is great and I'm glad we're referencing it, but it does leave a couple of gaps to be specified for a full picture of application usage.
> 
> Specifically, we should say what name from the certificate we validate (and, ideally, how the application knows what name it is expecting to see in that name field in the certificate).  Most applications these days will be using the DNS-ID, and perhaps something about wildcards and/or revocation info.  The last time I was making this comment on a document I pointed to RFC 8461 as a potential example to crib from, at least in terms of the types of things to talk about.
> 
> Mike> I added DNS-ID.

The DNS-ID is the part of the certificate that we compare a name against, but a comparison requires having two things -- since recipients are already configured, can't we say that the expected name will be configured as well?

Thanks for all the updates!

-Ben
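The DNS-ID point in Ben's last comment, worked through as an added example that is not part of this thread or of draft-ietf-secevent-http-push: a SET Transmitter that is configured with a recipient's delivery endpoint also stores the name it expects to find in that recipient's server certificate, and compares the certificate's dNSName entries against that configured reference identifier rather than against anything the peer sends. The `RecipientConfig` shape, the function names and the certificate dictionaries are assumptions for illustration; the matching rules follow RFC 6125 section 6.4.3 in the conservative form most TLS stacks implement (a wildcard only as the whole left-most label, no Common Name fallback).

```python
"""RFC 6125 DNS-ID check for a configured SET Recipient (added illustration).

The expected name is part of the transmitter's per-recipient configuration,
next to the delivery endpoint; the presented names come from the server
certificate's subjectAltName. The RecipientConfig shape, the function names
and the certificate dicts below are assumptions for illustration, not
anything defined by draft-ietf-secevent-http-push.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit
import socket
import ssl


@dataclass(frozen=True)
class RecipientConfig:
    endpoint_url: str      # where the transmitter POSTs SETs
    expected_dns_id: str   # reference identifier the server certificate must carry


def dns_id_matches(reference: str, presented: str) -> bool:
    """Compare one presented dNSName against the configured reference identifier.

    Conservative reading of RFC 6125 section 6.4.3, as most TLS stacks apply it:
      * case-insensitive, label by label, trailing dot ignored;
      * a wildcard is accepted only as the entire left-most label and stands for
        exactly one label: '*.events.example.net' covers 'a.events.example.net'
        but not 'events.example.net' or 'x.y.events.example.net';
      * partial-label wildcards ('pu*.example.net'), wildcards in any other
        label, and wildcards in the reference identifier are rejected;
      * a wildcard over a two-label name such as '*.net' is rejected.
    """
    ref = reference.lower().rstrip(".").split(".")
    pres = presented.lower().rstrip(".").split(".")
    if "*" in reference or any(not label for label in ref + pres):
        return False
    if any("*" in label for label in pres[1:]):
        return False
    if pres[0] == "*":
        return len(pres) >= 3 and len(ref) == len(pres) and ref[1:] == pres[1:]
    if "*" in pres[0]:
        return False
    return ref == pres


def presented_dns_ids(peercert: dict) -> list:
    """dNSName SAN entries of a cert in the dict form ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def verify_recipient_cert(config: RecipientConfig, peercert: dict) -> bool:
    """Accept the certificate only if a dNSName matches the configured DNS-ID.

    The host in endpoint_url is deliberately not consulted: the reference
    identifier is configuration, not something derived from where the
    connection happened to go. There is no Common Name fallback either, so a
    certificate with no dNSName entries is rejected outright.
    """
    return any(dns_id_matches(config.expected_dns_id, name)
               for name in presented_dns_ids(peercert))


def make_client_context() -> ssl.SSLContext:
    """Client context with chain validation and hostname checking both on."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def connect_to_recipient(config: RecipientConfig) -> ssl.SSLSocket:
    """Open a TLS connection to the recipient; OpenSSL applies the same DNS-ID
    rule against server_hostname, which is the configured name, not the URL host
    (the URL host may be a proxy or load-balancer address)."""
    url = urlsplit(config.endpoint_url)
    raw = socket.create_connection((url.hostname, url.port or 443))
    return make_client_context().wrap_socket(raw, server_hostname=config.expected_dns_id)


# Constructed sample data (invented names; the dict shape mirrors getpeercert()).
SAMPLE_CONFIG = RecipientConfig("https://push.example.net/events", "push.example.net")
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "push.example.net"),),),
    "subjectAltName": (("DNS", "push.example.net"), ("DNS", "*.events.example.net")),
}
CN_ONLY_PEERCERT = {"subject": ((("commonName", "push.example.net"),),)}

if __name__ == "__main__":
    print(verify_recipient_cert(SAMPLE_CONFIG, SAMPLE_PEERCERT))   # True
    print(verify_recipient_cert(SAMPLE_CONFIG, CN_ONLY_PEERCERT))  # False
```

In a live connection `ssl.create_default_context()` already performs this comparison inside OpenSSL, so the hand-written matcher is there to make the rule visible and to check certificates obtained some other way (for instance a pinned certificate stored with the recipient configuration). The thing the reviewer is asking the draft to state is the first argument to `dns_id_matches`: where the reference identifier comes from.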