IETF Logo Mail Archive

[scim] SCIM Events

"Paulo Jorge N. Correia (paucorre)" <paucorre@cisco.com> Sun, 14 January 2024 19:42 UTC

Return-Path: <paucorre@cisco.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17326C14F600 for <scim@ietfa.amsl.com>; Sun, 14 Jan 2024 11:42:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.605
X-Spam-Level:
X-Spam-Status: No, score=-14.605 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qNMnBXxc54ia for <scim@ietfa.amsl.com>; Sun, 14 Jan 2024 11:42:44 -0800 (PST)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC6D7C14F5EC for <scim@ietf.org>; Sun, 14 Jan 2024 11:42:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=37569; q=dns/txt; s=iport; t=1705261364; x=1706470964; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=bK+qqVVIGssBCYt1NyNDdH2Q6/6TDb7/Fy/7PXGhTxU=; b=lKbgemOANxfOulqlFHZYEDv0jvQQ35eCg5eAsVJfmenXFDozQyHAjcIE s4cqjdFhUfsfu6PWDRyhry+POeDFT6PJeEbi1yC7kocf25YIFDQz2ZzCv 3xnlaZoBgBuwZNH1Uilm0aGQWzcY84ztr/yrNvIn2XzYtLE+Gzd57g2dg 0=;
X-CSE-ConnectionGUID: 0NNnzKOPTRWXO8416HEZLg==
X-CSE-MsgGUID: xvwmN2iUQUSv5/8iAFPV0A==
X-Files: smime.p7s : 5478
X-IPAS-Result: A0ANAABsOKRlmJhdJa1RBgMcAQEBAQEBBwEBEgEBBAQBAWWBFgcBAQsBgTUxKih6AitsSIRSg0wDhE5fiGcDgROQK4YtgTiEXxSBaggHAQEBCgMBATkLBAEBhQYCh0QCJjQJDgECBAEBAQEDAgMBAQEBAQEBAQYBAQUBAQECAQcFFAEBAQEBAQEBHhkFDhAnhWwNhkUBAQEBAxIRCjoLFwIBFgMDAQEBIQcDAgICLw8FCQgCBAEJCQgGDQeCBlgBghc3EQMBEKgVAYFAAolxN3qBMoEBghYFgTwEAbEsCgaBSAGBVoZEAYFOAQFrggeBCRwMgwCBLwgfG4FJRIEVQoIwgXsBgVsCgSEKAQgKASMqChGDFDmCLwSCFlaCbYEOgiWGQYZYgW4DgQVvGxAeNxEQEw0DCG4dAjE8AwUDBDIKEgwLIQUTQgNABkkLAwIaBQMDBIEwBQ0aAhAsJgMDEkkCEBQDOwMDBgMKMQMwVUEMUANoHzIJPA8MGgIbHg0nIwIsQgMRBRACFgMkFgQ0EQkLJgMqBjoCEgwGBgldJhYJBCUDCAQDVAMjFV8RAwQFBQMUBwsHeYFdA0QdQAMLaAUOAi01FBsFBIE2BZNQeQGBSQULDlNoGjkUDAI1Dx8MBwcVDwIIAwoSFgEKBgMSBAsGCwEFAhYRkjNbgymuWwcDhBGGUYMqggqHGY4uF4QBjHWGdpETL2SGMIUrjHcgim6CXpUNLQ8ND4RwAgQCBAUCDgEBBoFjOmtwcBU7gmdSGQ+OOYNfhRSKZXY7AgcBCgEBAwmIcC1rXwEB
IronPort-PHdr: A9a23:1cNHjhcvNDr1WtoMxnr6ZioAlGM/eYqcDmcuAtIPgrZKdOGk55v9e RWZ7vR2h1iPVoLeuLpIiOvT5rjpQndIoY2Av3YLbIFWWlcbhN8XkQ0tDI/NCUDyIPPwKS1vN M9DT1RiuXq8NBsdA97wMmXbuWb69jsOAlP6PAtxKP7yH9vKhtm80Pqo9rXYYh5Dg3y2ZrYhZ BmzpB/a49EfmpAqar5k0BbLr3BUM+hX3jZuIlSe3l7ws8yx55VktS9Xvpoc
