IETF Logo Mail Archive

Re: [Id-event] WG Last Call for draft-ietf-secevent-token-02

Mike Jones <Michael.Jones@microsoft.com> Tue, 24 October 2017 00:05 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A91C413ADD2 for <id-event@ietfa.amsl.com>; Mon, 23 Oct 2017 17:05:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.019
X-Spam-Level:
X-Spam-Status: No, score=-2.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lbef0nx9TIGb for <id-event@ietfa.amsl.com>; Mon, 23 Oct 2017 17:05:12 -0700 (PDT)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0129.outbound.protection.outlook.com [104.47.40.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A93A813A5BC for <id-event@ietf.org>; Mon, 23 Oct 2017 17:05:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=+3sQzK3Qw3AOQxnWjyWajETGhrnM+1I3Kn/ZQfX9RjA=; b=iFIsNIipqnhQT7QZ0r4tLCvpllyPcan+ATXHXIq6XiQnsroPDWhnmqcj0WRPtchwloFkIeEGKhtnC6wAIvd16VINm2mJQJVw8h5btenGrcW08LuIZzXTB2eCI92uA4lm6KX8OMEvEuVokUJa+p1H3j3VmYtUvpGaFusCVnI4g2U=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0839.namprd21.prod.outlook.com (10.173.192.140) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.197.0; Tue, 24 Oct 2017 00:05:11 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.20.0197.001; Tue, 24 Oct 2017 00:05:11 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Marius Scurtescu <mscurtescu@google.com>, Yaron Sheffer <yaronf.ietf@gmail.com>
CC: SecEvent <id-event@ietf.org>
Thread-Topic: [Id-event] WG Last Call for draft-ietf-secevent-token-02
Thread-Index: AQHTCj09LrxBWiFA7kmsguwQioPAmaJxnOSAgID7ziA=
Date: Tue, 24 Oct 2017 00:05:10 +0000
Message-ID: <CY4PR21MB05044FEC88C9019A9E9BD146F5470@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <e6649728-f94a-93f5-9885-c948a5b0ed49@gmail.com> <CAGdjJpJtfV9q2iaL-uao1b7XpQjx5uJrX=fnoM36POXLFYrqow@mail.gmail.com>
In-Reply-To: <CAGdjJpJtfV9q2iaL-uao1b7XpQjx5uJrX=fnoM36POXLFYrqow@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Ref=https://api.informationprotection.azure.com/api/72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=mbj@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2017-10-23T17:05:09.8493188-07:00; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
x-originating-ip: [2001:4898:80e8:5::42f]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0839; 6:wc+SJ3mhHZdIM+o5rut6U2QUx/ilE2SxMbvblgtDXGDOITWN+YcG+D4ma7BtNN+sTeKEMmrKorkDm8fpB9IQvibgkMG1sdMthuni0ziiLdqYuh/l+3Y1xvViMgu3V2Q5QDqk5N1bHhaqIsGkLIHRMPv3pBgXBshNiaaG0qUpdBjrevT13dJ0N7lvBDoD+cxLBKyNcfWBjFL9cxTo/Jrw4dMM0TIR7468tNBuyqY1Ks9WTzq/KQ8DfLiSs3vICUgHHGKaLomAJdMCn1EAYO7nkCBOjoFwVn/UUNZJQr6Oj2wyaUTTsAcKpLq50A/uADoah944/u7Ll/S8DMQSwkEj7C+GM3jkyVvEIexUXmsSUGg=; 5:Qpp+H9Rkp3m5BAwaclw1Y4k0LNGBoPmnhYYYNDA7BBQtAwyPwdgwmNDHgss1+CaCTaMLAjqsaQKoO/bPpKCJZ7QVZrSsGpfZPqHP9nVCmM2dN2RpWbRU5AllGZDnGPxCHQCo8dMToIQkoPdZQ9C+4tgi4JZiTaqexkZw9BKlLdQ=; 