IETF Logo Mail Archive

Re: [Id-event] I-D Action: draft-ietf-secevent-subject-identifiers-11.txt

Prachi Jain <prachi.jain1288@gmail.com> Wed, 13 July 2022 16:18 UTC

Return-Path: <prachi.jain1288@gmail.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A27DC15A720 for <id-event@ietfa.amsl.com>; Wed, 13 Jul 2022 09:18:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.854
X-Spam-Level:
X-Spam-Status: No, score=-1.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i2OpEgkIWw3P for <id-event@ietfa.amsl.com>; Wed, 13 Jul 2022 09:18:12 -0700 (PDT)
Received: from mail-yb1-xb32.google.com (mail-yb1-xb32.google.com [IPv6:2607:f8b0:4864:20::b32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B78AFC14CF03 for <id-event@ietf.org>; Wed, 13 Jul 2022 09:18:12 -0700 (PDT)
Received: by mail-yb1-xb32.google.com with SMTP id y195so20146695yby.0 for <id-event@ietf.org>; Wed, 13 Jul 2022 09:18:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5bRzB5OdlOmwVON9U19huAteAmn3VLj7ApJFP7HFQi0=; b=muOwfoa+P+w/oRYHOMT0/TIirzSdyTsxt5iaPugEkEebjxC4BUgwkVAGdyXyYSWWfw XN4YOXRtM93iLWLJDQrknR75V23i/ycg4kSQWinnCooTBrHQ1DwYnaCr+mUQbPKCkBRi Vx5iyRdXDKN482t4qPFi2XML4+TuC7ZIxNwqOZUpFMw1W+eu/GoCFtjLXuAxec5sJ26U mlaWXKGpCKpBLJkEW28JSxwRYb9TFVIO4Edpr+Usb2zidNwR5UwhWMkA1y1p9343Me1v LztcOaE9nivrKfGyoVgEXGt7ENafYt2Zx9wL5N8yjaN2ijc8gt/2whIV4Pggo/6ygBkO w5mA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5bRzB5OdlOmwVON9U19huAteAmn3VLj7ApJFP7HFQi0=; b=gVtqfXJ12sd4yTkVhyerAxJknzV2bKMcyc0pjgp1nAgnhEprxqHuXsx0z/wvKxRGZA 8vkCsb7vJhBRPOSnW3M19OEXo/9dgrq//OgTZ7kB3kdUNGa32B7jhZ9vmUdlFeTYjg2e 1jvHnFlJm9qAeaG+ok0pQXgpV/ZnS9xZB6nk880YjHcaXmux+cR3wEM4Wj4ZPHKzKihd 2eTxDAY9ss84MvgBwKi1Ye3xpEcBktejECcw6xDh+FRJRPoVuKH1kf/JsfVUJA8G4T7+ GPu5fcn3JMx6pkYu41xRJ89fcnVHZ00gefQoSWoMhVO+jSlt4Pl/rQ06AL83Nq5LmYeW qpkA==
X-Gm-Message-State: AJIora9CZMFNwzpAkOr9F4Oxa80jkO/jft3+/o7Fo0JmTcT+wrww5ZwT ljYffy/m3Vmh550ZR7nvjHH1J0fSG5XMIYApTok=
X-Google-Smtp-Source: AGRyM1sEpMNTcn0/9yXHwklCfHA3BmClfrEFLM2XAwQEQdsE9BgHM6gmKH3rBv0FAegiOsPA6HPa1JDZYDlIhBCnYUE=
X-Received: by 2002:a25:1f86:0:b0:668:c551:e01a with SMTP id f128-20020a251f86000000b00668c551e01amr4675416ybf.350.1657729091681; Wed, 13 Jul 2022 09:18:11 -0700 (PDT)
MIME-Version: 1.0
References: <165057098708.9791.15663968524996247808@ietfa.amsl.com> <0c05d86964e544818799c817287ebe2e@oc11expo18.exchange.mit.edu> <D881C6F7-5A08-4692-AEF5-54E6B6EC7793@amazon.com> <6056BB4E-5094-4AF5-B2E9-435C4E7C7B3A@mit.edu> <AB291F3C-D908-43D1-99F2-C4E121A5DFA1@mit.edu> <CAA1-vB03xh=CsjbFxWed+zYJ-j9YM9reXwY3HmrB=8BHz_ndEQ@mail.gmail.com> <CAA1-vB3hip0hyegWL7Rm7xNMeAcYJWBtPFFUA3uRT9BcppC+Ag@mail.gmail.com> <7781E80F-F81A-4F61-B5A8-DFA71546680C@mit.edu>
In-Reply-To: <7781E80F-F81A-4F61-B5A8-DFA71546680C@mit.edu>
From: Prachi Jain <prachi.jain1288@gmail.com>
Date: Wed, 13 Jul 2022 11:18:00 -0500
Message-ID: <CAA1-vB0zG4dAGHRVFqhjN+gzbb_Fh7XVYkt=WQq3VTTG0jxpgQ@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: "Backman, Annabelle" <richanna@amazon.com>, "id-event@ietf.org" <id-event@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a4c2af05e3b221e7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/v4wF1yk_KgMZVtS4KAdqOzw5B0c>
Subject: Re: [Id-event] I-D Action: draft-ietf-secevent-subject-identifiers-11.txt
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2022 16:18:14 -0000

