[Openid-specs-risc] RISC event URIs

Mike Jones Michael.Jones at microsoft.com
Wed Apr 12 20:50:31 UTC 2017


openid.ns values in http://openid.net/specs/openid-authentication-2_0.html#anchor4
Claimed Identifier URI in http://openid.net/specs/openid-authentication-2_0.html#discovery
                (there are plenty more in this spec)
Attribute exchange namespace at http://openid.net/specs/openid-attribute-exchange-1_0.html#anchor2
PAPE namespace at http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html#anchor3
Issuer URI at https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery
Backchannel Logout event at http://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken
MODRNA policies at file:///C:/mbj/DSG/OpenID/MODRNA/openid-connect-modrna-authentication-1_0.html#rfc.section.4
EAP ACR URIs at http://openid.net/specs/openid-connect-eap-acr-values-1_0.html#ClaimsContents
Etc.

There are plenty more.  These are just a quick subset I knew about off the top of my head.

Yes, it would be OK to put “risc” in the name.  Then, for instance, you might use this URI for Account Deleted:
                http://schemas.openid.net/event/risc/account-deleted

IETF and “secevent” don’t really have a reason to be in these event names, because it’s the OpenID RISC WG defining these events, not the IETF or the SecEvent WG.

-- Mike

From: Marius Scurtescu [mailto:mscurtescu at google.com]
Sent: Wednesday, April 12, 2017 1:34 PM
To: Mike Jones <Michael.Jones at microsoft.com>
Cc: Phil Hunt (IDM) <phil.hunt at oracle.com>; openid-specs-risc at lists.openid.net
Subject: Re: [Openid-specs-risc] RISC event URIs

On Wed, Apr 12, 2017 at 1:31 PM, Marius Scurtescu <mscurtescu at google.com> wrote:
Shouldn't "risc" (the profile name) be part of the URI?

Similarly, what about "ietf" and "secevent" being part of the URI?


Can you point to some of these other specifications and URIs?

Marius

On Wed, Apr 12, 2017 at 1:25 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
I’d suggest that RISC event names be openid.net URIs.  For instance, I’d use the event name http://schemas.openid.net/event/account-deleted for the Account Deleted event that Marius described.  That would be consistent with how other things have been historically named in OpenID specifications.

-- Mike

From: Openid-specs-risc [mailto:openid-specs-risc-bounces at lists.openid.net] On Behalf Of Phil Hunt (IDM)
Sent: Tuesday, April 11, 2017 3:00 PM
To: Marius Scurtescu <mscurtescu at google.com>
Cc: openid-specs-risc at lists.openid.net
Subject: Re: [Openid-specs-risc] RISC event URIs

That said, it is perfectly OK for RISC to use URNs while the core spec specified URIs.

There would just be no central event registry except within risc.

Phil

On Apr 11, 2017, at 2:37 PM, Marius Scurtescu <mscurtescu at google.com> wrote:
Good point, will start the discussion on the secevent list.

Marius

On Tue, Apr 11, 2017 at 2:34 PM, Hardt, Dick <dick at amazon.com> wrote:
I think the format of these should be decided in secevent.

I think your proposal of secevents starting with “urn:ietf:params:secevent:event-type:” is one worth proposing in secevent.

"urn:ietf:params:secevent:aud-client-id:<client-id>" is clearly a secevent discussion item

/Dick

On 4/11/17, 2:16 PM, someone claiming to be "Marius Scurtescu" <mscurtescu at google.com> wrote:

"urn:ietf:params:secevent:event-type:risc:sessions-revoked" would be an event URI, the key under the "events" claim

"urn:ietf:params:secevent:aud-client-id:<client-id>" would be the aud claim, and this solves the "SET re-played as an access token" issue


Marius

On Tue, Apr 11, 2017 at 2:07 PM, Hardt, Dick <dick at amazon.com> wrote:
Where are you thinking this is in the secevent SET Marius?

On 4/11/17, 10:56 AM, someone claiming to be "Openid-specs-risc on behalf of Marius Scurtescu" <openid-specs-risc-bounces at lists.openid.net on behalf of mscurtescu at google.com> wrote:

While talking about events, we should also decide what the event URI will look like for RISC.

I propose we use URN sub-delegation for "ietf" namespace (RFC 3553), something like:
urn:ietf:params:secevent:event-type:risc:sessions-revoked
urn:ietf:params:secevent:event-type:risc:tokens-revoked
urn:ietf:params:secevent:event-type:risc:account-deleted
urn:ietf:params:secevent:event-type:risc:all ?

Maybe instead of "event-type" in the above URNs we should use "profile"? Since "risc" above signifies a whole class of event type and not a particular one:
urn:ietf:params:secevent:profile:risc:sessions-revoked
...

We can use this scheme for other RISC related URNs, like a prefixed aud:
urn:ietf:params:secevent:aud-client-id:<client-id>

Thoughts?

Marius
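The exchange above turns on two claims: the event URI used as the key under the "events" claim, and the "aud" claim prefixed with "urn:ietf:params:secevent:aud-client-id:", which Marius says closes the "SET re-played as an access token" issue. The following is an added example, not code from the thread or from any RISC/SecEvent implementation. It builds a SET using Marius's proposed URN forms, then shows why a resource server that validates access tokens by comparing "aud" to its own client_id (and that refuses anything carrying an "events" claim) never accepts the SET, while a RISC receiver that knows its prefixed audience does. The HS256 shared key, issuer, client_id, jti and the empty event payload are constructed for the example; the "typ" header value is an assumption and not something the thread specifies.

```python
"""Added example: RISC SET with prefixed aud vs. an access-token validator.

Assumptions (not from the thread): HS256 with a shared key, the issuer and
client identifiers below, a fixed jti, and an empty event payload.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example.
SHARED_KEY = b"constructed-example-hmac-key"
ISSUER = "https://issuer.example"
CLIENT_ID = "client-123"

# URN forms as proposed in the thread.
RISC_EVENT_PREFIX = "urn:ietf:params:secevent:event-type:risc:"
AUD_PREFIX = "urn:ietf:params:secevent:aud-client-id:"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(header: dict, claims: dict, key: bytes = SHARED_KEY) -> str:
    """Compact JWS with HS256 over the usual header.payload signing input."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def decode_jwt(token: str, key: bytes = SHARED_KEY):
    """Verify the HS256 signature and return (header, claims)."""
    h, c, s = token.split(".")
    expected = hmac.new(key, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(c))


def build_risc_set(event_name: str, client_id: str) -> str:
    """SET whose events key is a RISC URN and whose aud is the prefixed client id."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}  # typ value is an assumption
    claims = {
        "iss": ISSUER,
        "aud": AUD_PREFIX + client_id,
        "iat": int(time.time()),
        "jti": "constructed-jti-1",
        # Event-specific payload left empty; the thread does not define it.
        "events": {RISC_EVENT_PREFIX + event_name: {}},
    }
    return sign_jwt(header, claims)


def build_access_token(client_id: str) -> str:
    """Ordinary JWT access token for the same client, for contrast."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": client_id, "iat": int(time.time()), "sub": "user-1"}
    return sign_jwt(header, claims)


def validate_access_token(token: str, client_id: str) -> bool:
    """Resource-server check: aud must equal the bare client id, and a token
    that carries an events claim is a SET, not an access token."""
    _, claims = decode_jwt(token)
    if "events" in claims:
        return False
    return claims.get("aud") == client_id


def risc_events_for(token: str, client_id: str) -> list:
    """RISC receiver: accept only if aud is this client's prefixed audience,
    and return the RISC event names (the part after the URN prefix)."""
    _, claims = decode_jwt(token)
    if claims.get("aud") != AUD_PREFIX + client_id:
        return []
    return [k[len(RISC_EVENT_PREFIX):] for k in claims.get("events", {})
            if k.startswith(RISC_EVENT_PREFIX)]


if __name__ == "__main__":
    set_token = build_risc_set("sessions-revoked", CLIENT_ID)
    print("SET accepted as access token:", validate_access_token(set_token, CLIENT_ID))
    print("RISC events:", risc_events_for(set_token, CLIENT_ID))
```

Both checks in validate_access_token are independent: even a resource server that does not know about the "events" claim rejects the SET, because the prefixed "aud" can never equal the bare client_id it compares against.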

