IETF Logo Mail Archive

[Id-event] SET "aud" syntax

Mike Jones <Michael.Jones@microsoft.com> Thu, 09 March 2017 19:18 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: id-event@ietfa.amsl.com
Delivered-To: id-event@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A8B4128824 for <id-event@ietfa.amsl.com>; Thu, 9 Mar 2017 11:18:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.991
X-Spam-Level:
X-Spam-Status: No, score=-1.991 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SzGjhNGUPJZC for <id-event@ietfa.amsl.com>; Thu, 9 Mar 2017 11:18:11 -0800 (PST)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01on0121.outbound.protection.outlook.com [104.47.32.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1988C129853 for <id-event@ietf.org>; Thu, 9 Mar 2017 11:18:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=cYFCueD1ZDLn2JKenrzI+WnXGr+1rVvwLqUNgoSIM+M=; b=WUzMB6Adlv1uJKRAyVolkxK0Mz/u5ae3mxQVnE4dwK7giH82VSdql5J3bEscMlfyQ/AOREmeY/W8GKlsfKw8QEeT6oEeOH+X2DDLJfS3BAXoGm5vIfNYBnghwSjo1YSMdDVqNJGZmA3ZaGyH3EH9MX4FpzjGghtRWynCofz7wSc=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0503.namprd21.prod.outlook.com (10.172.122.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.0; Thu, 9 Mar 2017 19:18:04 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.0947.007; Thu, 9 Mar 2017 19:18:04 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, SecEvent <id-event@ietf.org>
Thread-Topic: SET "aud" syntax
Thread-Index: AdKZCdT8KD7l2FsjTkG5NuEqYeutbQ==
Date: Thu, 09 Mar 2017 19:18:03 +0000
Message-ID: <CY4PR21MB05043BDF7A572F0879766938F5210@CY4PR21MB0504.namprd21.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:5::7b4]
x-ms-office365-filtering-correlation-id: fc448319-9503-4af1-4396-08d467210297
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY4PR21MB0503;
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0503; 7:hJRYgSZcpzoGeQVgwN9rybh0/ByG3b2yQgxp8HOtjHtK7Tm89tynRJslCVjzWaWYce+lXRjCSzfDoC2wos7uO/n2gTsOeIOLdXVeUSiHV36nJtVOlIKm8EL5ICh1C4YihNe5sME3eMxoFCpIpNqeHTkBkULCyjWbJrP60DZXq82LLKxjioKg9n5zvzU/YmvCGAa0TC/M9rJAxROcJHEJ5awYtmXA2riDsKWGfy2cABDkLkmIPP/EzoRHVcSOEb0SYUpN/DqhkjMvPovnTEYrYuLCCUl8RmMFsMifOVTWOR+QZZkeI8ucnVvtZ8IpJES8BmcO1c3p+VuDmhbprihQlFumAH9gttl8IwoQ0l+IgfU=
x-microsoft-antispam-prvs: <CY4PR21MB0503766F67A24F2E0AEB1926F5210@CY4PR21MB0503.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123555025)(20161123562025)(20161123564025)(20161123560025)(6072148); SRVR:CY4PR21MB0503; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0503;
x-forefront-prvs: 0241D5F98C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39840400002)(39860400002)(39450400003)(39410400002)(39850400002)(377454003)(74316002)(7906003)(7736002)(86362001)(122556002)(6116002)(54356999)(8936002)(551544002)(25786008)(7696004)(236005)(189998001)(9686003)(54896002)(86612001)(53936002)(10290500002)(81166006)(102836003)(790700001)(39060400002)(53546006)(6436002)(6506006)(5660300001)(2900100001)(38730400002)(3660700001)(55016002)(8676002)(9326002)(6306002)(2906002)(77096006)(33656002)(10090500001)(606005)(99286003)(8990500004)(3280700002)(50986999)(5005710100001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0503; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB05043BDF7A572F0879766938F5210CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Mar 2017 19:18:03.9680 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0503
Archived-At: <https://mailarchive.ietf.org/arch/msg/id-event/yCRVVhoy_qik4KNeS7jmKjnVzJs>
Subject: [Id-event] SET "aud" syntax
X-BeenThere: id-event@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "A mailing list to discuss the potential solution for a common identity event messaging format and distribution system." <id-event.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/id-event>, <mailto:id-event-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/id-event/>
List-Post: <mailto:id-event@ietf.org>
List-Help: <mailto:id-event-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/id-event>, <mailto:id-event-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2017 19:18:14 -0000

Hi Yaron,

You commented below on the “aud” syntax, asking for it to be an array.  The “aud” syntax is already defined by RFC 7519 as:
   In the general case, the "aud" value is an array of case-
   sensitive strings, each containing a StringOrURI value.  In the
   special case when the JWT has one audience, the "aud" value MAY be a
   single case-sensitive string containing a StringOrURI value.