That's the plan, Justin.
I have the repository forked and ready. I will publish as soon as
datatracker opens. Thank you for the advice. Appreciate it !! Sorry, I am
still learning the ropes here 🙂

-Prachi

On Wed, Jul 13, 2022 at 11:14 AM Justin Richer <jricher@mit.edu> wrote:

> Prachi,
>
> It’s unfortunate that you don’t have access to Annabelle’s GitHub
> repository, but hopefully she can get you added. If not, you can always
> fork the repository and keep the code there if she’s unavailable to add you
> to the permissions list. Additionally, you can take the XML file and upload
> it as a new version directly, without merging it in GitHub (though having a
> record in GitHub is preferable).
>
>  — Justin
>
> On Jul 12, 2022, at 11:42 PM, Prachi Jain <prachi.jain1288@gmail.com>
> wrote:
>
> Hi Justin,
>
> Your changes look good to me and I created another PR
> <https://github.com/richanna/secevent/pull/9> incorporating your updates
> and some. Again thank you for creating the PR. I cannot merge since I don't
> have write access to the repo.
> @Backman, Annabelle <richanna@amazon.com>  Can you please review and
> merge the changes? I will publish draft-12 as soon as datatracker opens.
>
>
> -Prachi
>
>
>
> On Tue, Jul 12, 2022 at 10:36 AM Prachi Jain <prachi.jain1288@gmail.com>
> wrote:
>
>> Thanks for submitting the PR, Justin. Appreciate it !!
>> I will take a look later today and publish if no changes need to be made.
>>
>> -Prachi
>>
>> On Tue, Jul 12, 2022 at 10:30 AM Justin Richer <jricher@mit.edu> wrote:
>>
>>> I haven’t heard anything from the editors on this, so I went ahead and
>>> created a PR to restore the DID language that was accepted during WGLC, as
>>> well as add a generic URI format, as discussed in the email thread below.
>>>
>>> https://github.com/richanna/secevent/pull/8
>>>
>>> I would encourage the editors to accept this change and publish a new
>>> version once the datatracker opens again, and hopefully we can move this
>>> document forward to its next review stages.
>>>
>>>  — Justin
>>>
>>> On May 31, 2022, at 4:25 PM, Justin Richer <jricher@mit.edu> wrote:
>>>
>>> Annabelle and I have had a chance to discuss this directly, but I wanted
>>> to take a moment to record my response here for the group as well. I
>>> believe we now understand each other that the `did` format should be
>>> restored, alongside a generic `uri` format, with overall guidance on where
>>> and how to use each. Namely, use the most specific semantically appropriate
>>> format that you can. The reasons for my stance, and what I believe are the
>>> conclusions we agreed to, are discussed inline below:
>>>
>>> On May 18, 2022, at 6:29 PM, Backman, Annabelle <richanna@amazon.com>
>>> wrote:
>>>
>>> There appear to be some issues with -11:
>>>
>>>    1. The definition for `did` was removed, but not the `did` entry in
>>>    the format registry
>>>    2. No replacement `url` format was added.
>>>
>>>
>>> Justin, my understanding is that your concerns are directed at the
>>> proposal to *replace* `did` with `url`, and thus would not be addressed
>>> by adding the missing `url` format. Is that correct? Assuming that is the
>>> case...
>>>
>>>
>>> My concerns with the removal of `did` would NOT be addressed by the
>>> addition of a generic `url` or `uri` format. The primary reason for this,
>>> and to me a primary driver for the subject identifiers work, is that the
>>> subject identifier format defines not only the syntax of the identifier but
>>> also its semantic content. I do not believe that it is appropriate to
>>> remove the semantic information from the format and push it all down into
>>> the lower layer.
>>>
>>>
>>> Replacing `did` with `url` doesn't push the semantic information
>>> anywhere; the semantic information is there in the lower layer already.
>>> Having a separate `did` format pulls that information up into the subject
>>> identifier format layer, encoding the same information twice. That
>>> significantly complicates processing and could hurt interoperability.
>>>
>>>
>>> In fact, it does the opposite. One could make the argument that because
