IETF Logo Mail Archive

Re: [Id-event] Dealing with issuer conflict

Mike Jones <Michael.Jones@microsoft.com> Thu, 18 May 2017 17:46 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 051DC12EB4D for <id-event@ietfa.amsl.com>; Thu, 18 May 2017 10:46:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.031
X-Spam-Level:
X-Spam-Status: No, score=-0.031 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oWzy-fQ-8V83 for <id-event@ietfa.amsl.com>; Thu, 18 May 2017 10:46:27 -0700 (PDT)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01on0129.outbound.protection.outlook.com [104.47.32.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84316120227 for <id-event@ietf.org>; Thu, 18 May 2017 10:40:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=DJY6qO0PvpZo5JgHV1rSZZMhsZltv0Nl4OVe8tvhl6M=; b=Fpbu9iut39PmCJO6X/kFwYaqggWvN+0CC25qHsZhUtqraiRWXIKoBZbbRYz2te/kpuSmmwIKWh6BrTJFKKOh7em4rbKtRQGWiheVF6rUWuJiHXPorqCdfltXucOHrN6ZjzTuSs9X+vZ7dA5wzLAO3hCpwlHCa8gfLpdIXGleIEA=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0277.namprd21.prod.outlook.com (10.173.193.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1124.0; Thu, 18 May 2017 17:40:39 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.1124.007; Thu, 18 May 2017 17:40:39 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Phil Hunt (IDM)" <phil.hunt@oracle.com>, Dick Hardt <dick.hardt@gmail.com>
CC: ID Events Mailing List <id-event@ietf.org>
Thread-Topic: [Id-event] Dealing with issuer conflict
Thread-Index: AQHSz5GPBeIUkwXJI0S9grGRbpCBVKH6GH8AgAAO/4CAADPHoA==
Date: Thu, 18 May 2017 17:40:39 +0000
Message-ID: <CY4PR21MB0504CBB636CAD1E33158997DF5E40@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <D1129EE9-8D49-4262-A569-FF373490EB85@oracle.com> <CAD9ie-unodo_BgMdH-iT64U6n7A4H_kEVOLCViWqDuLfRSRgSg@mail.gmail.com> <262D32B6-940E-4B96-9981-079A5443ED3E@oracle.com>
In-Reply-To: <262D32B6-940E-4B96-9981-079A5443ED3E@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Ref=https://api.informationprotection.azure.com/api/72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetBy=mbj@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2017-05-18T10:40:37.4974099-07:00; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
authentication-results: oracle.com; dkim=none (message not signed) header.d=none;oracle.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:3::32c]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0277; 7:1LdXof7YQ+vkoRHspL/4sCSkUz/8sUtgE0UojfV6cvB0Z656rO02vPdnQKprx5PlT4R80kFCofQVVQ2kLnmL60BdSJnYf3I59BSrYBazmptomo25TrtoRbMb+D3XdHB+t384yUhdl7e+TPRZOVASjIvGq1lt2c/rzSI+5Pa8uKJnV/a9hx83CDzZ55xBOyOS7wx15fO6tXCemD36r1acPUHijrCgf8eFX/oSYSnkaOjp4wH7Hp8GBi7PrX6+8jZHgX39r/Ip3aoTIVfAjb84iGVde1Ptf1yHTo1mK0HpA04WjWY6u2UmNGI1PtrGtk44JdxZu3qWHPdGrwTXjd8rvlGahR+TJXa4Ax4gG5LoZik=
x-ms-traffictypediagnostic: CY4PR21MB0277:
x-ms-office365-filtering-correlation-id: ff0eca2c-d56b-4727-8e3d-08d49e15000b
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(48565401081)(201703131423075)(201703031133081); SRVR:CY4PR21MB0277;
x-microsoft-antispam-prvs: <CY4PR21MB0277B8D70521AEB7FE1A4A1CF5E40@CY4PR21MB0277.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(10436049006162)(21748063052155)(21532816269658)(146099531331640)(17755550239193)(5213294742642);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700036)(100105000095)(100000701036)(100105300095)(100000702036)(100105100095)(61425038)(6040450)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(93006095)(93001095)(100000703036)(100105400095)(6055026)(61426038)(61427038)(6041248)(20161123564025)(20161123555025)(20161123558100)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123562025)(20161123560025)(6072148)(100000704036)(100105200095)(100000705036)(100105500095); SRVR:CY4PR21MB0277; BCL:0; PCL:0; RULEID:(100000800036)(100110000095)(100000801036)(100110300095)(100000802036)(100110100095)(100000803036)(100110400095)(100000804036)(100110200095)(100000805036)(100110500095); SRVR:CY4PR21MB0277;
x-forefront-prvs: 0311124FA9
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39400400002)(39850400002)(39450400003)(39860400002)(39840400002)(39410400002)(377454003)(24454002)(6306002)(77096006)(54896002)(10090500001)(99286003)(966005)(7696004)(55016002)(6506006)(575784001)(9686003)(8676002)(561944003)(606005)(6436002)(86362001)(2950100002)(53936002)(8936002)(2906002)(3660700001)(8990500004)(3280700002)(5005710100001)(86612001)(81166006)(50986999)(478600001)(54356999)(10290500003)(72206003)(76176999)(229853002)(7906003)(33656002)(25786009)(122556002)(4326008)(7736002)(53546009)(5660300001)(6246003)(189998001)(790700001)(6116002)(102836003)(39060400002)(38730400002)(236005)(2900100001)(74316002)(19609705001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0277; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0504CBB636CAD1E33158997DF5E40CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 May 2017 17:40:39.6779 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0277
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/v0w8nLRBZFgdRq5WNw6XNcW-1Lo>
Subject: Re: [Id-event] Dealing with issuer conflict
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 May 2017 17:46:34 -0000