IronPort-Data: A9a23:onEGia433M9qOECe6AQpyQxRtMLHchMFZxGqfqrLsTDasI4Tp2RHj j5GCjjCY6DUfSKuKJpxdc7vohRX/dOXm+bXenIv8HBoQjRS9tGt6b+xI038Mi3IcsOeFEk/t ZVGMYSdIp05HiXS/UimOLTs83IjivHXG7alVuOdNiohSVY5ES1900Nqy7Y12oU0iIjnXmth1 T+cT+j3YDdJjBYpbj1Eg076lC5SgRjShN85llJmPqEasgWHxyNLBp8Tevy6dCOmSYVZRLXqH LvOweqy126IpB1F5vFJPVrYnuzmZpaIYGBiX1IPA/DKbiBq/3F0iuBjcqNENS+7sh3R9/hp0 tJBqJesfgkgO6zIiYw1XgJRe81EFfUuFITvfz7n7aR/82WcKyGwm6w3UBltVWEl0r8f7V9mp KRwxA8lNnhvt8ruqJqnR+9lgNgULcWDFOvzbVk5kFk1pd5/KXzya/2iCe1whV/ctegSdRrqX Pf1XBI0BPj2j7KjDX9MYH42tL/AanAS6FS0onrNzUY8yzC7IACcTNEBPfKNEuFmS/m5kW7Ag ETA7UfeOi0gC+y4mWbcrFKBtMvAyHaTtII6TNVU99Zwi1GVg2cUEhBTDB2woOKyjQi1XNc3x 048o3V16/Ntsh3wCICgBXVUo1bc1vIYc8JZDuY98huA4qHV+A2eQGMDS1atbfR/65dvH2d3i ALhc9XBFSJwtZvPSE+ky4yK8HTiOAE7FVFaTHpRJecCy4K++N5o1E2nosxYOLW+j9jdGDzsz XaNtidWulkIpdQA26P+9lfdjnf14JPIVQUyoA7QWwpJ8z+Veqb9Qaqu+3v81cp6E7a+HgXY4 lgpqeyRubVm4Y62qASBR+AEHbeM7vmDMSHBjVMHI3XH32nxk5JEVd0BiAySNHtU3tA4lSgFi XI/VCtL75NVeXCtd6IyOsS6Ct8hyu7rEtGNuhHogjhmPMgZmOyvpX0GiausM4bFyxNEfUYXY sfzTCpUJSxGYZmLNRLvLwvn7Zclxzol2UTYTo3hwhKs3NK2PSHNFO1YbwPRNL1ls8toRTk5F f4Ca6NmLD0BCIXDjtX/oOb/0HhTdCdrW8qqwyCpXrfcfFMO9J4d5w/5mu55JNc/wMy5Z8/D/ 2q2XQdD2UHjiHjcYQSMYTYLVV8cdcgXkJ7PBgR1ZQzA8yF6Oe6Htf5DH7NpJuNP3LI4kpZJo wwtJp/o7gJnEGqXolzwrPDV8eRfSfhcrV/UZnH/PGdlJPaNhWXho7fZQ+cmzwFXZgKfvsolq Lrm3QTeKafvjSw7ZCoKQJpDF2+MgEU=
IronPort-HdrOrdr: A9a23:5jizJK1HUub7fR5ti3hyhAqjBeBxeYIsimQD101hICG9Lfbo9P xGzc566farslcssSkb6K+90cm7LU80hqQFn7X5XI3SETUO11HYV72KgbGSpwEIXheOitK1tp 0QP5SWaueAd2SS5PySiGLXYrRQpeVvsprY+Ns2pE0dKz2CHpsQlzuRfTzra3GeKjM2YqYRJd 633OYCjTymfngcc8S8AVc4f8Wrnbf2vaOjSyQrQzo85iezrR7A0tPH+h6jsSs2Yndq+/MP4G LFmwv26uGIqPeg0CLR0GfV8tB/hMbh4sErPr3DtuElbhHXziq4boVoXLOP+Bovpvu01VosmN 7Q5z89IsVI7W/LdG3dm2qt5+Cg6kdv15bR8y7bvZLRm729eNv8MbsEuWttSGqb16PnhqA67E sE5RPei3MdN2KwoM203am5a/gtrDv6nZLn+tRj10C2luAlGeZshJ1a80VPHJgaGiXmrIghDe l1FcnZoO1baFWAchnizyFSKfGXLwIO9y29MwE/k93Q1yITkGFyzkMeysBalnAc9IglQ50B4+ jfKKxnmLxHU8dTNMtGda08aNryDnaITQPHMWqUL1iiHKYbO2jVo5qy5Lku/umldJEB0ZN3kp XcV1FTs3I0ZivVeIaz9YwO9gqITHS2XDzrxM0b759luqfkTL6uKiGHQEBGqbrWnxzeOLyuZx +eAuMiPxa4FxqcJW9g5XyNZ6Vv
X-Talos-CUID: 9a23:aETP/W20yUhd1l1W2NIvL7xfQuYDdG/+60/sGXCILjY1EeO1ZG209/Yx
X-Talos-MUID: 9a23:MUK0HAZcsyVUKuBTpyHzgRc4NfpR3p+wVQddkLwog/fcHHkl
X-IronPort-Anti-Spam-Filtered: true
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-5.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Jan 2024 19:42:42 +0000