24:HYrz90q8P3V1aqfSVJAaWT+CesB2s95rW+um1RtZu3Bi/0UGt9oSA5zhZbIBkfFgl/T4nssnPFIcodWnCCrq6ShQKvpX6XliGT0gneRwQwQ=; 7:YbBafcdjSBx1gFL2D5u+QXXIHIb7vX+4Ev+FzOk2NbDKYM21LjvFDUVKSOhFytrZiZPrkvVQwH/WnilcPEJzw8McS4OYklN1jBoE8EgHobOyI6DHlnvphAPOw+VygFT45ZCNSZQVgYnZc2CvN0OG0wZnS0Ige4ZNZLlUvKZz9eWaDYx846rR6VAXeXHNTi1+WYb1gx+6/evi5mhwbPa1kTejyByhqd9XceVL+/yW1xH9Mcr0cl8THC/xuhvm0yRB
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 0984cbae-81be-4c81-2948-08d51a72e4e8
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081)(4534020)(4602075)(4627075)(201703031133081)(201702281549075)(2017052603229); SRVR:CY4PR21MB0839;
x-ms-traffictypediagnostic: CY4PR21MB0839:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-exchange-antispam-report-test: UriScan:(120809045254105)(21748063052155);
x-microsoft-antispam-prvs: <CY4PR21MB0839987F6B4B47CD4BCEFBFDF5470@CY4PR21MB0839.namprd21.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(61425038)(6040450)(2401047)(8121501046)(5005006)(93006095)(93001095)(3002001)(3231020)(10201501046)(100000703101)(100105400095)(6055026)(61426038)(61427038)(6041248)(20161123558100)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123564025)(20161123560025)(20161123562025)(20161123555025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY4PR21MB0839; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY4PR21MB0839;
x-forefront-prvs: 047001DADA
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(346002)(39860400002)(47760400005)(43784003)(69234005)(51914003)(24454002)(189002)(199003)(316002)(6306002)(110136005)(54896002)(236005)(3660700001)(9686003)(99286003)(55016002)(97736004)(2900100001)(2906002)(10090500001)(6116002)(102836003)(790700001)(561944003)(22452003)(53936002)(33656002)(86612001)(6246003)(86362001)(39060400002)(230783001)(7696004)(189998001)(4326008)(19609705001)(3280700002)(2950100002)(77096006)(106356001)(5660300001)(53546010)(68736007)(6506006)(50986999)(101416001)(229853002)(76176999)(54356999)(105586002)(6436002)(25786009)(74316002)(8676002)(10290500003)(7736002)(478600001)(8990500004)(81156014)(81166006)(8936002)(606006)(14454004)(72206003)(966005); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0839; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB05044FEC88C9019A9E9BD146F5470CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0984cbae-81be-4c81-2948-08d51a72e4e8
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Oct 2017 00:05:10.9855 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0839
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/x0EDr0Hc_JMZ3zMS3tXHdYp6UJs>
Subject: Re: [Id-event] WG Last Call for draft-ietf-secevent-token-02
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Oct 2017 00:05:14 -0000

