IETF Logo Mail Archive

Re: [Id-event] Options regarding SPAGs

Atul Tulshibagwale <atultulshi@google.com> Mon, 07 December 2020 21:22 UTC

Return-Path: <atultulshi@google.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 759C93A0B25 for <id-event@ietfa.amsl.com>; Mon, 7 Dec 2020 13:22:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.598
X-Spam-Level:
X-Spam-Status: No, score=-17.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yDPiLORJbLDN for <id-event@ietfa.amsl.com>; Mon, 7 Dec 2020 13:22:04 -0800 (PST)
Received: from mail-yb1-xb2f.google.com (mail-yb1-xb2f.google.com [IPv6:2607:f8b0:4864:20::b2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF5DC3A0B22 for <Id-event@ietf.org>; Mon, 7 Dec 2020 13:22:03 -0800 (PST)
Received: by mail-yb1-xb2f.google.com with SMTP id w127so2690896ybw.8 for <Id-event@ietf.org>; Mon, 07 Dec 2020 13:22:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=X3GWSaCt1YEnKr2BKGTSOBXBv9jEjg2Kq1dSHE5xUBs=; b=NjoRZ1/Mpz3TT4EbT6nGHRXh7S/ldK+g60OiVCXqxjBzWA2ZjGxcF87zxkQ97Lbquo lhUoeHDxHFC9W0MswjAH21z3K/nOJ4eRzcSjM52/JhM/ciLQyVcjxDqoayW6zDArLKXe HBrJcA2h7nmD3/UJyaMeLRFg+fgTVpNeN5QsWNK2S0T/aT/dyJ4mYs0Y6FMh4Hi9xq1I cBXKyutE3W88vuIIJpzNKczwsGPavTIzdB8U2LTfytYfr4bTmg/dMqg45ImshsUP04pH g9BL6VMbpd8ZP+vvayVXL00JyRfE3iMzD/fKDGyoaAzVuhh1lpmg80CGWAsv95XghC7y 5cJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=X3GWSaCt1YEnKr2BKGTSOBXBv9jEjg2Kq1dSHE5xUBs=; b=Bt5XKxBFnO3heJ3aegg0f3SamVGqD20gPP/s/27BYWRTDi1oM1McT7fSGVORB3lQCT RWV6uY+lN57rpmb4tmRv+aiOtBlrdcIrplRWP9x+Kog7ZXG9xjfy3hsoDa1nZ9OWuqKZ NkW3Jk3z5KeWvLLbAdgW1yN8tjtfcr1tZB92HQU22uDzoS8AT9uTghEwLDvic5nMpCkI b92RKHEuvQyoFU9jN0Jil2d9jCAo4u4Ky0p5q9K5VZ7bZhQOMhfCPBQf1mpdU80TebtK gUXqLb+1i1kdpC5G3XuixGR6SWDYlShEmUMCfdrO9PAEqxuIK8hYvFKckyGnvyMDYKBK 5ypA==
X-Gm-Message-State: AOAM531Y2UvZwiIJjmbRJ2HvWUo1Y5vdWDLhJ2vRwaJM8pro8SkqZZ6Z jiDNRBkf5I9ago2Sv99ui4KOixIu2SEDrkfRXuA9AA==
X-Google-Smtp-Source: ABdhPJwhaKKVpbo/YsIjIPc+XEKt35qVRQVUw6CKWqgsD9WO/knIsvuLB0ICxs26f+OlLNH4iFHDOCNjmIxUmq4MNJY=
X-Received: by 2002:a25:cd48:: with SMTP id d69mr25452868ybf.465.1607376122547; Mon, 07 Dec 2020 13:22:02 -0800 (PST)
MIME-Version: 1.0
References: <CAMCkG5v3FTnNz878Fg85hV1vYpVo1QO=AF49yvDOacw9bLw-vQ@mail.gmail.com> <6C154303-F3D3-45A5-9701-25FDF319E92E@independentid.com>
In-Reply-To: <6C154303-F3D3-45A5-9701-25FDF319E92E@independentid.com>
From: Atul Tulshibagwale <atultulshi@google.com>
Date: Mon, 07 Dec 2020 13:21:50 -0800
Message-ID: <CAMCkG5tObvekze6c_ie1iVo8CcAqAGx45MxjoLUvHF8og5cShg@mail.gmail.com>
To: Phillip Hunt <phil.hunt@independentid.com>
Cc: Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org>, SecEvent <Id-event@ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000ce909505b5e66aa5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/s6p2dOXS89wFTDpnCQimVsfKTso>
Subject: Re: [Id-event] Options regarding SPAGs
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2020 21:22:07 -0000