Received: from alln-opgw-1.cisco.com (alln-opgw-1.cisco.com [173.37.147.229]) by rcdn-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id 40EJggkh030116 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <scim@ietf.org>; Sun, 14 Jan 2024 19:42:42 GMT
X-CSE-ConnectionGUID: VIn8v5zwSSGS307JZquiLQ==
X-CSE-MsgGUID: GCAQj6mMRHCcNZMcGsSQ+Q==
Authentication-Results: alln-opgw-1.cisco.com; dkim=pass (signature verified) header.i=@cisco.com; spf=Pass smtp.mailfrom=paucorre@cisco.com; dmarc=pass (p=reject dis=none) d=cisco.com
X-IronPort-AV: E=Sophos;i="6.04,195,1695686400"; d="p7s'?scan'208,217";a="19836590"
Received: from mail-bn7nam10lp2101.outbound.protection.outlook.com (HELO NAM10-BN7-obe.outbound.protection.outlook.com) ([104.47.70.101]) by alln-opgw-1.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Jan 2024 19:42:41 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=V3NHqOqkKAE5VK1ezK67Te2t8BNU1nCvmvXiBdxdxQjgoN2y6u3wgbwu50Nr+kwDecrQDp8Isf/2NZn0B+q2iPbbH74MGUqbJEeAKVjH7a7rG0qMtX5KarJohP7u2Y4RfInW4am8iB2/LDQH/ylES7Oh77Xwn8Bmiu45sbr4YOMEAQ4H/M48WKfcXtO23ShJTGfyHu0hlHkhCJY8+gQtm0b+BvSSVCG+8dPrgHDmz1UtjTspOIBJcMjdas8T8JlbOzzgPIoaQ8kaVgQg01RRxxGLXRrl9c/64W+uio7k3bixhkYU5EHB1BzHK3OwAYPzqojazT0X0W68ox9NuKZs/Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=bK+qqVVIGssBCYt1NyNDdH2Q6/6TDb7/Fy/7PXGhTxU=; b=F6/Q4emEs7DiffQqGBm4W1jOgSRoCrMkNLlPPo9Q+isJZOA0cd+GGeWHkIpKSdDQTw1QakXMq37X7a9zFbFva4OsVdFWB3iEd2g+Mm6Bqx1dFDmbxIARnXDraoxPzOHOWir0i/5ZBUDKZnAVwipBLWw4fAmAnRgjIGaMozWhExWGLjyoMzIX7X24fP7XR3YtacEHS1a96rP5FeNxcbT/8+UxH49AqbB1kOc99AM7gBY/YrfmwMaL0Ys3Szwr7LYRZb1vUXgPPARc3DhgOZZReZbxFgVwd5tu53QzyH0p7u7zAXc3E8SklhXlCA90TbhtXu1IxSxVNpJPSIsJTKRLZQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
Received: from MW3PR11MB4730.namprd11.prod.outlook.com (2603:10b6:303:58::8) by CY8PR11MB7243.namprd11.prod.outlook.com (2603:10b6:930:96::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7181.21; Sun, 14 Jan 2024 19:42:39 +0000
Received: from MW3PR11MB4730.namprd11.prod.outlook.com ([fe80::a7ec:be2d:52c:42bc]) by MW3PR11MB4730.namprd11.prod.outlook.com ([fe80::a7ec:be2d:52c:42bc%3]) with mapi id 15.20.7181.022; Sun, 14 Jan 2024 19:42:38 +0000
From: "Paulo Jorge N. Correia (paucorre)" <paucorre@cisco.com>
