IETF Logo Mail Archive

Re: [scim] [Technical Errata Reported] RFC7644 (7122)

Phillip Hunt <phil.hunt@independentid.com> Mon, 12 September 2022 15:45 UTC

Return-Path: <phil.hunt@independentid.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6887AC14F749 for <scim@ietfa.amsl.com>; Mon, 12 Sep 2022 08:45:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=independentid-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MKmX5ZsDk2Va for <scim@ietfa.amsl.com>; Mon, 12 Sep 2022 08:44:57 -0700 (PDT)
Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com [IPv6:2607:f8b0:4864:20::1036]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EFFEC14F727 for <scim@ietf.org>; Mon, 12 Sep 2022 08:44:57 -0700 (PDT)
Received: by mail-pj1-x1036.google.com with SMTP id p1-20020a17090a2d8100b0020040a3f75eso8564575pjd.4 for <scim@ietf.org>; Mon, 12 Sep 2022 08:44:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=independentid-com.20210112.gappssmtp.com; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc:subject:date; bh=/fXfFU0wOgZN0kFvldPcVFhQW0C9sLFTIWiGGVLRV4Q=; b=IcV9jTzybqN4PLsMO3kttW+BNPiI7gyXlDNKqlzsITE5okYNhdRTAdwSHKqXRxwJiO 5KcXdpXgKVUSnGrVq7e8IznKjXEXXq76KsuRu3dw5JIP8juwYHP55H8YxmEaAr3wEQQt dWxZGwEAIN/PONkgDwOGdYb6C+aCXZzAbSexUaSDE9AEfmAy2qWP5PLivaF1Vi/WnMRu L/Uf+Os47IBQ1FXhJAKlEv3ePbUOLc4gtULrmVQyDBUwr++Zt+DatcUeZ4G04QAL2FSS 3MKHp/C6qDBsphMzHaB8qkMvlg2d5Pdy3i7Tap7Ey8qzpbo/q5QAqAhhocj2dJr63I52 euwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc :subject:date; bh=/fXfFU0wOgZN0kFvldPcVFhQW0C9sLFTIWiGGVLRV4Q=; b=DGMVqhgmZ+ZIO9+05PmM7XzF4lnSDh6Yx+SV3Czsi7u5jvrLDgjnqo3BZPBVsgwtjF uV8Xp1WywNeQmJ4ecjQdCraTDXL+GLd5p3wCmjDkj7FqVtFbp/qDkPV0bvXRV3GBu5Zc oHw1O5/OASLfvmrY4xQKYSUsAYzz9M0wa1QyjIWw7XGzBt/09K8DwDW6hN80bP4vPcfZ Ix7bX+aH54UXb1qHOfj8RDmkwJoth2tZIlSu4KmuEbJw6EjbOUN3MFqkCZetRfqOGXfs U+lqoN0CHEjZanImOpptxcxGLyAfwSajQ1WfUEWsjnJzcN6JAQaz1KNkzeL/Fm3tAxij rWkw==
X-Gm-Message-State: ACgBeo2EPLTeRMBoWttzlUsSajR+DuFY8Z0ntHa9P9HSjofh9f6nAEj6 cDMWXfMPcsEg/h2tN6w7fxZFrQ==
X-Google-Smtp-Source: AA6agR6SRi1MD/kNzaNkG6ANjRuVyDJJIbiW1DAG1Ljdwy+tFGPNb8OYfewHh0DU2BgiV2QOs5vUtw==
X-Received: by 2002:a17:902:da81:b0:178:1d8b:6cb4 with SMTP id j1-20020a170902da8100b001781d8b6cb4mr11730527plx.43.1662997496621; Mon, 12 Sep 2022 08:44:56 -0700 (PDT)
Received: from smtpclient.apple (node-1w7jr9plyoqwtuw9lharvs4pu.ipv6.telus.net. [2001:569:540c:4900:7415:17bb:33cf:b1e2]) by smtp.gmail.com with ESMTPSA id a1-20020a1709027e4100b001743c51123esm6186411pln.72.2022.09.12.08.44.56 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 12 Sep 2022 08:44:56 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-41025AEF-1F25-4DFC-B2D0-9BB4AE91FF93"
Content-Transfer-Encoding: 7bit
From: Phillip Hunt <phil.hunt@independentid.com>
Mime-Version: 1.0 (1.0)
Date: Mon, 12 Sep 2022 08:44:55 -0700
Message-Id: <0E6FA89F-7081-49F1-8EA9-40CA5D0AD524@independentid.com>
References: <CAL0qLwbjM4vaJvmS6C-YfwKvUQ0vBdc2cFsmHtzuVjTOaVzgNQ@mail.gmail.com>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, francesca.palombini@ericsson.com, Nancy Cam-Winget <ncamwing@cisco.com>, egil@assimilated.dk, SCIM WG <scim@ietf.org>
In-Reply-To: <CAL0qLwbjM4vaJvmS6C-YfwKvUQ0vBdc2cFsmHtzuVjTOaVzgNQ@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
X-Mailer: iPhone Mail (19G82)
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/AGMI1zmvGQz4WJRwBSDmUMvxqig>
Subject: Re: [scim] [Technical Errata Reported] RFC7644 (7122)
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Sep 2022 15:45:02 -0000

Hold for Document Update seems best. 