Thanks for the useful review comments, Marius.  The proposed resolutions that Annabelle and I discussed in-person are as follows.

From: Id-event [mailto:id-event-bounces@ietf.org] On Behalf Of Marius Scurtescu
Sent: Wednesday, August 2, 2017 2:46 PM
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: SecEvent <id-event@ietf.org>
Subject: Re: [Id-event] WG Last Call for draft-ietf-secevent-token-02

The abstract mentions "issuer" and "receiver" in the last sentence. "receiver" does not sound right (that should be used in the context of a transmitter), but I don't have a better suggestion. Audience?

JWT [RFC 7519], JWS, JWE, etc. uniformly use the term “recipient” for this concept.  I believe we should do the same.

The last paragraph of section 1 mentions "subscriber". I think it should be either "receiver" or "audience".

“recipients” seems right here again, both for consistency sake, and because the plain English meaning matches the intended semantics.

The explanation for figure 1 states that the issuer denotes the transmitter. If the issuer and the transmitter are assumed to be the same entity, then the transmitter definition in section 1.2 should make that clear.

I believe that the “transmitter” is intended to be able to be different than the “issuer”.  JWT uses the term “issuer” and not “transmitter”, FYI.  I believe that some of the uses of “transmitter” should actually be “issuer” – in particular this needs to be changed “An "iss" claim, denoting the Event Transmitter.”  An “Event Issuer” definition probably needs to be also added.  I’ll take a crack and normalizing this terminology usage, both to match JWT, and to make the “issuer” / “transmitter” distinction clear.

Figure 3, I think the "sub" claim should be nested in the event, next to the issuer that provides the correct context. The "iss" and "sub" definitions in 2.1 also touch on this, providing conflicting advice.

OK, in this case, I think I’m fine with the proposed change.

Section 2,1, definition of "nbf". The definition says that this is the event time. I see two problems:
- the name suggest "not before", not exactly the same as event time
- there can be multiple events
maybe this claim should be dropped?

At least Annabelle and I agreed with you that dropping this claim description from the SET makes sense, as it’s described usage is currently kind of a hack.  (“nbf” could still be used by some profiles in its usual JWT manner without the SET spec saying anything about it.)  We propose replacing it with the “toe” (time of event) claim described in the thread “[Id-event] Replacing "nbf" claim with a new "toe" claim”.

Section 2.1, definition of "exp". Omitting this claim is the short term solution to the confusion issue. Why not mention that and that it SHOULD NOT be used?

It’s said that it should not be used because it’s one of the most commonly used claims in other JWTs and this paragraph gives us a place to describe the rationale for not using it in SET profiles.

Section 2.1, definition of "events". It states that all events must refer to the same logical event. Lately in discussions we reached the conclusion that all events in a SET should be defined in the same profile, which is a stronger requirement. I think this definition should mention that.

I’m OK adding a statement that they should all be from profiles with compatible claims usage, which I think is what you’re actually after.

Regarding events and profiles. There was a proposal to add a new claim to uniquely identify the profile. I think we need to discuss that.

As discussed on the list, the problem with adding a new “profile” claim is that it duplicates information already derivable from the event URIs.  This can lead to error conditions that are otherwise impossible, because inconsistencies can arise.  Also, per the previous reply events need to be from compatible profiles – not necessarily the same profile – and so a singleton “profile” claim wouldn’t actually work in the general case.

Figure 5. Maybe a signed example would be better, especially that the next paragraph mentions that signatures or encryption should be used.

Unsigned keeps the draft shorter. ;-)

Section 4.5, second paragraph. Mentions that "nonce" is also required, but that is not actually true. Id Tokens issued at the token endpoint for example will not have it. I suggest we drop the whole paragraph.

Good catch.  It should really be qualified to say “it would not contain the correct "nonce" claim value for the ID Token to be accepted in contexts for which substitution is possible”.

                                                                Thanks again, Marius!
                                                                -- Mike
Marius

On Mon, Jul 31, 2017 at 1:40 PM, Yaron Sheffer <yaronf.ietf@gmail.com<mailto:yaronf.ietf@gmail.com>> wrote:
This is to announce working group last call on this draft (https://datatracker.ietf.org/doc/draft-ietf-secevent-token/).

Please send your comments to the list. Even if you are perfectly happy with the draft, please let us know that you support its publication as-is by posting to the list.

Because of the summer holidays, this last call is open for 3 weeks, until Aug. 21.

Thanks,
    Dick and Yaron

_______________________________________________
Id-event mailing list
Id-event@ietf.org<mailto:Id-event@ietf.org>
https://www.ietf.org/mailman/listinfo/id-event

v2.23.0 | Report a Bug | By Email