So that standard JWT libraries can be used with SETs, I believe we should just reference the RFC 7519 definition, something along the lines of “The syntax of the “aud” claim is as defined in Section 4.1.3 of [RFC 7519].”  Would that work for you?

                                                       -- Mike

From: Id-event [mailto:id-event-bounces@ietf.org] On Behalf Of Yaron Sheffer
Sent: Saturday, December 10, 2016 1:28 PM
To: SecEvent <id-event@ietf.org>
Subject: [Id-event] Some comments to draft-hunt-idevent-token-07


Hi, I finally read the draft in detail, and I do have a few comments.

My main suggestion is to tighten the specification of an Event, by defining more strictly the difference between "event" and "event extension" and tweaking the JSON structure a bit.

In addition, I think we should require the claim to be signed, since it will be used for security-sensitive activities across complex distributed systems.

  *   1: Why is signing optional? The publisher doesn't know how the subscriber's system is architected, and might well want end-to-end authentication of the claim. This is also important for auditing.
  *   1: "example events" - is specification of individual events (maybe only a few basic ones) within scope of our charter? Otherwise we cannot guarantee interop.
  *   1.2: principle -> principal
  *   2: "first value" is meaningless. JSON objects are unordered (4th paragraph of RFC 7159). If order is important, we could make "events" into an array.
  *   2: event extensions are not defined but only introduced by the text after they are described. Also, in the example there's this URL: https://​example.​com/​scim/​event/​pas​swor​dRes​etEx​t - I believe it needs to be part of the passwordReset object and not parallel to it.
  *   Why "events" and not "event"? We don't really have support for multiple events. Certainly not if they are all of the same type. The current text is confusing: "events" is not the same as "a primary event and its extensions".
  *   "In the above example "iss" and "sub" contained within the claim" - this is incorrect, probably leftover from an earlier version.
  *   "aud" MAY be a URI: shouldn't it be an array, maybe an array that contains a single URI?
  *   Why do we use the terms "single-valued" vs. "multiple-valued" strings? Why not use the normal JSON terminology, "string" vs. "array of strings"?
  *   Why is "sub" optional? Do we have any good examples of events where this value is not required?
  *   "a future date" - we should clarify that there may be cases when nbf is smaller than iat, i.e. when it takes some time until the SET is issued.
  *   "exp" - is it also a NumericDate? Please specify.
  *   In the medical example, it is strange that the event is named by a URL that points to an HTML page. I would expect a more stable URI.
  *   2.2: is encryption a MUST whenever there are attributes specified? If so, we should have a normative section saying so, not just mention it in the context of an example. Besides, we have not defined what attributes are.
  *   2.2: this section is confusing. We first say that the JWT must be encrypted. But then instead, we sign it, and we "sign" with a null algorithm. Why?
  *   Signed SETs MUST (not MAY) be validated by the subscriber.
  *   Also, I think we should remove the preconditions and always require signing, as a MUST. An optional signature is actually a security loophole because an attacker can remove the signature, and the subscriber doesn't know that it's missing.
  *   3.2: "that alone will not guarantee that the correct subscribing party knows they should have received a particular SET." The text is unclear to me. Do we mean: "that alone does not guarantee that a particular SET was delivered to the correct subscribing party"?
  *   We may want a separate Implementation Considerations section, and move "delivery", "sequencing" and "timing" into it. Yes they are security-relevant, just like anything else in this document, but they would apply just as well to any event stream protocol.
  *   3.3: this is the first time we mention provisioning. Do we really intend SETs to be used for that?
  *   3.3: ISTM that we should define a sequencing mechanism, rather than leave it open to profiles. E.g., require a sequence number whenever "txn" is used.
  *   3.4: Also, our timestamps only have 1 second granularity, and so are too coarse for session state (consider automated logins/logouts).
  *   3.5: Why don't we have an unambiguous way to distinguish SETs from access tokens, why leave it to implementers? Sounds like a major security issue in the making. We should consider here ALL implementations that accept access tokens, including legacy implementations that cannot be modified.
  *   4: The audit happens on the subscriber side. By then it is too late to require JWS to be used by the publisher. As mentioned, I propose that JWS should ALWAYS be required.
  *   4: "When sharing personally identifiable information" - we should remove this condition. I don't see a case where the information shared is NOT PII, and therefore legal agreements about information sharing and user consent must always be in place.
  *   4: I don't think the subject information is "perceived" as PII. It is PII, otherwise it would be useless to the subscriber, because the subscriber would not be able to identify the subject. Also, even if the information on the wire is not in itself PII, e.g. when using a hash, the fact that a publisher shares information that a particular user is also a user on its system and is undergoing certain state changes is privacy-sensitive.
  *   I suggest to add an Implementation Status section, per RFC 7942.

Thanks,

    Yaron

v2.23.0 | Report a Bug | By Email