[GNAP] Next steps on subject identifiers
Fabien Imbault <fabien.imbault@gmail.com> Fri, 12 March 2021 07:08 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 826C33A0AB5 for <txauth@ietfa.amsl.com>; Thu, 11 Mar 2021 23:08:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U4E3jb-qnLj6 for <txauth@ietfa.amsl.com>; Thu, 11 Mar 2021 23:08:48 -0800 (PST)
Received: from mail-il1-x12f.google.com (mail-il1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81D5C3A0A9F for <txauth@ietf.org>; Thu, 11 Mar 2021 23:08:48 -0800 (PST)
Received: by mail-il1-x12f.google.com with SMTP id d5so1690817iln.6 for <txauth@ietf.org>; Thu, 11 Mar 2021 23:08:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=hpDT4ZVK5FZ4TVFUkDO+/xe2LIGt1Yss5fEsdTKAUh8=; b=Oiwvo+azjbK3edZNNegzFtl5xqVVQ+dWPFAWdNY1G1bNCrMfxRLgZI8do3/77Z/EeT hNa+ulk9Xzhd5dmlXQuD8kNUPyQzVwwZKL0ymISIrinHN5TOkWrS0S3KjLeWSPuiqGqR FjNqmyUZnCFKQjlJ/ZqhZLLnpLYgyjagWQM7jaefVjKEozafArNpcXMJEptVze8LwJyD U6nn26GBH2P3at2UNh5ypXC+1J/p4hrqblZGvAcfju+a94xX5ANST2siyKCmXFxPD3bl CnTxQDvqSnTU6XGM1wgouVeZqZbb2V7WyUj4YCtAPU44kINJR0k5IwkjHVQSLCkv/GfX ea9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=hpDT4ZVK5FZ4TVFUkDO+/xe2LIGt1Yss5fEsdTKAUh8=; b=lV3C4r0LOW5bnmrHf2pZhOl2+Z9V5JvzfY+KqvnvPxCfIrwCp4t2wZKBmtZc6vOSkX mOCSMkaJ8k8OMeil7d25r297O9oRg1ciKLE4tGfXCSnq7d7kckNGNSBhsYD1T/fUoP7e LA/WIpEQgIKNt9BXjGuIG7Sg+0KsWBFPs67k41mdXxc5tCW8aJNLx58dH7M0f+l1NUTT WkxWzxfstV3U+GdteQnSCiQw0XrTRgHCsTbqmTRhMPCe7JuI+ygioUjqXeSFy1MJ4rsi vZVWc5YXKZuJ/aTiKQEq+Dk9kBGdADDTfmEr1hMkGNZYPhbnoY3I4TxOcrgEOuVBaIu7 oz7Q==
X-Gm-Message-State: AOAM532aM9E3Gn5DN+lIztB2vzW3C5Rt3Cw9EmcNAzWCHeIBnBgUJAtY y6HSIiTvoIWDIzLI8PzhEb7pMM+NzXHhphC4tYreMFeldrMqTA==
X-Google-Smtp-Source: ABdhPJy9tPSFlLKSLSGLdH2Jy/OMFA93xBCXq297u9k8BtWP+hvhzGyefXoY57KhY0qwo5b1OL/L6omLz1P/aBpNTts=
X-Received: by 2002:a05:6e02:dc4:: with SMTP id l4mr1706799ilj.123.1615532926780; Thu, 11 Mar 2021 23:08:46 -0800 (PST)
MIME-Version: 1.0
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Fri, 12 Mar 2021 08:08:36 +0100
Message-ID: <CAM8feuSmQHebjjRvd6wCfTckTNkmk3ogYSrWN0sgTb+ownxmpA@mail.gmail.com>
To: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003948f305bd51928f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/4yvIESccu9xjBS3oPbx7sruMfgg>
Subject: [GNAP] Next steps on subject identifiers
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Mar 2021 07:08:52 -0000
Hi everyone, Thanks a lot for your participation at IETF110 and on the mailing list. As agreed during the call, please find a summary and highlight of the next steps following the discussion item on "subject identifiers" (from an editorial standpoint this time, after taking into account the feedbacks): 1. fix open issues related to "subject identifiers". Every item with a question mark (?), in the slides, would love your input. In particular, some great questions during the meeting: - what goes into the identifier structure? (question about DIDs was further discussed in a dedicated thread) - what goes into the assertion(s) structure? - how do the identifiers and assertion(s) relate? - what do we handle in the core spec vs as an extension? New information: based on SECEVENT draft-07 published this week, we now have an internal opaque format to use. As per Yaron's suggestion, Justin has reached out to the SECEVENT WG to enquire about DID support. The next step is to make PRs (based on sub_ids draft-07), following the now usual process. See below for a recap of intended/proposed changes to fix outstanding issues, the detailed discussions will then be handled through issues and PRs on github. ------------------------------------------------------------------------------------------------------------------- Here's the list of suggested intended changes to come next (mostly normative clean up): - #16 #42 examples will be based on the sub_ids opaque format #16 #42 - #75 #120 scope of subject identifiers based on sub_id and validation by the AS (see #49) - #198 no major change on terminology but a light rewording for "subject information" (will become "statement asserted by an AS about a subject.") - #171 "ad-hoc portability" considered out of scope, sub_ids solve a big part of that - #51 is fixed by using the SECEVENT opaque format - #43 #50 assertion will correspond to an id_token authentication event, and samlv2 gives us a good reason to design the extension registry (a first step might just be to remove it from the core, due to XML security considerations / a dedicated issue related to samv2 extension is likely) - #49 "should/must validate client assertions" ultimately depends on #41, but "should" seems more realistic. As further guidance, we could move request.user into request.subject.hints to align with what has been done for interaction, to clarify the current wording "Subject identifiers are hints to the AS in determining the RO and MUST NOT be taken as declarative statements" - #178 is already with a PR in pending merge, no change to that Here's the list of issues that won't be addressed just yet (more input from WG needed): - #41 assertions as an array: it seems likely we'll need that but as long as we don't have anything else than id_token, this seems too early to change - #197 discussion on roles would remain open. Will keep the current wording for now. ------------------------------------------------------------------------------------------------------------------- 2. get preliminary feedback on the prospective issues, e.g. RO vs end-user. This is early stage and only for discussion right now. This is complementary to the "AS as a token factory" presentation by Justin. Wishing you all a nice day. The editors
- [GNAP] Next steps on subject identifiers Fabien Imbault