To: Phillip Hunt <phil.hunt@independentid.com>, SCIM WG <scim@ietf.org>
Thread-Topic: SCIM Events
Thread-Index: AQHaRyHUKcM9EH5VqEqXlsqQjIEZnQ==
Date: Sun, 14 Jan 2024 19:42:38 +0000
Message-ID: <MW3PR11MB47307B2C013E3538D4A1A772CD6D2@MW3PR11MB4730.namprd11.prod.outlook.com>
References: <F303DFCB-0AB8-4823-948C-6B1C232D4F9C@independentid.com> <210FEFC9-C6E1-4476-A1FE-EF62AD65BB0D@amazon.com>
In-Reply-To: <210FEFC9-C6E1-4476-A1FE-EF62AD65BB0D@amazon.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: MW3PR11MB4730:EE_|CY8PR11MB7243:EE_
x-ms-office365-filtering-correlation-id: 75db41b2-3a91-4745-6500-08dc1538f6f9
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: SjWHmdr8qwrGwqc5NmxhB+ME+zxPhx2A+U1CeFq0LfZw4zxcZ1pgs+KRmO+Boyzt594EN4ukJeq6Nn1vF0fKMfpmpT7KXES61WGvovJwuya4K8Qke/0IQ0+DRk7r9bSWtnQtjhFg21pU/b3OS5oW1R5rQWVdMdLEDWtCcYJr4EYhIpHpYVueQjqWSarqfWveBOccXecU0Smy6NoUBbeSfnMkS2ASrVoYM/eYuxOb7W8pDEbMJuaR2oGKYHOOFulm/JNf2S6IToTDILE0N1OwrsBIbuqsQ394cbG+ZY1wV1bZfdtSMt+aJP0blRbq0DJqHz9JLZMLslwOY4FkMAJKzaOa+scjBv1bQC9IzQOs3Bh0Xxp2nXcxXq6aXaeN3yeD3/4lxPrRz+kqVKNlsuyJZyxK+63sUkdG0uoHsAPmx22kG7ujBg5NRciXUyeINq+1z8MEqPPmEIQdxwiTYNJPzFK0yZlJ2XGv9cHzuT7UgSW8oBqDUGwxejfhAJ1fbgX/obddXi8acl6fBeiQ1/+kk4mYDl7pxat0HQ2tSPbt3CDKd+Drg+XsUNQzdW1DijNElw1LmVCWgzrMuzfIoGQdBEOO7Dkb/46i9GV/1WAL7ypYIuAlXJ6z+ZCWOW7VkW/vrqRV13DImMVU+CNgHxOnjNe/6m7ovLBarLbYvmDXnQTdZj6nA+a71TUR0oceAamO
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MW3PR11MB4730.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(39860400002)(396003)(366004)(136003)(376002)(346002)(230273577357003)(230473577357003)(230373577357003)(230173577357003)(230922051799003)(64100799003)(186009)(451199024)(1800799012)(55016003)(41300700001)(3480700007)(6506007)(53546011)(26005)(9686003)(33656002)(4743002)(478600001)(7696005)(66574015)(5660300002)(38070700009)(2906002)(110136005)(66556008)(76116006)(66946007)(66476007)(66446008)(40140700001)(166002)(83380400001)(38100700002)(71200400001)(8936002)(316002)(7116003)(52536014)(8676002)(9326002)(99936003)(64756008)(86362001)(122000001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: