[Id-event] Review of draft-ietf-secevent-subject-identifiers-05 by Michael Jones

Mike Jones <Michael.Jones@microsoft.com> Fri, 10 July 2020 03:55 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "id-event@ietf.org" <id-event@ietf.org>
Date: Fri, 10 Jul 2020 03:55:18 +0000
Message-ID: <BY5PR00MB0676DAA4C5ECC281853BDA15F5650@BY5PR00MB0676.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/mmd16lj_ESbzSiOgCZnekKElWMk>

I did a cover-to-cover read of draft-ietf-secevent-subject-identifiers-05.  My resulting review comments follow, grouped into substantive and editorial sections.

SUBSTANTIVE COMMENTS

Abstract - Remove [JSON], [JWT], and [SET] references.  Past IESG reviews of other specs have told me that citations are not allowed in abstracts, since they need to stand alone without the rest of the specification.

2.  Notational Conventions

Copy https://tools.ietf.org/html/draft-ietf-secevent-http-poll-12#section-1.2 and make it a Definitions or Terminology sub-section under the current Notational Conventions section.

3.  Subject Identifiers - The language "Every Subject Identifier Type MUST have a unique name registered..." is surprisingly different from the corresponding JWT spec language, which also allows Private identifiers and Collision-Resistant identifiers.  Why not also allow them here?

3.  Subject Identifiers - The term "payload claims" is confusing.  Please change this term to "Subject Identification Claims" throughout the specification.

3.1. Account Subject Identifier Type - Figure 1 - This figure is confusing because it makes it seem like "subject_type" and "uri" are top-level JWT claims.  Please correct this possible confusion by adding "sub_id": to the example.  The updated example would look like this:

   "sub_id": {
     "subject_type": "account",
     "uri": "acct:example.user@service.example.com"
   }

Also add "sub_id": to all other examples, such as those in 3.2, 3.3, 3.4, etc.

3.2.1 Email Canonicalization - Please add a note that the domain portion of an RFC 5322 addr-spec already must be treated in a case-insensitive manner, per RFC 1034.

3.3. Phone Number Subject Identifier - Please change all instances of "phone-number" to "phone_number" to match the JWT claim of the same name.  This occurs multiple times throughout the specification.

3.4. Issuer and Subject Subject Type Identifier - Add a note that this is the way that subjects are identified in OpenID Connect ID Tokens.

5.1. Identifier Correlation - Add this phrase to the end of the last sentence "or when correlation is essential to the use case".

6. Security Considerations - Talk about integrity-protecting SETs.  Borrow or reference security considerations from the other SecEvent specs.

7.1. Security Event Subject Identifier Types Registry - Please add a suggestion to IANA that this registry be located at https://www.iana.org/assignments/secevent/.

7.1.1. Registration Template - Add underscore "_" to the set of acceptable characters.

7.1.1. Registration Template - Change Controller - Remove OpenID statements and replace them by IETF specifications and "IETF".

7.1.1. Registration Template - Defining Document(s) - Also add "prohibited" to the list of conditions to be described.

7.1.3. Guidance for Expert Reviewers - State that multiple Expert Reviewers should be appointed.  You can borrow language about that from RFC 7519.

7.2. JSON Web Token Claims Registration - Change "established by [SET]" to "established by [JWT]".

Acknowledgements - Also acknowledge the SecEvent working group and its members.

EDITORIAL COMMENTS

1. Introduction - Change "section 1.2" to "Section 1.2" (and similarly change to Title Case for any other occurrences of "section", "figure", or "table").

1. Introduction - Add a comma after "but not limited to".

1. Introduction - Add a comma after "for example".

2.  Notational Conventions - Update to use RFC 8417 language.

3.  Subject Identifiers - Change "which" to "that" in "which are to be interpreted"

3.1. Account Subject Identifier Type - Figure 1 - It's odd to have a period ending a sentence fragment.  Delete the period at the end of the figure caption.  Do this for all other figures when the caption is also a sentence fragment, such as Figure 2, Figure 3, Figure 4, etc.

4.1. "sub_id" Claim - Change "sub_id" to <spanx style="verb">sub_id</spanx> in the source so that the formatting is correctly applied across all output representations.  Similarly, use spanx style verb for all other instances of literals in the specification.

4.1. "sub_id" Claim - Likewise, change `sub` to <spanx style="verb">sub</spanx> and `sub_id` to <spanx style="verb">sub_id</spanx>.  Search for other similar instances of uses of " ' or ` in the spec and correct them to spanx style verb.

4.2. "sub_id" and "iss-sub" Subject Identifiers - This section seems to repeat information in Section 3.4 (Issuer and Subject Subject Identifier Type).  Please consolidate them.

8.1. Normative References - IANA.JWT.Claims - Delete the odd text "n.d.,".

8.1. Normative References - Choose one of [JWT] or [RFC7519] and delete the other one.

8.1. Informative References - Change [OIDC] to the standard reference name [OpenID.Core].

                                                       -- Mike
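Added example, not part of the review above nor code from the draft: a small validator for the nested "sub_id" claim structure the review asks the examples to show, using the member names discussed (subject_type, uri, email, phone_number, iss, sub) and lowercasing the domain portion of an email address as the review's RFC 1034 note implies. The required-member table, the acct: scheme check and the sample payloads are assumptions constructed for this example; the draft's exact validation rules are not reproduced.

```python
"""Validator for a top-level "sub_id" claim carrying a Subject Identifier.

Example code only. The REQUIRED table, the acct: check and the sample
payloads are assumptions made for illustration, not the draft's own text.
"""
import json

# Members that each subject type must carry (assumption for this example).
REQUIRED = {
    "account": ("uri",),
    "email": ("email",),
    "phone_number": ("phone_number",),   # underscore, matching the JWT claim name
    "iss-sub": ("iss", "sub"),
}


def canonicalize_email(addr: str) -> str:
    """Lowercase the domain portion of an addr-spec.

    DNS names are case-insensitive (RFC 1034), so the domain can always be
    folded. The local part is left as-is because its case handling is up to
    the receiving host.
    """
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an addr-spec: {addr!r}")
    return f"{local}@{domain.lower()}"


def validate_sub_id(sub_id: dict) -> dict:
    """Return a normalized copy of a sub_id object, or raise ValueError."""
    if not isinstance(sub_id, dict):
        raise ValueError("sub_id must be a JSON object")
    stype = sub_id.get("subject_type")
    if stype not in REQUIRED:
        # Catches e.g. the hyphenated "phone-number" spelling.
        raise ValueError(f"unknown subject_type: {stype!r}")
    missing = [m for m in REQUIRED[stype] if m not in sub_id]
    if missing:
        raise ValueError(f"{stype}: missing members {missing}")
    out = dict(sub_id)
    if stype == "email":
        out["email"] = canonicalize_email(sub_id["email"])
    if stype == "account" and not sub_id["uri"].startswith("acct:"):
        raise ValueError("account uri must use the acct: scheme (assumption)")
    return out


def validate_jwt_payload(payload_json: str) -> dict:
    """Parse an already base64url-decoded JWT payload and validate its sub_id.

    A payload whose subject_type/uri sit at the top level (the confusion the
    review points out in Figure 1) is rejected because sub_id is absent.
    """
    payload = json.loads(payload_json)
    if "sub_id" not in payload:
        raise ValueError("payload has no sub_id claim")
    payload["sub_id"] = validate_sub_id(payload["sub_id"])
    return payload


def rejects(payload_json: str) -> bool:
    """True when validate_jwt_payload raises ValueError for the payload."""
    try:
        validate_jwt_payload(payload_json)
    except ValueError:
        return True
    return False


# Constructed sample payloads (not taken from the draft).
GOOD_EMAIL = ('{"iss":"https://idp.example.com",'
              '"sub_id":{"subject_type":"email","email":"Example.User@Service.Example.COM"}}')
GOOD_ISS_SUB = '{"sub_id":{"subject_type":"iss-sub","iss":"https://idp.example.com","sub":"248289761001"}}'
BAD_HYPHEN = '{"sub_id":{"subject_type":"phone-number","phone-number":"+12065550100"}}'
BAD_FLAT = '{"subject_type":"account","uri":"acct:example.user@service.example.com"}'

if __name__ == "__main__":
    print(validate_jwt_payload(GOOD_EMAIL)["sub_id"])
    for bad in (BAD_HYPHEN, BAD_FLAT):
        print("rejected:", bad, rejects(bad))
```

The point of the nested check is the one the review makes about Figure 1: a consumer that looks for subject_type at the top level of the payload and one that looks inside sub_id will disagree about the same token, so the validator insists on the sub_id wrapper and rejects anything else.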