IETF Logo Mail Archive

Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

Mike Jones <Michael.Jones@microsoft.com> Thu, 02 March 2017 00:07 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F1F0129426 for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 16:07:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Level:
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sFUTF371fr4a for <id-event@ietfa.amsl.com>; Wed, 1 Mar 2017 16:07:28 -0800 (PST)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02on0100.outbound.protection.outlook.com [104.47.37.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA938128DF6 for <id-event@ietf.org>; Wed, 1 Mar 2017 16:07:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=8Y0sx8BTDwQACQJM1HsJmZGrhVFjS5fDcCYBrXd6Nqc=; b=j2dhpWRJ+RuqbDn0YxpirYvRiPkp2c8N8Qisg30OPBFRom1u07i0fRyRmkqTViLmRPgyxHfi2vWVXE4DXxxwc1VYGERxv7I5oc8+9jhyFD9Co89zQ01kAucuiMbFOu5MNpiHZW8nmO0CKTHMWiqEEiQUtWaaNUZR4GVKz43XLM0=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Thu, 2 Mar 2017 00:07:22 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.007; Thu, 2 Mar 2017 00:07:22 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: William Denniss <wdenniss@google.com>, Marius Scurtescu <mscurtescu@google.com>
Thread-Topic: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
Thread-Index: AQHSkrmW5tqPJIY8NEisvT0PLETCCaGAXGUAgAABMRCAAAuGgIAAAFNAgAABeACAAAR5AIAABIYAgAA1GwCAAAFQAIAAATMw
Date: Thu, 02 Mar 2017 00:07:21 +0000
Message-ID: <CY4PR21MB050400C17BDCA9B45C2DB65CF5280@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <4611E3C8-9772-44EA-940D-077E1EA6247F@oracle.com> <CAAP42hAPZOHn-37wYrOy7OcvNuqWdXtSSMHxb_AoW7kXeAy4wA@mail.gmail.com> <CY4PR21MB050423CEEA9AB0CC64F0973FF5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hD8FbZSKWiorKSZHqiidak4Gf071xKTD2d9EvZa13mt5g@mail.gmail.com> <CY4PR21MB05047835E14B3D375C0538F6F5290@CY4PR21MB0504.namprd21.prod.outlook.com> <CAAP42hB63GC9=7nqiayjnD9i5RG7Yu7CJVCtDZpNWTgLMrDJ8w@mail.gmail.com> <0D17E1B4-D8C1-4241-8D11-8C0C700DD1D5@oracle.com> <CAAP42hANJNA62Zkhpv96snpk7O8-cUfwMtooCuhyN242vEMkfA@mail.gmail.com> <CAGdjJpLEX06CsLFH4u4YicP1qbW1Q8yjFhZjSovFRJzQv7B1bQ@mail.gmail.com> <CAAP42hAQwK1qPAymbgLNa2bjgBFABHC2VwD5NmrF+iB+zZ__wA@mail.gmail.com>
In-Reply-To: <CAAP42hAQwK1qPAymbgLNa2bjgBFABHC2VwD5NmrF+iB+zZ__wA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: google.com; dkim=none (message not signed) header.d=none;google.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:a::713]
x-ms-office365-filtering-correlation-id: 768aa4b9-d4fc-4e48-e6d0-08d461001979
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR21MB0504;
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0504; 7:/6c7XboCOHqKto4Dj5hlyHp6JzroS2Aq1pJ6FlQKI21ROQ/+wfNBib7qC6p06EL8Mf3o1e52wkQHK6LzI9xtybYQH5Y0okX8XmeIE9aADyNWDDJJrYKyF4PEP+ggXDH53yEA3l3+4NNEs3fuiPBwZJZxlmQsJGFQQ5kIe3cB42kOyvLT+pABvL6m/Q6EhJZs/6qW/LkLFCe0/2Bo9lrFs4EXhWg1K4tllyP487lfpNLJOOmCO4ApiYwYKI5H3C8Q0ntYtkz/phJWTebiD0o1g1ILomi2FA7kB0gwZ1kVtbZldNKPOyAAJ+kWqq+dU7l7PKo7Zk2G3vYWosQB+d1eFx6WpINkzAeFHPrPOgi30Dg=
x-microsoft-antispam-prvs: <CY4PR21MB05046818A48851DB76A989C2F5280@CY4PR21MB0504.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(278428928389397)(192374486261705)(211936372134217)(21748063052155)(21532816269658)(146099531331640);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123564025)(20161123555025)(20161123562025)(20161123560025)(20161123558025)(6072148); SRVR:CY4PR21MB0504; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0504;
x-forefront-prvs: 023495660C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(39410400002)(39850400002)(39450400003)(39840400002)(377454003)(24454002)(3280700002)(2900100001)(6116002)(10090500001)(790700001)(2906002)(3660700001)(5005710100001)(8676002)(8936002)(106116001)(7906003)(81166006)(7736002)(33656002)(74316002)(10290500002)(189998001)(50986999)(86362001)(6246003)(102836003)(38730400002)(53936002)(53546006)(93886004)(54356999)(122556002)(76176999)(6506006)(5660300001)(6436002)(7696004)(77096006)(19609705001)(9686003)(606005)(25786008)(99286003)(54906002)(6306002)(92566002)(55016002)(4326008)(236005)(2950100002)(229853002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0504; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB050400C17BDCA9B45C2DB65CF5280CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Mar 2017 00:07:21.9524 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0504
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/uLsD4itdLlfN_ymimBUzaPhYNtI>
Cc: ID Events Mailing List <id-event@ietf.org>, "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 00:07:31 -0000