U7mdaB7dW17pkgJ5sKq0FFzvO3W5e2CEcz7wWbqiPG2SrDd9O06GSjmqmb8ebFuXgkIeK44f0AQs/FPwkdXDufoqNO+pUbc/6uTaJ8sQNxYazscc962gY2Ba1ba5cZ8lCf9WL+XKOBPKhQKC8O8XW8af1aZorsSqq2/V05pyVDo5bf5p6LYvaSOvB2Ma1xF7zufKKdmt+1ZvdwKhfUOeZ+8Oa7H9oxQhnP0TCJwB8xQ8nteXpoKZukIXrvGzJA6QLod657dVDLZBAJnWKXE4K2VJSguRKaBAwAVbd4PCDDc4nIYGYshGZoSYna60xOZG37N/DxCrL9FQ0oXOZLMh43kXf+YkKfMxyMgjmVOiZrRognQ44Z4DseJtsm4nJV5RCJRETgbQCQalbKQ9bBt9EFZA2++DRng+Q541TwRiF/NMMsUg4z+dBnU0oePY9SR+0RdAd+58FmEQ37sKdzDTR0L5VcQalfAgwQiq1uutUHEd/CJMtNsFsNxa9988+jbbH9UruGbm9ur1EddN3vV8ogs4l34teEcK2VER+c+vcR6xmH65zWpfLptSpTWg8awbBNwENoGUP7VXFFroF0wK+Fr5yiL9tihldq0PLIkgTDc9+HMMvDz476f0LbQ7zQFbNoamS4Hj79eBEvAxEfTmwdcp5rpOFyve5k4MVRdT00s+kKGoWMtFJyxkkgV4h9aN0ppkzXqpx6h3K2rfYrVZ+Y6o5Qnxa67NzJqSfC1xxJiPPHc29pjvcLjcHdaYZ5bqnhhjTf1946Xg8rgVwA09EIwDD+ppMq6pKC/LIq8/unOuJmyFrlmKLr9JMzF+y8Dd52Sf5t7VvyPRSno9Vagwp6AoomQRaSKIkjHopfL/i/IdOU/EWmSPBTpydE54fulpLf7U14sxCn/UK5Siqka91ylpEP8uYXWdFXF2ZufYaWeEEtY5pLJkoRiyuIK9pZDSMlN2emgvPE2WF/lUK1AKgUDlnc3ZCXnkABWWdvzMspHz2ZxRBFiRCT1gLgjv3H7lsf3pFzZmFeEzUx0tVJ3a1n8lbf7rkSnwgUOZ9PBpUQNWQ7xrqBaRG6tLj8k4bJqZHcJ1Cyfv95AKVfx3GGjqPLN9kFnY/VGTSvY/6fC2MDRPTq9aZ7QO6e07lixd/R/G8gSB9t8Vx010mro75ERAwmUZxsoQMhLAlbBvOzES9hLXorjfXdJsoGYrPsj3KIy6tgtLjU+GXsZfSo+t7N2RVfBYJx8ONV1cddasPjGfznF1X4lFoznUmF1CwpYGEUBFxBclWzQkXVTzJpnlP0f0Aqd/zQQwhjTvZ0RsIj0dnvMcOatgu/zKeQJD0yXDCbHDYMcjxPbj+Ee6acOabf/xTK0uAz4RZLBo0M+d07qM2cqQ7WAC4UdASEWvTMKLWRmYiM/T++sFropdSaeik2htU7B/2Vo+PAspcSyTaSPbRlvG5AZZEtM+YcrEzagGs/KWNK0KJ6N8BHpyTu8RH3zII1BoAwR3gN6vGM3VvGd+LlvIXoyHytvK7+hpgt28t5XKVbLhPw76w5dhXO9UBDdNAVpV0e5kdsOjfd204zeSoYg=
Content-Type: multipart/signed; boundary="----=_NextPart_000_026B_01DA4721.D1C9D810"; protocol="application/x-pkcs7-signature"; micalg="SHA1"
MIME-Version: 1.0
X-OriginatorOrg: cisco.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MW3PR11MB4730.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 75db41b2-3a91-4745-6500-08dc1538f6f9
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jan 2024 19:42:38.5153 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: hkVUPbDvPLqgc41Zd1tsh5Ymkb+acDjG/wJq77eBquogkuZJ4+RC4gDg3BjM/x0xinozes/ttMZDaYihoHN/eQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY8PR11MB7243
X-Outbound-SMTP-Client: 173.37.147.229, alln-opgw-1.cisco.com
X-Outbound-Node: rcdn-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/h_dhGDRBGucgGOTwHmVQRe1mQFI>
Subject: [scim] SCIM Events
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jan 2024 19:42:49 -0000

