Re: [secdir] [Id-event] Secdir last call review of draft-ietf-secevent-token-09
Phil Hunt <phil.hunt@oracle.com> Tue, 24 April 2018 21:49 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BE2A124BAC; Tue, 24 Apr 2018 14:49:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, T_HTML_ATTACH=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XNN7TKyhl80H; Tue, 24 Apr 2018 14:49:12 -0700 (PDT)
Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8B5912D946; Tue, 24 Apr 2018 14:49:12 -0700 (PDT)
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w3OLVY3h173025; Tue, 24 Apr 2018 21:49:12 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=corp-2017-10-26; bh=aKPjNXpmvJaFZXUqGnWsV3MHe/8MjOo315rapM+0Uds=; b=pdx9mXpwaNm4+AWB7DPnYVLqhC//GIJoIOMUuqg+C0mFEN1matxReHMn+aw5xNOThtFX 0E60pfCSiExC44jlCMlt3MysC2uBAWuJesb3HAeRu/XbRYPml5W8mr8v6GEeQFKZq+IO GaNoXxeaLN8+4SukshMTzPg/+ESA9jmym7ZQSP53xVA5Ru3ck4hsQnt5cdVoWZ1KCQ4n +HpWVgk6o471qat2BAJ5F0WpkTzSpbQtdvNun/3qYmL8ifJDrHIq561ioK3oxYhqUa9Y cOVkujg6q1RQ0PhuOTYCG1N1XZ+JDEk7AALd4uxPiS0l6+RXvm3U2tdbnZHUyTALf63x OA==
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp2120.oracle.com with ESMTP id 2hfwy9m4j9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 24 Apr 2018 21:49:10 +0000
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w3OLn93Q023475 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 24 Apr 2018 21:49:10 GMT
Received: from abhmp0015.oracle.com (abhmp0015.oracle.com [141.146.116.21]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w3OLn8qp000887; Tue, 24 Apr 2018 21:49:09 GMT
Received: from [10.0.1.37] (/24.86.190.97) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 24 Apr 2018 14:49:08 -0700
From: Phil Hunt <phil.hunt@oracle.com>
Message-Id: <2F2D2F99-8116-40EE-8245-D7C5F8793BC0@oracle.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F723C054-9F23-4EB7-8162-A734D2E06AFE"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Tue, 24 Apr 2018 14:49:47 -0700
In-Reply-To: <152424742315.3484.7625515486296411114@ietfa.amsl.com>
Cc: secdir@ietf.org, draft-ietf-secevent-token.all@ietf.org, ietf@ietf.org, ID Events Mailing List <id-event@ietf.org>, Mike Jones <michael.jones@microsoft.com>
To: Russ Housley <housley@vigilsec.com>
References: <152424742315.3484.7625515486296411114@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3445.6.18)
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8873 signatures=668698
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=3 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1804240204
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/w4u1Z9Qdyv2yLEPFyrN_i3GlLk4>
Subject: Re: [secdir] [Id-event] Secdir last call review of draft-ietf-secevent-token-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2018 21:49:19 -0000
Russ,
Here are proposed changes to address your questions about Section 3. You’re right that this section is placing requirements on profiling specifications. The changes made are intended to make this more explicit. Please let us know if the updated text works for you, and if so, we’ll publish an updated draft using it.
Please see the wdiff text for section 3 below (also attached).
Thanks,
Phil & Mike
—wdiff for sec 3--
3. Requirements for SET Profiles
Profiling specifications of this specification define actual SETs to
be used in particular use cases. These profiling specifications
define the syntax and semantics of SETs conforming to that SET
profile and rules for validating those SETs. Profiling
specifications SHOULD define syntax, semantics, subject
identification, and validation.
Syntax
The syntax defined by
profiling specifications includes what claims of the SETs defined, including:
Top-Level Claims
Claims and event payload values placed at the JWT Claims Set. Examples are used
claims defined by SETs utilizing the profile. JWT specification (see [RFC7519]), the
SET specification, and by the profiling specification.
