IETF Logo Mail Archive

Re: [Id-event] small changes to draft-ietf-secevent-delivery

Marius Scurtescu <mscurtescu@google.com> Mon, 05 March 2018 02:28 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A0D812D86E for <id-event@ietfa.amsl.com>; Sun, 4 Mar 2018 18:28:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.72
X-Spam-Level:
X-Spam-Status: No, score=-0.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 42Qr4NfP5FqP for <id-event@ietfa.amsl.com>; Sun, 4 Mar 2018 18:28:02 -0800 (PST)
Received: from mail-vk0-x22a.google.com (mail-vk0-x22a.google.com [IPv6:2607:f8b0:400c:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CA2E128959 for <id-event@ietf.org>; Sun, 4 Mar 2018 18:28:00 -0800 (PST)
Received: by mail-vk0-x22a.google.com with SMTP id x125so8867090vkc.13 for <id-event@ietf.org>; Sun, 04 Mar 2018 18:28:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=w3Wf/gbmuB7ryEexnuDKXugYR7Zz74pYm33RXkdXYBc=; b=UeEE1kKkHmAvxO4+I6WkzYZ+oavbibZrFW60tiAYLJP4L/pAzVBfyp/zjF+muvRsw6 u4b943UC+x/gvnWPDQycWdcYL2QmPk6L2q7XDq6fqEJOu96xWN59PCM+qCc7I24FsfdV UwkJf2vyKCwq7NvvkEUD5DppmeSPNMFI5dFrlk4/3Mh17YNd6Qw3Nc5jGkaqbzoMeTSF XQPtx4UXVk7+0hHHJ9LipxKzuo2wVJxvNGHqPzU7NTlVmYQiLGiBVKBCKu1w1LYi0Plx n4Le1xwLINHvwpgwB7j9W4PeAeZ4qp8+/DgbLViFSpZ6UBDFwkeT/9aO8+WTYd+tdu2W WSjA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=w3Wf/gbmuB7ryEexnuDKXugYR7Zz74pYm33RXkdXYBc=; b=myZFwviYy2LXxsUctkWJxRRGHDLNleOiSKQ1TafG0C0NDlcDNIQFkauyHkzms0Hhdb IO9ZCpLXtsBNyNND2E7p6dElmZzDPCpthkWwbXoQ/u35xiMKOc8C+zIDPSzfzqLKB1r9 R3tUJ5jTvnjVW9vLpIQ0oTbe6L4Q9k06tz3NnD7CvLMhmTQ45FVqhHz+/RIVOzd/2/8I HWDXv32/0dfCrBynXHQWx+K/Mr3Fx6lEfuEJmsV47916pCxasoUqDPEpf+TgwkzGD9wi OMQ+8RUhWvXe9Ml66e6P9hzEiVDXFQUKSNWb9sQGoBN3NN4vkW3CL/PN1VBPoxwHM70m WRiw==
X-Gm-Message-State: APf1xPDYhN0gHB57jTCZWG34e7XpkJsW907SRQIl3sovr/8UU1b9c1Lm Hs0yu2hE5nD5Zn0MEPbn7JqlPVFgizbe6z7eCsyNjA==
X-Google-Smtp-Source: AG47ELvwK/eba+o49Hwyx2W6ec5rNXbjtbTXA1LIY5WP422VFG1OeMHPVGshdArEXkguvgJeF71QHjdvPzY4gio6ZR0=
X-Received: by 10.31.156.71 with SMTP id f68mr8861636vke.129.1520216878945; Sun, 04 Mar 2018 18:27:58 -0800 (PST)
MIME-Version: 1.0
Received: by 10.31.94.88 with HTTP; Sun, 4 Mar 2018 18:27:38 -0800 (PST)
In-Reply-To: <0D2EA133-3E7B-497D-9364-C919D4FCB925@oracle.com>
References: <CAGdjJpLepZNB5DB6dgxuXheoFVLp0wWrROds1iB5J2QMcxKkqw@mail.gmail.com> <57C95B37-57A5-440E-9A4C-2D32B3677B9F@oracle.com> <CAGdjJpLPiVReysu+dFT-t2KCguCs7ceSuC-fHpYYe3vrecfP+w@mail.gmail.com> <0D2EA133-3E7B-497D-9364-C919D4FCB925@oracle.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Sun, 04 Mar 2018 18:27:38 -0800
Message-ID: <CAGdjJpLR0G20+U+TcjO37JvUXyAo03G7NkRBt4ifU-mWmGatZg@mail.gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Cc: ID Events Mailing List <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="001a1141bffc0de0240566a1139b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/rO6tRZubvd3hqVnsa37skou5FpY>
Subject: Re: [Id-event] small changes to draft-ietf-secevent-delivery
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Mar 2018 02:28:10 -0000

Let's go with 1 and 2, sending a pull requests, and we can discuss more
about 3 and 4. Comments inline.