Hi Phillip,
Your suggestion makes sense, but I believe this is not something we have
considered in the SSE work. (Also, to be clear, the "device-transfer" is
not an event being considered in the current draft of SSE Event Types spec
either, but just something we have hypothesized about while considering
whether SPAGs belong in the event or in the subject identifier.)

So from a Subject Identifiers spec perspective, the alternative (i.e. #4 in
Dick's email) to not include a SPAG identifier as a claim in the Subject
Identifier is valid.

However since I believe it is a property of the subject principal rather
than of the event, I'd prefer it to be a claim in the Subject Identifier.

Separately, I'd also like to understand the issue of complexity of SETs:
The limitations placed by the spec; intended but not specified by the
authors; and what issues could result from creating more complex SETs.
Right now, one SSE event is designed to be a single SET. If we have to
create multiple SETs for some events, it will be a bit of additional spec
work (and possibly downstream implementation work).

Thanks,
Atul

On Sat, Dec 5, 2020 at 9:04 AM Phillip Hunt <phil.hunt@independentid.com>
wrote:

> When we first started discussions around SET, one goal was to keep events
> simple/atomic. If multiple subjects are effected by the same event, why not
> issue multiple events and a “txn” value to indicate each SET is part of the
> same parent event/transaction?
>
> Creating compound events to express full context creates a lot of
> contextual “binding” between sender and receiver.
>
> I am not saying multiple subjects is always wrong. But this begins to feel
> like a lot of parsing complexity (affecting event parsing speed) on every
> message rather than send a few more simple messages.  For example ksql can
> capture multiple events in a stream to learn that the same event for
> multiple subjects is related if that needs to be known.
>
> Phil
>
> On Dec 4, 2020, at 4:41 PM, Atul Tulshibagwale <atultulshi=
> 40google.com@dmarc.ietf.org> wrote:
>
> 
> Hi Dick,
> #4 may not always be an option if the event has more than one subject
> claim (e.g. for an event like "device transfer").
>
> Regarding other additions:
> *Subject Categories*:
> Earlier, I had proposed that a subject identifier of any subject_type have
> an optional common claim named "subject_category", which could identify the
> type of subject principal the subject identifier refers to. However, since
> the future of this request in the Subject Identifiers spec wasn't clear, we
> decided to add a new "subject_type" in the SSE spec, called
> "user-device-session". The SSE spec draft defines the algorithm to figure
> out the category of the subject principal based on the content of this
> subject identifier.
>
> As a result of this new subject type definition in the SSE spec draft,
> "subject_category" is no longer a requirement for the SSE work. However,
> since the SSE spec is still being drafted, if the Subject Identifiers spec
> has the ability to add a subject category claim to any subject_type, then
> we can possibly change the SSE spec to make use of it.
>
> *SAML Subject Type*:
> I had proposed that a SAML subject type be introduced in the Subject
> Identifiers. This will help us send and receive events relating to a
> specific SAML-based federated session. I thought this would be a common
> subject type of interest to the Subject Identifiers spec. However, we have
> now added it as a subject type in the SSE draft spec. If the Subject
> Identifiers draft were to include this, it would be very easy for us to
> remove this from the SSE draft spec.
>
> BTW a good way to look at all my proposed changes to the Subject
> Identifiers draft is by reviewing my pull request here:
> https://github.com/richanna/secevent/pull/1
>
> Thanks,
> Atul
>
>
> On Thu, Dec 3, 2020 at 5:43 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> I think there is also a fourth option:
>>
>> 4. a SPAG identifier can be placed in a separate top level object or top
>> level property
>>
>> Atul: in the other thread, you mentioned that there were other additions
>> that the OpenID Shared Signals and Events WG is interested in. Would you
>> enumerate them as well so that we can address all potential issues?
