Re: [scim] SCIM Events: Github Issue #26, PR#28 (Input requested)

"Saxe, Dean" <deansaxe@amazon.com> Mon, 11 December 2023 23:50 UTC


My reasoning is twofold:

First, SCIM is not a protocol for sending security events/signals/data, it’s a protocol for synchronization of resources (human and otherwise) between disparate systems.  Signaling, as described in the draft, is not a security function, it’s a mechanism to ensure that the systems are in sync.  Further, the draft enables asynchronous processing of bulk updates to the server using SETs to convey the state of the async bulk updates.

Second, the RISC and CAEP protocols sufficiently cover this space and do so with more granularity than is offered in this specification.  CAEP has a well-defined set of credential change signals<https://openid.net/specs/openid-caep-specification-1_0.html#rfc.section.3.3>. RISC profiles signals regarding credential recovery activation<https://openid.net/specs/openid-risc-profile-specification-1_0.html#rfc.section.2.9> and changes to how credential recovery is configured<https://openid.net/specs/openid-risc-profile-specification-1_0.html#rfc.section.2.10>.

I feel that profiling these in the proposed standard would conflict with the work already occurring in the OpenID Foundation specifications which have reached Implementers Draft.

Thanks,
-dhs

--
Dean H. Saxe, CIDPRO<https://idpro.org/cidpro/> (he/him)
Senior Security Engineer, AWS Identity Security Team | Amazon Web Services (AWS)
E: deansaxe@amazon.com<mailto:deansaxe@amazon.com> | M: 206-659-7293<tel:206-659-7293>

From: scim <scim-bounces@ietf.org> on behalf of Phillip Hunt <phil.hunt@independentid.com>
Date: Sunday, December 10, 2023 at 2:24 PM
To: SCIM WG <scim@ietf.org>
Subject: [EXTERNAL] [scim] SCIM Events: Github Issue #26, PR#28 (Input requested)

Dean has requested that SCIM Signals be removed from the specification as they duplicate RISC specifications published by OpenID Foundation. WG input is requested:
References:

Privacy considerations - Risk Signals Events · Issue #26 · ietf-scim-wg/draft-ietf-scim-events <https://github.com/ietf-scim-wg/draft-ietf-scim-events/issues/26>

Removed authMethod/pwdReset from IANA registry by dhs-aws · Pull Request #28 · ietf-scim-wg/draft-ietf-scim-events <https://github.com/ietf-scim-wg/draft-ietf-scim-events/pull/28>

This request means removing section 2.5.  A copy of that section is posted below.

Reasons to have Section 2.5:

1.  A provisioning endpoint such as SCIM may be the originating source of the security signal.  The events are expressed using SCIM Identifiers rather than OpenID’s much more complex system (which uses per feed configurable identifiers).
2.  Because of signing requirements, a SCIM Signal might get republished as part of a larger or different security signals system before distributing to a third party.  For example, the SCIM subject identifier is translated along with the event into a proper RISC event. This may be done because the SCIM system doesn’t have the full OIDC context of the resource (e.g. because they may run off a different identity data store).
3. Authentication factor changes and password resets might trigger other provisioning workflows.
4. Changes to authentication attributes are not typically propagated as provisioning events because the raw values are not and should not be made available.

I am neutral on this issue. I can see both sides of the concern.

Please reply with your comments and indicate:

YES - Please remove section 2.5 SCIM Signals Events

NO - Please leave section 2.5 as is (or with proposed changes)

Thanks,

Phil
phil.hunt@independentid.com

Section 2.5

2.5.  SCIM Signals Events

   This section defines security signal events that have occurred within
   a SCIM Service Provider.  The URI prefix for these events is:
   urn:ietf:params:SCIM:event:signal

2.5.1.  urn:ietf:params:SCIM:event:sig:authMethod

   A new authentication method has been added to the User profile.  As
   attackers often use new authentication methods to lock-out Users from
   their account, this signal can be used by the receiver that the
   chance of account them may be temporarily elevated.  The receiver MAY
   also wish to take action such as resetting current authorizations or
   sessions.

   {
     "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
     "sub_id": {
       "format": "scim",
       "uri": "/Users/44f6142df96bd6ab61e7521d9"
     },
     "events":{
       "urn:ietf:params:SCIM:event:sig:authMethod": {}
     },
     "iat": 1458496025,
     "iss": "https://scim.example.com"
   }

         Figure 12: Example SCIM Authentication Factor Change Event

2.5.2.  urn:ietf:params:SCIM:event:sig:pwdReset

   The specified resource (e.g.  User) has changed its password or the
   password has been reset.  When the password has changed, the
   attributes attribute is supplied with the value "password".

   {
     "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
     "sub_id": {
       "format": "scim",
       "uri": "/Users/44f6142df96bd6ab61e7521d9"
     },
     "events": {
       "urn:ietf:params:SCIM:event:sig:pwdReset": {}
     },
     "iat": 1458496025,
     "iss": "https://scim.example.com",
     "aud":[
       "https://jhub.example.com/Feeds/98d52461fa5bbc879593b7754",
       "https://jhub.example.com/Feeds/5d7604516b1d08641d7676ee7"
     ]
   }

               Figure 13: Example SCIM Password Change Event
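As an added example (not part of the draft or of either message above), this is a receiver-side check of a decoded SCIM Signal SET claim set as section 2.5 describes it: required claims, the "scim" sub_id format, the two registered "sig" event URIs, the iat acceptance window and the aud list of Figure 13. The receiver feed URL, the acceptance window and the action labels are assumptions; JWS signature verification of the SET is assumed to have happened before this code runs.

```python
import time

# Event URIs exactly as quoted in section 2.5 of the draft
SIG_PREFIX = "urn:ietf:params:SCIM:event:sig:"
AUTH_METHOD = SIG_PREFIX + "authMethod"
PWD_RESET = SIG_PREFIX + "pwdReset"

# Assumed defender-side reactions; 2.5.1 says a receiver MAY reset sessions
ACTIONS = {
    AUTH_METHOD: "flag_elevated_risk_and_review_sessions",
    PWD_RESET: "revoke_sessions_issued_before_iat",
}

# Receiver's own feed URL, taken from the aud list of Figure 13 (assumption)
RECEIVER_FEED = "https://jhub.example.com/Feeds/98d52461fa5bbc879593b7754"

# Claim set copied from Figure 13 of the quoted section (sample input)
FIG13_CLAIMS = {
    "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30",
    "sub_id": {"format": "scim", "uri": "/Users/44f6142df96bd6ab61e7521d9"},
    "events": {PWD_RESET: {}},
    "iat": 1458496025,
    "iss": "https://scim.example.com",
    "aud": [RECEIVER_FEED, "https://jhub.example.com/Feeds/5d7604516b1d08641d7676ee7"],
}

def validate_scim_signal(claims, my_feed, now=None, max_age=300):
    """Return (event_uri, action) for an acceptable SET, else raise ValueError.
    Assumes the SET's JWS signature was already verified (out of scope here)."""
    now = time.time() if now is None else now
    for c in ("jti", "iss", "iat", "sub_id", "events"):
        if c not in claims:
            raise ValueError(f"missing claim: {c}")
    sub = claims["sub_id"]  # must be a SCIM subject identifier (relative URI)
    if sub.get("format") != "scim" or not str(sub.get("uri", "")).startswith("/"):
        raise ValueError("sub_id is not a SCIM subject identifier")
    iat = claims["iat"]  # reject stale or future-dated events (replay window)
    if not isinstance(iat, int) or iat > now + 60 or now - iat > max_age:
        raise ValueError("iat outside acceptance window")
    aud = claims.get("aud")  # when present, this receiver's feed must be listed
    if aud is not None and my_feed not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("SET not addressed to this feed")
    if len(claims["events"]) != 1:
        raise ValueError("expected exactly one event in a SCIM signal SET")
    (uri, payload), = claims["events"].items()
    if uri not in ACTIONS:
        raise ValueError(f"unregistered signal event: {uri}")
    if uri == PWD_RESET and payload.get("attributes") not in (None, "password", ["password"]):
        raise ValueError("pwdReset may only name the password attribute")
    return uri, ACTIONS[uri]
```

The `now` parameter exists so the 2016 iat in Figure 13 can be checked deterministically; in production it is left at the default wall clock.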