On Fri, Mar 2, 2018 at 4:23 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

> Inline
> Phil
>
> Oracle Corporation, Identity Cloud Services Architect
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
> On Mar 2, 2018, at 4:00 PM, Marius Scurtescu <mscurtescu@google.com>
> wrote:
>
> On Fri, Mar 2, 2018 at 11:55 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> Marius,
>>
>> Thanks.
>>
>> Item 1 and 2 look reasonable.
>>
>
> Sounds good.
>
>
>
>>
>> for Item 3, 4, I think the group should review. See below.
>>
>
> I also commented inline.
>
>
>
>>
>> Given the submission deadline is Monday, it would be good to wait group
>> confirmation of your proposals.
>>
>
> What that does mean in practical terms? If no one has objections we can go
> ahead? By when?
>
>
>>
>> Phil
>>
>> Oracle Corporation, Identity Cloud Services Architect
>> @independentid
>> www.independentid.com
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.independentid.com&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=L-kCx-OLcYfkKdS1eUcIKOBY6y5Jf8PQhbsLU2hVSuc&s=Zm52eLyjaGG_ZPMSegoNV0nSi3xEFnKDLeC0gopCEjA&e=>
>> phil.hunt@oracle.com
>>
>> On Mar 2, 2018, at 10:30 AM, Marius Scurtescu <mscurtescu@google.com>
>> wrote:
>>
>> I have a few other suggestions:
>>
>> 1. In section 1.2 we could drop the definition of Identity Provider and
>> Relying Party. I don't think these are necessary in this spec.
>>
>> 2. In section 2.1, the description of the PUSH delivery mode states that
>> the response must contain "Content-Type: application/json". I think that is
>> the case only for error responses, I think on success no Content-Type is
>> needed at all.
>>
>> 3. In section 2.2, it is stated that "the Event Receiver SHALL indicate
>> an HTTP Status 400 error with an error code as described in Section 2.4". I
>> think that some error codes should be matched by other 4xx codes (for
>> example 401 and 403). I think it would be useful to list all the possible
>> error codes and corresponding HTTP Status codes in this section and not
>> refer to 2.4,
>>
>>
>> <PH>The 4xx messages are assumed by the HTTP RFCs while the errors in sec
>> 2.4 related to errors around jwt processing. We can call out specific 4xx
>> errors that are likely to occur, but I find that people then have issues
>> wondering if they can ever use the complete set of error conditions from
>> RFC7231.
>>
>> Would people find it useful to clarify or give examples of how 7231
>> errors might occur?
>>
>> I’m not sure which of the sec 2.4 error codes could be matched with 401
>> or 403. These are mostly JWT error conditions. Can you elaborate?
>>
>
> I think jwtAud and jwtIss should be 403 and not 400.
>
>
> <PH>
> jwtAud and jwtIss are issues with the payload.  403 indicates the wrong
> authorization credential was used. E.g. a bad authorization header.
>
> It is important to distinguish between an http authorization header and a
> malformed SET.
>

I am not suggesting 401, but 403. The request is perfectly valid, but the
iss or aud presented are not allowed to send events to this receiver.


> setType and dup may also need something else than 400.
>
>
> <PH>
> I think dup is no longer needed as we changed language to allow recovery.
>

Maybe you are right, we can probably drop "dup". I don't see any value in
it for a Transmitter.



>
> setType - We should maybe update the terminology to setEventUri indicating
> the receiver is refusing a specific event type.
>
> 406 is the closest, yet that code is about media types not being
> acceptable.  406 can occur if someone requests application/xml for example.
>

setEventIdentifier? To go with the latest terminology in the SET spec.

Even 403 might be a could status in this case. 406 seems to be related to
the "Accept" header, and that's not the case here. 415?

How about invalid "typ" claim in the SET header?  415?

Also, how about 429 for too many requests?


>
>
>>
>> 4. In section 2.3.1, the description of maxEvents, at the very end. A
>> conflict between zero request events and returnImmediately is described and
>> the later should be ignored. I think this should not be a silent ignore but
>> an error condition,
>>
>> <PH>The value of 0 is used to allow a poller to acknowledge previously
>> received SETs without having to process or wait for new events. Thus
>> returnImmediately is assumed. Thus the value of returnImmediately is
>> ignored.
>>
>
> Right, but to me with 0 and returnImmediately present the request is
> invalid and I don't think that returnImmediately should be simply ignored
>
> <PH>
> See section 2.3.3, in particular acknowledge only (2.3.3.2).
>  “maxEvents”:0 is what makes a request ack only. It can be expressed in a
> more obvious way, but I believe the discussion was this was simpler overall.
>
> returnImmediately:true in the case of 2.3.3.2 is redundant. It isn’t an
> error because control always returns immediately.  returnImmediately:false
> would however would be an error because there is nothing to return in
> section 2.3.3.2.
>
> Looking at the text, it looks like we need to clarify that either an error
> is returned or just an acceptance when maxEvents is 0.
>

Agreed with all of the above. I was suggesting to return an error for
maxEvents:0 and returnImmediately:false.

>
>
>
>
>
>> Some participants indicated a desire to keep acknowledgement threads
>> separate from SET polling threads.  Others wanted to be able to do both at
>> the same time.
>>
>
> Understood.
>
>
>
>>
>> The current spec is at:
>> https://tools.ietf.org/html/draft-ietf-secevent-delivery-01
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Dsecevent-2Ddelivery-2D01&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=ne_ktq-vH7-ENPz2hHpvEBD9gZ8NVol5ZAKe9EeHvu8&s=Hlxm0ufeHaSgSiJeOwFFJrFyiarhtBVMckB9QCslj3Q&e=>
>>
>> I am happy to send pull requests for all these changes. Let me know.
>>
>> Thanks,
>> Marius
>> _______________________________________________
>> Id-event mailing list
>> Id-event@ietf.org
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.iet
>> f.org_mailman_listinfo_id-2Devent&d=DwICAg&c=RoP1YumCXCgaWHv
>> lZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYq
>> PkAI1aLcLN4KZNA&m=ne_ktq-vH7-ENPz2hHpvEBD9gZ8NVol5ZAKe9EeHvu
>> 8&s=uhRVJB8aZnVZHEY_MgIwN8ZjrBDaxt7YDmif4wyv6jg&e=
>>
>>
>

v2.23.0 | Report a Bug | By Email