Hi Phil,

As promised in the last IETF meeting  I’m reading the last version of the SCIM event.

 

I’m struggling with 2.4.1 where the Event Provision (EP) or Event Router (ER)  is going to create an SCIM event feed for provision, and I’m assuming that the Event Subscriber (ES) doesn’t has that user yet, how would this work if we don’t mandate the userName attribute in the data event payload attribute, in fact I would argue that similar to RFC 7863 this needs to be require for all the operations.

 

Or at this point it is irrelevant and there should be a statement saying that the data event payload should use the rules defined the schema defined in the schemas attribute in the data section, this will cover [RFC7633] but will cover others schemas like the work that Elliot is doing with devices. 

 

Am I missing something ? 

 

Thank you,

Paulo

 

From: scim <scim-bounces@ietf.org> On Behalf Of Saxe, Dean
Sent: Monday, December 11, 2023 11:40 PM
To: Phillip Hunt <phil.hunt@independentid.com>; SCIM WG <scim@ietf.org>
Subject: Re: [scim] SCIM Events Pull Request #20 - Unsecured Tokens

 

Thanks for raising this, Phil.

 

Intercepting proxies are in wide use, as is TLS termination that occurs in front of the targeted destination.  In both of these scenarios, unencrypted SETs may be observed by the TLS terminator, the data may be logged, and thus available to unauthorized parties.  

 

I see two specific issues here.  First, disclosure of information is a risk with any sort of intercepting proxy or TLS termination if the SET is unencrypted.  If the content of the SET is not sufficiently sensitive as to be a risk if disclosed, this is not a problem.  However, for some data such as PII this is a challenge that needs to be solved.  Second, modification of the SET in flight is a risk that is sufficiently solved by signing.  

 

Perhaps the focus should be on the security considerations section and the handling of unencrypted SETs when terminating TLS proxies may be in use.  The risk can be called out, a solution of using JWE proposed, and the attendant risks with JWEs as you outline below described.  Implementers must then make a decision about the handling of PII in SETs.

 

I’m going to reach out to some folks deep in the SSF world to get their feedback, as well.  I’ll post any relevant responses to the list.

 

Thanks,

-dhs

 

--

Dean H. Saxe,  <https://idpro.org/cidpro/> CIDPRO (he/him)

Senior Security Engineer, AWS Identity Security Team | Amazon Web Services (AWS)

E:  <mailto:deansaxe@amazon.com> deansaxe@amazon.com | M:  <tel:206-659-7293> 206-659-7293

 

From: scim <scim-bounces@ietf.org <mailto:scim-bounces@ietf.org> > on behalf of Phillip Hunt <phil.hunt@independentid.com <mailto:phil.hunt@independentid.com> >
Date: Sunday, December 10, 2023 at 11:13 AM
To: SCIM WG <scim@ietf.org <mailto:scim@ietf.org> >
Subject: [EXTERNAL] [scim] SCIM Events Pull Request #20 - Unsecured Tokens

 


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.

 

I am just bringing to the group an issue that Dean raised in PR #20 (https://github.com/ietf-scim-wg/draft-ietf-scim-events/pull/20) on the SCIM Events Github site.

 

This change occures in Section 3.1 which provides advice on use of encryption and signing (original below).  Any new proposals from the group that address both Dean and my concerns would be greatly appreciated.  Please reply to this email thread so we can record the decision.

