Re: [secdir] [Id-event] Secdir last call review of draft-ietf-secevent-token-09
Phil Hunt <phil.hunt@oracle.com> Tue, 24 April 2018 21:49 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BE2A124BAC; Tue, 24 Apr 2018 14:49:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, T_HTML_ATTACH=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XNN7TKyhl80H; Tue, 24 Apr 2018 14:49:12 -0700 (PDT)
Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8B5912D946; Tue, 24 Apr 2018 14:49:12 -0700 (PDT)
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w3OLVY3h173025; Tue, 24 Apr 2018 21:49:12 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=corp-2017-10-26; bh=aKPjNXpmvJaFZXUqGnWsV3MHe/8MjOo315rapM+0Uds=; b=pdx9mXpwaNm4+AWB7DPnYVLqhC//GIJoIOMUuqg+C0mFEN1matxReHMn+aw5xNOThtFX 0E60pfCSiExC44jlCMlt3MysC2uBAWuJesb3HAeRu/XbRYPml5W8mr8v6GEeQFKZq+IO GaNoXxeaLN8+4SukshMTzPg/+ESA9jmym7ZQSP53xVA5Ru3ck4hsQnt5cdVoWZ1KCQ4n +HpWVgk6o471qat2BAJ5F0WpkTzSpbQtdvNun/3qYmL8ifJDrHIq561ioK3oxYhqUa9Y cOVkujg6q1RQ0PhuOTYCG1N1XZ+JDEk7AALd4uxPiS0l6+RXvm3U2tdbnZHUyTALf63x OA==
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp2120.oracle.com with ESMTP id 2hfwy9m4j9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 24 Apr 2018 21:49:10 +0000
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w3OLn93Q023475 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 24 Apr 2018 21:49:10 GMT
Received: from abhmp0015.oracle.com (abhmp0015.oracle.com [141.146.116.21]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w3OLn8qp000887; Tue, 24 Apr 2018 21:49:09 GMT
Received: from [10.0.1.37] (/24.86.190.97) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 24 Apr 2018 14:49:08 -0700
From: Phil Hunt <phil.hunt@oracle.com>
Message-Id: <2F2D2F99-8116-40EE-8245-D7C5F8793BC0@oracle.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F723C054-9F23-4EB7-8162-A734D2E06AFE"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Tue, 24 Apr 2018 14:49:47 -0700
In-Reply-To: <152424742315.3484.7625515486296411114@ietfa.amsl.com>
Cc: secdir@ietf.org, draft-ietf-secevent-token.all@ietf.org, ietf@ietf.org, ID Events Mailing List <id-event@ietf.org>, Mike Jones <michael.jones@microsoft.com>
To: Russ Housley <housley@vigilsec.com>
References: <152424742315.3484.7625515486296411114@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3445.6.18)
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8873 signatures=668698
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=3 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1804240204
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/w4u1Z9Qdyv2yLEPFyrN_i3GlLk4>
Subject: Re: [secdir] [Id-event] Secdir last call review of draft-ietf-secevent-token-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2018 21:49:19 -0000
Russ, Here are proposed changes to address your questions about Section 3. You’re right that this section is placing requirements on profiling specifications. The changes made are intended to make this more explicit. Please let us know if the updated text works for you, and if so, we’ll publish an updated draft using it. Please see the wdiff text for section 3 below (also attached). Thanks, Phil & Mike —wdiff for sec 3-- 3. Requirements for SET Profiles Profiling specifications of this specification define actual SETs to be used in particular use cases. These profiling specifications define the syntax and semantics of SETs conforming to that SET profile and rules for validating those SETs. Profiling specifications SHOULD define syntax, semantics, subject identification, and validation. Syntax The syntax defined by profiling specifications includes what claims of the SETs defined, including: Top-Level Claims Claims and event payload values placed at the JWT Claims Set. Examples are used claims defined by SETs utilizing the profile. JWT specification (see [RFC7519]), the SET specification, and by the profiling specification. Event Payload The JSON data structure contents and format, containing event- specific information, if any (see Section 1.2). Semantics Defining the semantics of the SET contents for SETs utilizing the profile is equally important. Possibly most important is defining the procedures used to validate the SET issuer and to obtain the keys controlled by the issuer that were used for cryptographic operations used in the JWT representing the SET. For instance, some profiles may define an algorithm for retrieving the SET issuer's keys that uses the "iss" claim value as its input. Likewise, if the profile allows (or requires) that the JWT be unsecured, the means by which the integrity of the JWT is ensured MUST be specified. Subject Identification Profiling specifications MUST define how the event subject is identified in the SET, as well as how to differentiate between the event subject's issuer and the SET issuer, if applicable. It is NOT RECOMMENDED for profiling specifications to use the "sub" claim in cases in which the subject is not globally unique and has a different issuer from the SET itself. Validation Profiling specifications MUST clearly specify the steps that a recipient of a SET utilizing that profile MUST perform to validate that the SET is both syntactically and semantically valid. Among the syntax and semantics of SETs that a profiling specification may define is whether the value of the "events" claim may contain multiple members, and what processing instructions are employed in the single- and multiple-valued cases for SETs conforming to that profile. Many valid choices are possible. For instance, some profiles might allow multiple event identifiers to be present and specify that any that are not understood by recipients be ignored, thus enabling extensibility. Other profiles might allow multiple event identifiers to be present but require that all be understood if the SET is to be accepted. Some profiles might require that only a single value be present. All such choices are within the scope of profiling specifications to define. Profiling specifications MUST clearly specify the steps that a recipient of a SET utilizing that profile MUST perform to validate that the SET is both syntactically and semantically valid. Phil Oracle Corporation, Identity Cloud Services Architect @independentid www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> > On Apr 20, 2018, at 11:03 AM, Russ Housley <housley@vigilsec.com> wrote: > > Reviewer: Russ Housley > Review result: Has Issues > > I reviewed this document as part of the Security Directorate's ongoing > effort to review all IETF documents being processed by the IESG. These > comments were written primarily for the benefit of the Security Area > Directors. Document authors, document editors, and WG chairs should > treat these comments just like any other IETF Last Call comments. > > Document: draft-ietf-secevent-token-09 > Reviewer: Russ Housley > Review Date: 2018-04-20 > IETF LC End Date: unknown > IESG Telechat date: 2018-05-10 > > Summary: Has Issues > > Major Concerns > > I do not understand the first paragraph of Section 3. I made this > comment on version -07, and some words were added, but I still do > not understand this paragraph. I think you are trying to impose some > rules on future specifications that use SET to define events. Let me > ask a couple of questions that may help. I understand that a > profiling specification MUST specify the syntax and semantics for a > collection of security event tokens, including the claims and payloads > that are expected. What MUST a profiling specification include? What > MUST a profiling specification NOT include? > > > _______________________________________________ > Id-event mailing list > Id-event@ietf.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=hJFx-Z2ih18uUNCXosAjvygHqn2_K2mtNzqIej3Ah-c&s=28OWe42S0bg8Y2eo3VVzACeSYnzgiyyeXLl7tTu9i1Y&e=
- [secdir] Secdir last call review of draft-ietf-se… Russ Housley
- Re: [secdir] [Id-event] Secdir last call review o… Phil Hunt
- Re: [secdir] [Id-event] Secdir last call review o… Mike Jones
- Re: [secdir] [Id-event] Secdir last call review o… Mike Jones
- Re: [secdir] Secdir last call review of draft-iet… Russ Housley