>>
>>
>> ᐧ
>>
>> On Thu, Dec 3, 2020 at 3:04 PM Atul Tulshibagwale <atultulshi=
>> 40google.com@dmarc.ietf.org> wrote:
>>
>>> Hi all,
>>> Based on Dick's request, I'd like to summarize the situation with SPAGs
>>> here.
>>>
>>> *Background*:
>>> The present Subject Identifiers draft
>>> <https://github.com/richanna/secevent/blob/1fd045d251ff3c6be9a500c6a78d895be3c6b2bf/draft-ietf-secevent-subject-identifiers.txt>
>>> forbids a subject identifier of a specific subject_type from having any
>>> claims that are not described in the subject_type. This prevents
>>> higher-level specs from proposing any additional claims to be included in
>>> subject identifiers of subject types that are defined in the Subject
>>> Identifier spec.
>>>
>>> *SPAGs*:
>>> Subject Principal Administrative Groupings or SPAGs are an addition to
>>> the OpenID "Shared Signals and Events Profile of SETs"
>>> <https://bitbucket.org/openid/risc/src/caep-draft-01/openid-sse-profile-2_0.txt>,
>>> which is a revision of the "RISC Profile of SETs
>>> <https://bitbucket.org/openid/risc/src/master/openid-risc-profile-1_0.txt>".
>>> The present draft of the SecEvents Subject Identifiers spec is derived from
>>> a section in this RISC Profile. The SSE Profile now refers to the SecEvents
>>> Subject Identifiers draft.
>>>
>>> SPAGs are required to address the following needs:
>>>
>>>    1. Disambiguate a subject identifier if it belongs to more than one
>>>    sub-organizations. For example, if the subject claim in an event is of the
>>>    subject type "email", then a SPAG may be used to specify the
>>>    sub-organization the specified email should be scoped down to. A dynamic
>>>    organization may have the same email in multiple sub-organizations, and the
>>>    event may apply to only one such sub organization.
>>>    2. Provide a lighter weight mechanism to start and stop event
>>>    streams for sub-organizations. These could be OUs or dynamic groups within
>>>    an organization, or separate tenants in a multi-tenanted transmitter or
>>>    receiver.
>>>
>>> *Requirements from Subject Identifiers*:
>>>
>>>    1. A SPAG may be specified as an additional attribute of a subject
>>>    identifier with any subject type, in order to disambiguate and scope the
>>>    event with that subject identifier.
>>>    2. A SPAG may be a new subject type of its own when it is used in an
>>>    event that specifies the starting or stopping of a stream.
>>>
>>> *Options*:
>>> The following options are possible to address this requirement.
>>>
>>>    1. *Minimal Change to the present Subject Identifiers draft*: Remove
>>>    the words "or not described" on line 247
>>>    <https://github.com/richanna/secevent/blob/1fd045d251ff3c6be9a500c6a78d895be3c6b2bf/draft-ietf-secevent-subject-identifiers.txt#L247>.
>>>    This way a higher-level spec that needs to add additional attributes to all
>>>    subject identifiers used in that spec can add them and specify the
>>>    additional attributes' optional or required nature. In this option, SPAGs
>>>    will be defined in the SSE profile spec.
>>>    2. *Include SPAGs in the Subject Identifiers spec*: Include language
>>>    for SPAGs proposed earlier in this list, so that:
>>>       1. Subject Principals and SPAGs are defined in the Subject
>>>       Identifiers spec
>>>       2. An additional attribute named "spag_id" is added as an
>>>       optional attribute of any subject_type.
>>>       3. An additional subject_type "spag" is defined (this is used
>>>       primarily for "control plane" events.)
>>>    3. *Do both 1. and 2*: With this, we will address the issue that
>>>    higher-level specs cannot insert additional attributes in predefined
>>>    subject types, and define SPAGs within the Subject Identifiers spec.
>>>
>>> Thanks,
>>> Atul
>>>
>>> _______________________________________________
>>> Id-event mailing list
>>> Id-event@ietf.org
>>> https://www.ietf.org/mailman/listinfo/id-event
>>>
>> _______________________________________________
> Id-event mailing list
> Id-event@ietf.org
> https://www.ietf.org/mailman/listinfo/id-event
>
> _______________________________________________
> Id-event mailing list
> Id-event@ietf.org
> https://www.ietf.org/mailman/listinfo/id-event
>

v2.23.0 | Report a Bug | By Email