Phil

> On Sep 12, 2022, at 8:14 AM, Murray S. Kucherawy <superuser@gmail.com> wrote:
> 
> 
> These are the possible answers:
> 
> https://www.rfc-editor.org/errata-definitions/
> 
> I agree that we can't use "Verified" since the text of the RFC represents the consensus at the time it was published.  We would normally verify an erratum if what the community meant to publish and what actually got published were not the same thing.
> 
> Perhaps "Hold For Document Update" is the appropriate response?
> 
> -MSK, ART AD
> 
>> On Fri, Sep 9, 2022 at 12:33 PM Phillip Hunt <phil.hunt@independentid.com> wrote:
>> 
>> As one of the RFC authors (phil.hunt@yahoo.com), I think this probably has to be rejected because it introduces a normative change.
>> 
>> 
>> Reason: The specified way to handle multi-valued attribute is to use a valuePath expression using “value” as the sub-attribute (even when the attribute is not complex) per: 
>>>  o  If the target location is a multi-valued attribute and a complex
>>>       filter is specified comparing a "value", the values matched by the
>>>       filter are removed.  If no other values remain after removal of
>>>       the selected values, the multi-valued attribute SHALL be
>>>       considered unassigned.
>> 
>> I agree the errata suggests an easier way that is likely supported in many implementations but still represents a normative change. There is also a side-effect if introducing new conditional logic on single valued attrubtes that were not originally intended.
>> 
>> As to the example cited in the errata the correct way to specify per the paragraph above is:
>> {
>>  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
>>  "Operations":[{
>>    "op":"remove",
>>    "path":”schemas[value eq \"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User\]""
>>  }]
>> }
>> 
>> With that said, I find myself sayinig why not?  The working group may wish to take this on in any SCIM 2.x discussions.
>> 
>> Phillip Hunt
>> @independentid
>> phil.hunt@independentid.com
>> 
>> 
>> 
>> 
>>> On Sep 8, 2022, at 3:33 AM, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>>> 
>>> The following errata report has been submitted for RFC7644,
>>> "System for Cross-domain Identity Management: Protocol".
>>> 
>>> --------------------------------------
>>> You may review the report below and at:
>>> https://www.rfc-editor.org/errata/eid7122
>>> 
>>> --------------------------------------
>>> Type: Technical
>>> Reported by: Egil Hansen <egil@assimilated.dk>
>>> 
>>> Section: 3.5.2
>>> 
>>> Original Text
>>> -------------
>>>   The "path" attribute is described by the following ABNF syntax rule:
>>> 
>>>                   PATH = attrPath / valuePath [subAttr]
>>> 
>>>                      Figure 7: SCIM PATCH PATH Rule
>>> 
>>>   The ABNF rules "attrPath", "valuePath", and "subAttr" are defined in
>>>   Section 3.4.2.2.  The "valuePath" rule allows specific values of a
>>>   complex multi-valued attribute to be selected.
>>> 
>>> Corrected Text
>>> --------------
>>>   The "path" attribute is described by the following ABNF syntax rule:
>>> 
>>>                   PATH = attrPath / valuePath [subAttr] / attrExp
>>> 
>>>                      Figure 7: SCIM PATCH PATH Rule
>>> 
>>>   The ABNF rules "attrPath", "valuePath", "subAttr", and "attrExp" are 
>>>   defined in Section 3.4.2.2. The "valuePath" rule allows specific 
>>>   values of a complex multi-valued attribute to be selected.
>>> 
>>> Notes
>>> -----
>>> In section 3.5.2.2. (Remove Operation), states:
>>> 
>>> "If the target location is a multi-valued attribute and a complex
>>> filter is specified comparing a "value", the values matched by the
>>> filter are removed.  If no other values remain after removal of
>>> the selected values, the multi-valued attribute SHALL be
>>> considered unassigned."
>>> 
>>> This means it should be possible to create a filter that selects a value from a multi-valued attribute that is not complex. Writing such a filter seems impossible without having "attrExp" as a possible legal PATH.
>>> 
>>> In section 3.4.2.2.  (Filtering) there is an example that shows how such a filter could look for a multi-valued attribute, i.e.:
>>> 
>>> filter=
>>> schemas eq "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
>>> 
>>> This would also work for a path filter, e.g.:
>>> 
>>> {
>>>  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
>>>  "Operations":[{
>>>    "op":"remove",
>>>    "path":"schemas eq \"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User\""
>>>  }]
>>> }
>>> 
>>> Instructions:
>>> -------------
>>> This erratum is currently posted as "Reported". If necessary, please
>>> use "Reply All" to discuss whether it should be verified or
>>> rejected. When a decision is reached, the verifying party  
>>> can log in to change the status and edit the report, if necessary. 
>>> 
>>> --------------------------------------
>>> RFC7644 (draft-ietf-scim-api-19)
>>> --------------------------------------
>>> Title               : System for Cross-domain Identity Management: Protocol
>>> Publication Date    : September 2015
>>> Author(s)           : P. Hunt, Ed., K. Grizzle, M. Ansari, E. Wahlstroem, C. Mortimore
>>> Category            : PROPOSED STANDARD
>>> Source              : System for Cross-domain Identity Management
>>> Area                : Applications and Real-Time
>>> Stream              : IETF
>>> Verifying Party     : IESG
>>

v2.23.0 | Report a Bug | By Email