I believe that the solution already discussed is the best one.  If the event issuer is different than a logical issuer associated with the event subject, then put the logical “iss” and “sub” values inside the event.  Any “sub” at the top-level (if any) should be associated with the “iss” at the top-level, which is always the event issuer.

Any proposal that requires duplicating information, such as requiring “subIss” even when it’s always identical to “iss”, is not a great architectural choice, since it creates unnecessary error conditions that would not otherwise be possible.  (How should implementations handle the case where two values are required to match but don’t?)

                                                                -- Mike

From: Id-event [mailto:id-event-bounces@ietf.org] On Behalf Of Phil Hunt (IDM)
Sent: Thursday, May 18, 2017 7:31 AM
To: Dick Hardt <dick.hardt@gmail.com>
Cc: ID Events Mailing List <id-event@ietf.org>
Subject: Re: [Id-event] Dealing with issuer conflict

??

Happens in any case where sub is not globally identifiable.

In Connect, since sub is not uniquely identified, the iss for the sub must be included. This creates a conflict if the issuer of the SET is not the issuer of the subject.

Resolving the iss conflict has been on the list of issues since chicago.

In RISC we were discussing account close events. I am assume one of the scenarios is RPs will notify IDPs when they close an account. They must use an iss not associated with sub. As things stand now, they will have to assert the extra iss value in their payload---which for most events is complex to parse since their are no other extra claims.

Phil

On May 18, 2017, at 6:36 AM, Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> wrote:
Phil, would you clarify the use case and the requirement to ensure everyone on the list is aligned? Thanks

On Wed, May 17, 2017 at 9:45 PM Phil Hunt (IDM) <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote:
In many cases where we are talking about events (eg risc) there is no need for extra claims other than the event type itself.

It occurs to me that in the case of RP issued events the current sectoken format requires an embedded iss to deal with the conflict with the set issuer. It seems to add a lot of complication for most events.

What if we defined a new sectoken top level attribute 'subIss' to mean "subject issuer" and keep iss reserved for the SET issuer.

I would suggest this as a recommended attribute even when iss and subIss are the same for parsing consistency.

Thoughts?

Phil
_______________________________________________
Id-event mailing list
Id-event@ietf.org<mailto:Id-event@ietf.org>
https://www.ietf.org/mailman/listinfo/id-event<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=p1Vsd1Hb7BX87sV4x9MhtsGbORcuiacHxujwThSnWh4&s=ATYzOXXGto5afit3OgTjh19KczxKCvaBwC7ftofHMrs&e=>
--
Subscribe to the HARDTWARE<https://urldefense.proofpoint.com/v2/url?u=http-3A__hardtware.com_&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=p1Vsd1Hb7BX87sV4x9MhtsGbORcuiacHxujwThSnWh4&s=NGbCAfBEl5TtskWdjjWOY2cQJA3Fsy9QvntPnstyIkc&e=> mail list to learn about projects I am working on!
_______________________________________________
Id-event mailing list
Id-event@ietf.org<mailto:Id-event@ietf.org>
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=p1Vsd1Hb7BX87sV4x9MhtsGbORcuiacHxujwThSnWh4&s=ATYzOXXGto5afit3OgTjh19KczxKCvaBwC7ftofHMrs&e=

v2.23.0 | Report a Bug | By Email