WG Action: Formed Security Events (secevent)

The IESG <iesg-secretary@ietf.org> Fri, 28 October 2016 15:55 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-announce/_rB2VgLXoNXPakVRBN3wgkjgr3c>

A new IETF WG has been formed in the Security Area. For additional
information, please contact the Area Directors or the WG Chair.

Security Events (secevent)
-----------------------------------------------------------------------
Current status: Proposed WG

Chairs:
  Yoav Nir <ynir.ietf@gmail.com>

Assigned Area Director:
  Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>

Security Area Directors:
  Stephen Farrell <stephen.farrell@cs.tcd.ie>
  Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
 
Mailing list:
  Address: id-event@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/id-event
  Archive: https://mailarchive.ietf.org/arch/browse/id-event/

Charter: https://datatracker.ietf.org/doc/charter-ietf-secevent/

Many HTTP web services and APIs depend on a web security infrastructure
that:
  * identifies security subjects and regulates their access to services
  * and provides profile and rights information to applications.

Examples are systems that leverage user-agent session cookies
(RFC6265), and OAuth2 (RFC6749). In order to prevent or mitigate
security risks, or to provide out-of-band information as 
necessary, these systems need to share security event messages. 
For example, an OAuth authorization server, having received a 
token revocation request (RFC7009) may need to inform affected
resource servers; a cloud provider may wish to inform another 
cloud provider of suspected fraudulent use of identity 
information; an identity provider may wish to signal a session 
logout to a relying party and does not wish to rely solely upon 
clearing a session cookie.

It is expected that several identity and security working groups and
organizations will use Identity Event Tokens to describe area-specific
events such as: SCIM Provisioning Events, OpenID RISC Events, and
OpenID Connect Backchannel Logout, among others.

The Security Events working group will produce a standards-track Event 
Token specification that includes:
 - A JWT extension for expressing security events
 - A syntax that enables event-specific data to be conveyed

This Event Token specification will be event transport independent.

The working group will also develop a simple standards-track Event 
Delivery specification that includes:
 - A mechanism for delivering events using HTTP POST (push)
 - Metadata for describing event feeds
 - Methods for subscribing to and managing event feeds
 - Methods for validating event feed subscriptions


Milestones:
  Feb 2017 - Initial adoption of event token and event delivery drafts
  Jun 2017 - WG last call of event token draft
  Aug 2017 - Event token draft to IESG as a Proposed Standard
  Nov 2017 - WG last call of event delivery draft
  Jan 2018 - Event delivery draft to IESG as a Proposed Standard
  Mar 2018 - Recharter or Conclude