 

Dean’s request is to change the paragraph under “Unsecured" to:

Unsecured tokens SHALL NOT be used. 

The justification in the PR was:

Updated language to prevent the use of unencrypted, unsigned tokens in this profile. The concept of "inside" and "outside" networks is no longer sufficient to consider whether transmitting over a TLS-only protocol is sufficient for securing such information.

Supporting such tokens is likely to lead to implementations that leak sensitive information and / or man in the middle interception/modification of SETs.

 

Based on this assumption (that TLS is unsuffient) we would have to also disallow the use of “signed” tokens as JWS does not provide confidentiality. Note that in many cases because SETs may be processed through gateways (e.g. aggregating events from a cluster), using JWE may become challenging as the iss and aud values would not be accessible.  Using JWE effectively forces point-to-point use only which again may cause the receiver to have to forward the unencrypted token on to its own internal endpoints. 

 

It’s my belief that TLS is sufficient in most cases. MITM is not a threat except if administrative systems are compromised or faulty. To the contrary, RFC8935/8936 talks about exchanging events through fixed endpoints. I believe editorially it would be out of scope for this spec to imagine the number of subsequent poorly security or designed systems that might lead to a mis-configuration.

 

AFAIK, most OpenID Security Signals Framework implementations currently do not support signed or encrypted SETs (though i2gosignals does). These unencrypted systems are running in production now.

 

While I do generally agree using unencrypted tokens is a bad practice, saying SHALL NOT will likely be ignored. Editorially my goal is to give guidance that in the absence of SET signatures, what the alternative requirements should be.

 

I am proposing the following revised text for the “Unsecured Token” section:

Per Section 6 <xref target="RFC7519"/>, tokens MAY be generated with <tt>{"alg":"none"}</tt>.

This mode potentially speeds up processing by avoiding what would be redundant cryptographic
processing. An example would be replication scenarios within a cluster (e.g. Kubernetes).
Unencrypted tokens MUST be transferred over mutually-authenticated TLS layer encryption and
SHOULD only be used in restricted network environments.

 

Cheers,

 

Phil

phil.hunt@independentid.com <mailto:phil.hunt@independentid.com> 

 

Original text:

3.1.  Security Event Token Signing and Encryption

   This specification uses Security Event Tokens as the message format
   for SCIM Events.  As SETs are based on JWT tokens [RFC7519], they can
   be transmitted insecurely, signed, or encrypted.  For more
   information see the JWT Cookbook specification [RFC7520] for
   examples.  The decision on whether to use JWS and JWE depends on
   operational considerations.  For each SCIM Feed relationship, it is
   up to deployers to decide on signing, encryption and algorithm
   requirements.  Deployers SHOULD be aware that too much emphasis on
   turning on every possible encryption feature may cause operational
   performance to suffer.  Deployers MUST weigh the security trade-offs
   of up-to-date SCIM services, vs. the potential information loss of an
   event.

   Unsecured
      Per Section 6 [RFC7519], tokens MAY be generated with
      {"alg":"none"}.  This mode speeds up processing and is best used
      in DBR scenarios.  Unencrypted tokens MUST be transferred over
      authenticated TLS layer encryption and SHOULD only be used in a
      restricted network environment.

   Signed
      JWS ([RFC7515]) signed SETs are useful when it is important to be
      able to verify the issuer of a SET as valid.  In addition, some



Hunt, et al.               Expires 24 May 2024                 [Page 27]
?
Internet-Draft           draft-ietf-scim-events            November 2023


      systems MAY wish to validate the authenticity of the event in a
      review process which may occur at a later date.  While the content
      can be validated as originating from the correct issuer and is
      unmodified, the message contents remain unsecure.  Signed SETs
      MUST be transferred over encrypted transport.

   Encrypted
      JWE ([RFC7516]) are encrypted SETs and are useful when the
      transport mechanism is not fully secured (e.g. messages carried by
      a third party).  The use of JWEs ensures only the designated
      receiver can read the event and provides mutual authentication
      within the SET message itself.

v2.23.0 | Report a Bug | By Email