>>> we have “mailto:” URLs (rfc2368) and “tel:” URLs (rfc3966) then we
>>> don’t actually need the `email_address` or `phone_number` formats either,
>>> since we could just encode all that in the URL itself. And then there’s no
>>> need for an `opaque` because you could easily use a `urn` to solve that
>>> problem. Even the issuer/subject pair COULD be formatted as a single URL,
>>> if someone just sat down and made a syntax for it (and people argued for
>>> exactly that in OIDC, but it didn’t get anywhere).
>>>
>>> So, in that world, why even bother with the subject identifiers? Let me
>>> tell you why:
>>>
>>> When I’m creating a subject identifier block in my application, I know
>>> what kind of identifier it is. I want to tell the receiver that I
>>> specifically know what kind of identifier it is. The syntax for formatting
>>> the identifier itself is incidental to this — particularly if that syntax
>>> is itself a URL.
>>>
>>>
>>> Consider the scenario where we have both `url` and `did` format types.
>>> An issuer might encode a DID using either format type; do processors that
>>> expect DIDs need to support both? If so then we've just made their lives
>>> harder. More likely, some would support both and some wouldn't, leading to
>>> unnecessary pain for parties that have to interoperate across processors
>>> and/or issuers.
>>>
>>>
>>> We’d expect to use `did` here. I would not expect a processor to support
>>> both formats if they’re specifically looking for DIDs.
>>>
>>>
>>> Now consider the scenario where we just have `url`. A processor that
>>> accepts DID URLs (possibly alongside other non-URL identifier formats) and
>>> no other URL types will see the `url` format, assume the value is a DID,
>>> and attempt to validate it or otherwise process it as a DID. Note that this
>>> step is necessary even if we have a `did` format, as it's always possible
>>> that the issuer provided a malformed subject identifier. Likewise, a
>>> processor that expects some other type of URL (e.g., an https URL) will
>>> have to parse the URL and confirm it has the expected scheme, and depending
>>> on the use case may also need to apply other security checks (e.g.,
>>> matching against allowed origins, ensuring that the URL doesn't contain a
>>> username or password, etc.).
>>>
>>>
>>> This is exactly why we shouldn’t have just `url` without other layers.
>>> If I’m processing a URL as an identifier, I may or may not want to do
>>> specific things with that URL. Or it might simply just be an identifier
>>> string, like someone’s homepage. I would be much more comfortable if the
>>> `url` format did not have any additional processing implied, but that more
>>> specific formats could require such processing, as you’d expect a DID to do
>>> in most cases.
>>>
>>> I think the malformed subject identifier example is a strawman - any
>>> identifier could be “malformed”. But instead of allowing the processor to
>>> have a much more limited check of “is this a DID?”, we now have to have a
>>> wider check of “is this a URL, is it a kind I know how to process, and is
>>> there more processing that I need to do with it?”, and that’s where all of
>>> the problems in the above example come in to play.
>>>
>>>
>>> In the case where a processor accepts both DIDs and some other type of
>>> URL, they have to parse and validate the URL and then branch based on the
>>> scheme, instead of just branching based on the identifier format.
>>>
>>>
>>> Could a processor figure out that there was a DID url inside of a `url`
>>> block? Sure — but those are semantically different identifiers, just like
>>> if I had put a `mailto:` URL inside of a `url` block, I would not
>>> expect that to be treated with any particular equivalence to the same email
>>> address in an `email_address` block. And I think the draft can actually be
>>> explicit about that distinction:
>>>
>>>  - there’s no guarantee of equivalence between the information in
>>> different formats
>>>  - you should use the most specific format for the information you’re