Of course, there is already a “typ” claim.  Its use is optional, since whether it’s needed is application-specific.

Your suggestion that we issue general-purpose JWT guidance about iss/aud namespaces is exactly the kind of thing that’s beyond the scope of this working group, per my just-sent reply to Marius.  Suggesting that applications use the “events” claim to distinguish between SETs and other kinds of JWTs is within the scope of this working group, because it is advice about using SETs.

                                                       -- Mike

From: William Denniss [mailto:wdenniss@google.com]
Sent: Wednesday, March 1, 2017 4:00 PM
To: Marius Scurtescu <mscurtescu@google.com>
Cc: Phil Hunt (IDM) <phil.hunt@oracle.com>; Mike Jones <Michael.Jones@microsoft.com>; ID Events Mailing List <id-event@ietf.org>
Subject: Re: [Id-event] Thread: Clarifying use of sub and iss in SET tokens

If JWT had a "typ" field all along, this entire discussion could be avoided, but it's too late for that now. I believe that this was actually the founding reason behind standardizing SET, introducing the "events" claim. At least, to avoid the 3+ versions of event-on-JWT that were in discussion at the time.

As with all security considerations people can not follow them and have bad things happen.

Doesn't suggesting that unrelated systems not issue tokens sharing the same iss/aud namespace make sense here as a mitigation though?  To me that's better and more scalable than every spec removing some required claim from the other specs (e.g. mandating that people can't use "sub").


On Wed, Mar 1, 2017 at 3:54 PM, Marius Scurtescu <mscurtescu@google.com<mailto:mscurtescu@google.com>> wrote:
We also talked about adding another claim that defines the type or purpose of the JWT ("access token", "SET", etc). In a way it is the only sane option, but it is not addressing existing implementations. Asking implementors to "be careful" is asking for trouble IMO, especially because systems evolve by incrementally adding functionality.

Marius

On Wed, Mar 1, 2017 at 12:44 PM, William Denniss <wdenniss@google.com<mailto:wdenniss@google.com>> wrote:
OK so perhaps the "URI" thing is overly restrictive.

I guess the security consideration I'm recommending here is that you shouldn't have multiple systems that issue JWTs with the same iss/aud tuple, except when those systems are tightly coupled (as is the case with Connect & Logout).

If a shared issuer is used, then URI-based namespacing is *one* way to avoid this, but there are others.

I'm trying to avoid the need for SET to "break" possible use in access tokens (one of the stated goals in the original post) – I think having advice like this can avoid normative language that changes, and overly complicates SET.

_______________________________________________
Id-event mailing list
Id-event@ietf.org<mailto:Id-event@ietf.org>
https://www.ietf.org/mailman/listinfo/id-event

v2.23.0 | Report a Bug | By Email