IETF Logo Mail Archive

Re: [Id-event] Options regarding SPAGs

Dick Hardt <dick.hardt@gmail.com> Fri, 04 December 2020 01:42 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 078043A1201 for <id-event@ietfa.amsl.com>; Thu, 3 Dec 2020 17:42:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g-W22N6TrdiF for <id-event@ietfa.amsl.com>; Thu, 3 Dec 2020 17:42:50 -0800 (PST)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7B713A12B9 for <id-event@ietf.org>; Thu, 3 Dec 2020 17:42:32 -0800 (PST)
Received: by mail-lj1-x22c.google.com with SMTP id f24so4738519ljk.13 for <id-event@ietf.org>; Thu, 03 Dec 2020 17:42:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0EvihjWDRi3QPRGathiZRaMjv/BllKggGDfWQ9sfLJ0=; b=B6ondliQuQdw5okBny1+UYn5I4cmV2RRJbTtHG3Oble0KUqzhwu5dXGvmlAm8fpNs7 muFRjzpuJeG2jbyT9tKgWw/bumJBquPlwt+GE6oR/xZo7ZI1IPveMuLMwp+jSLQnCz+2 BDiFuPGBVE5IdeiYhEiIkU9lTMZE4upfFX8BSyYIuFo3lStcZR4sfJpuBMZBPFCoxoMu kTfPLtpLtbI5sHIARkrVnP2hx7MvnCDNyLQcwKKgxHqparuaxZOyb8EgbcLpbEnThrhA BpqqAX60HRXRHAwnWjbWfEMT16bj9+EWsWXBmr2ND6MwNgyQiHio57Los2ZEauR4pxuB eMLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0EvihjWDRi3QPRGathiZRaMjv/BllKggGDfWQ9sfLJ0=; b=TSPlBSyr2R19k0y6QysE+3I8w+SCTj6CjTwSbEVyhaxYMy0V3iFqrND1uNO8yc4gSW Fd+0ecgMa2aXp5JYqVCTiC5V+hv8JR0RUClXDESZi3D9goRPMnatviNNKUe+pXz3sqfY 2WQljWNf9te4/VRwXlVXa6YVU9VcOe6xwG3apKqgOoQA0oQgiEXL1775W+Fyfi8s5N5L 6i3IBvzNGSMT2PJTzZ4Purp704DZwcwiAFqEGsji7W/NhoLnZOQLB3aPWlg22/N0yPg5 a8Z7BPbqfjrHC/c0o6WN3y+08G9WunXUWa2djhQG/FGsL4L/9/W75foFU5auHOvyTykh PnVg==
X-Gm-Message-State: AOAM531ApbLMXrOAKVQqhPdOItuSuOaoUE8EbFNZ1LeOxwNA2gpBsx9L RbM4UJ1Z+0PHvO83OGiEwkw3NJoUrMs682e9X9eiQQWUHc5ZfA==
X-Google-Smtp-Source: ABdhPJzBK8uAmOlWheDKFzxpiJYf7z3bltZSjAKLMkC6Tf5oNB2y201MkEc4OnUANs0xRzjQvdG+p6ZpcqT5dBjMhoY=
X-Received: by 2002:a2e:b4d1:: with SMTP id r17mr2351712ljm.246.1607046150381; Thu, 03 Dec 2020 17:42:30 -0800 (PST)
MIME-Version: 1.0
References: <CAMCkG5vAnEyUeRjjRuyuk_mRQEXX2ZdZffGamzGg2+AzjMp9kQ@mail.gmail.com>
In-Reply-To: <CAMCkG5vAnEyUeRjjRuyuk_mRQEXX2ZdZffGamzGg2+AzjMp9kQ@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 03 Dec 2020 17:41:54 -0800
Message-ID: <CAD9ie-tk53ztCTA8U2bNmaB9dd9x0bK6JNyN=kOU+=RJ8zEUCw@mail.gmail.com>
To: Atul Tulshibagwale <atultulshi=40google.com@dmarc.ietf.org>
Cc: SecEvent <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ee64d005b59996bf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/shtAEpu0enKojOcnszH3zqo4vQw>
Subject: Re: [Id-event] Options regarding SPAGs
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 01:42:53 -0000

I think there is also a fourth option:

4. a SPAG identifier can be placed in a separate top level object or top
level property

Atul: in the other thread, you mentioned that there were other additions
that the OpenID Shared Signals and Events WG is interested in. Would you
enumerate them as well so that we can address all potential issues?