>>> trying to convey
>>>
>>>
>>> Are there other scenarios where the issuer or processor encounters more
>>> significant pain if we just have `url` versus if we have `url` and `did`?
>>>
>>>
>>> Yes, I think the entire act of punting everything to the lower layer
>>> causes nothing BUT pain. This confusion stems from the fact that both URIs
>>> and the subject identifier formats both specify some level of semantic and
>>> syntactic constraint. However, mixing them in the way proposed is deeply
>>> problematic and would be disastrous in practice.
>>>
>>> As such, the subject identifiers format should continue to provide
>>> semantic information about its contents, just like it has in the past
>>> before draft -10, and not simply turn into a meaningless way to put URLs
>>> into a JSON object.
>>>
>>>  — Justin
>>>
>>>
>>> —
>>> Annabelle Backman (she/her)
>>> richanna@amazon.com
>>>
>>>
>>>
>>>
>>> On Apr 26, 2022, at 5:36 PM, Justin Richer <jricher@mit.edu> wrote:
>>>
>>> CAUTION: This email originated from outside of the organization. Do not
>>> click links or open attachments unless you can confirm the sender and know
>>> the content is safe.
>>>
>>>
>>>
>>> I strongly disagree with the editor's removal of "did" from the spec and
>>> the reasons for doing so.pushing the semantic information off into a lower
>>> layer is not helpful in terms of complexity nor application. Now an
>>> application will need to parse the various url's to know what they are
>>> instead of being told in the data structure what's in there.
>>>
>>> -Justin
>>> ________________________________________
>>> From: Id-event [id-event-bounces@ietf.org] on behalf of
>>> internet-drafts@ietf.org [internet-drafts@ietf.org]
>>> Sent: Thursday, April 21, 2022 3:56 PM
>>> To: i-d-announce@ietf.org
>>> Cc: id-event@ietf.org
>>> Subject: [Id-event] I-D Action:
>>> draft-ietf-secevent-subject-identifiers-11.txt
>>>
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>> directories.
>>> This draft is a work item of the Security Events WG of the IETF.
>>>
>>>        Title           : Subject Identifiers for Security Event Tokens
>>>        Authors         : Annabelle Backman
>>>                          Marius Scurtescu
>>>                          Prachi Jain
>>>        Filename        : draft-ietf-secevent-subject-identifiers-11.txt
>>>        Pages           : 22
>>>        Date            : 2022-04-21
>>>
>>> Abstract:
>>>   Security events communicated within Security Event Tokens may support
>>>   a variety of identifiers to identify subjects related to the event.
>>>   This specification formalizes the notion of subject identifiers as
>>>   structured information that describe a subject, and named formats
>>>   that define the syntax and semantics for encoding subject identifiers
>>>   as JSON objects.  It also defines a registry for defining and
>>>   allocating names for such formats, as well as the sub_id JSON Web
>>>   Token (JWT) claim.
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-secevent-subject-identifiers/
>>>
>>> There is also an htmlized version available at:
>>>
>>> https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers-11
>>>
>>> A diff from the previous version is available at:
>>>
>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-secevent-subject-identifiers-11
>>>
>>>
>>> Internet-Drafts are also available by rsync at rsync.ietf.org
>>> ::internet-drafts
>>>
>>>
>>> _______________________________________________
>>> Id-event mailing list
>>> Id-event@ietf.org
>>> https://www.ietf.org/mailman/listinfo/id-event
>>>
>>> _______________________________________________
>>> Id-event mailing list
>>> Id-event@ietf.org
>>> https://www.ietf.org/mailman/listinfo/id-event
>>>
>>>
>>>
>>> _______________________________________________
>>> Id-event mailing list
>>> Id-event@ietf.org
>>> https://www.ietf.org/mailman/listinfo/id-event
>>>
>>>
>>> _______________________________________________
>>> Id-event mailing list
>>> Id-event@ietf.org
>>> https://www.ietf.org/mailman/listinfo/id-event
>>>
>>
>

v2.23.0 | Report a Bug | By Email