Event Payload
The JSON data structure contents and format, containing event-
specific information, if any (see Section 1.2).
Semantics
Defining the semantics of the SET contents for SETs utilizing the
profile is equally important. Possibly most important is defining
the procedures used to validate the SET issuer and to obtain the
keys controlled by the issuer that were used for cryptographic
operations used in the JWT representing the SET. For instance,
some profiles may define an algorithm for retrieving the SET
issuer's keys that uses the "iss" claim value as its input.
Likewise, if the profile allows (or requires) that the JWT be
unsecured, the means by which the integrity of the JWT is ensured
MUST be specified.
Subject Identification
Profiling specifications MUST define how the event subject is
identified in the SET, as well as how to differentiate between the
event subject's issuer and the SET issuer, if applicable. It is
NOT RECOMMENDED for profiling specifications to use the "sub"
claim in cases in which the subject is not globally unique and has
a different issuer from the SET itself.
Validation
Profiling specifications MUST clearly specify the steps that a
recipient of a SET utilizing that profile MUST perform to validate
that the SET is both syntactically and semantically valid.
Among the syntax and semantics of SETs that a profiling
specification may define is whether the value of the "events"
claim may contain multiple members, and what processing
instructions are employed in the single- and multiple-valued cases
for SETs conforming to that profile. Many valid choices are
possible. For instance, some profiles might allow multiple event
identifiers to be present and specify that any that are not
understood by recipients be ignored, thus enabling extensibility.
Other profiles might allow multiple event identifiers to be
present but require that all be understood if the SET is to be
accepted. Some profiles might require that only a single value be
present. All such choices are within the scope of profiling
specifications to define.
Profiling specifications MUST clearly specify the steps that a
recipient of a SET utilizing that profile MUST perform to validate
that the SET is both syntactically and semantically valid.
Phil
Oracle Corporation, Identity Cloud Services Architect
@independentid
www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
> On Apr 20, 2018, at 11:03 AM, Russ Housley <housley@vigilsec.com> wrote:
>
> Reviewer: Russ Housley
> Review result: Has Issues
>
> I reviewed this document as part of the Security Directorate's ongoing
> effort to review all IETF documents being processed by the IESG. These
> comments were written primarily for the benefit of the Security Area
> Directors. Document authors, document editors, and WG chairs should
> treat these comments just like any other IETF Last Call comments.
>
> Document: draft-ietf-secevent-token-09
> Reviewer: Russ Housley
> Review Date: 2018-04-20
> IETF LC End Date: unknown
> IESG Telechat date: 2018-05-10
>
> Summary: Has Issues
>
> Major Concerns
>
> I do not understand the first paragraph of Section 3. I made this
> comment on version -07, and some words were added, but I still do
> not understand this paragraph. I think you are trying to impose some
> rules on future specifications that use SET to define events. Let me
> ask a couple of questions that may help. I understand that a
> profiling specification MUST specify the syntax and semantics for a
> collection of security event tokens, including the claims and payloads
> that are expected. What MUST a profiling specification include? What
> MUST a profiling specification NOT include?
>
>
> _______________________________________________
> Id-event mailing list
> Id-event@ietf.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_id-2Devent&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=hJFx-Z2ih18uUNCXosAjvygHqn2_K2mtNzqIej3Ah-c&s=28OWe42S0bg8Y2eo3VVzACeSYnzgiyyeXLl7tTu9i1Y&e=
- [secdir] Secdir last call review of draft-ietf-se… Russ Housley
- Re: [secdir] [Id-event] Secdir last call review o… Phil Hunt
- Re: [secdir] [Id-event] Secdir last call review o… Mike Jones
- Re: [secdir] [Id-event] Secdir last call review o… Mike Jones
- Re: [secdir] Secdir last call review of draft-iet… Russ Housley