ᐧ

On Thu, Dec 3, 2020 at 3:04 PM Atul Tulshibagwale <atultulshi=
40google.com@dmarc.ietf.org> wrote:

> Hi all,
> Based on Dick's request, I'd like to summarize the situation with SPAGs
> here.
>
> *Background*:
> The present Subject Identifiers draft
> <https://github.com/richanna/secevent/blob/1fd045d251ff3c6be9a500c6a78d895be3c6b2bf/draft-ietf-secevent-subject-identifiers.txt>
> forbids a subject identifier of a specific subject_type from having any
> claims that are not described in the subject_type. This prevents
> higher-level specs from proposing any additional claims to be included in
> subject identifiers of subject types that are defined in the Subject
> Identifier spec.
>
> *SPAGs*:
> Subject Principal Administrative Groupings or SPAGs are an addition to the
> OpenID "Shared Signals and Events Profile of SETs"
> <https://bitbucket.org/openid/risc/src/caep-draft-01/openid-sse-profile-2_0.txt>,
> which is a revision of the "RISC Profile of SETs
> <https://bitbucket.org/openid/risc/src/master/openid-risc-profile-1_0.txt>".
> The present draft of the SecEvents Subject Identifiers spec is derived from
> a section in this RISC Profile. The SSE Profile now refers to the SecEvents
> Subject Identifiers draft.
>
> SPAGs are required to address the following needs:
>
>    1. Disambiguate a subject identifier if it belongs to more than one
>    sub-organizations. For example, if the subject claim in an event is of the
>    subject type "email", then a SPAG may be used to specify the
>    sub-organization the specified email should be scoped down to. A dynamic
>    organization may have the same email in multiple sub-organizations, and the
>    event may apply to only one such sub organization.
>    2. Provide a lighter weight mechanism to start and stop event streams
>    for sub-organizations. These could be OUs or dynamic groups within an
>    organization, or separate tenants in a multi-tenanted transmitter or
>    receiver.
>
> *Requirements from Subject Identifiers*:
>
>    1. A SPAG may be specified as an additional attribute of a subject
>    identifier with any subject type, in order to disambiguate and scope the
>    event with that subject identifier.
>    2. A SPAG may be a new subject type of its own when it is used in an
>    event that specifies the starting or stopping of a stream.
>
> *Options*:
> The following options are possible to address this requirement.
>
>    1. *Minimal Change to the present Subject Identifiers draft*: Remove
>    the words "or not described" on line 247
>    <https://github.com/richanna/secevent/blob/1fd045d251ff3c6be9a500c6a78d895be3c6b2bf/draft-ietf-secevent-subject-identifiers.txt#L247>.
>    This way a higher-level spec that needs to add additional attributes to all
>    subject identifiers used in that spec can add them and specify the
>    additional attributes' optional or required nature. In this option, SPAGs
>    will be defined in the SSE profile spec.
>    2. *Include SPAGs in the Subject Identifiers spec*: Include language
>    for SPAGs proposed earlier in this list, so that:
>       1. Subject Principals and SPAGs are defined in the Subject
>       Identifiers spec
>       2. An additional attribute named "spag_id" is added as an optional
>       attribute of any subject_type.
>       3. An additional subject_type "spag" is defined (this is used
>       primarily for "control plane" events.)
>    3. *Do both 1. and 2*: With this, we will address the issue that
>    higher-level specs cannot insert additional attributes in predefined
>    subject types, and define SPAGs within the Subject Identifiers spec.
>
> Thanks,
> Atul
>
> _______________________________________________
> Id-event mailing list
> Id-event@ietf.org
> https://www.ietf.org/mailman/listinfo/id-event
>

v2.23.0 | Report a Bug | By Email