[Openid-specs-risc] RISC event URIs

Marius Scurtescu mscurtescu at google.com
Tue Apr 18 22:17:29 UTC 2017


Alright, unless anyone has objections let's go with the URL-based event
types (and potentially other URIs that the specs may need).

As John mentioned on the call yesterday, this also has the advantage that
we could set up documentation pages behind these URLs, so URIs have obvious
documentation attached.

As a nit, I think the account-deleted event type should be:
http://schemas.openid.net/risc/event/account-deleted

I moved "risc" before "event". We might need other RISC URIs which are not
event types.


Marius

On Wed, Apr 12, 2017 at 3:55 PM, Hardt, Dick <dick at amazon.com> wrote:

> The advantage of Marius’s original proposal is that it ensures that the
> event identifier will be globally unique without coordination between
> anyone profiling secevent since all events in the profile will need to
> start with a profile specific string.
>
> In other words, there is the possibility of an event name collision if
> secevent leaves each profile to determine the event ID with no other
> guidance.
>
> If secevent requires a URI and that the profile use a domain that is
> associated with the profile, then the collision risk is avoided.
>
> Assuming that is in secevent, then
>
> http://schemas.openid.net/event/risc/account-deleted
>
> works fine.
>
> /Dick
>
> On 4/12/17, 2:05 PM, someone claiming to be "Openid-specs-risc on behalf
> of Phil Hunt" <openid-specs-risc-bounces at lists.openid.net on behalf of
> phil.hunt at oracle.com> wrote:
>
> I agree with Mike.
>
> I don’t think you really have to have a hierarchy.
>
> The real issue is the value of having a vetted central registry. I do
> think there is some value to eliminate duplication and confusion.
>
> I’m on the fence. It would be good to get some rough proposed event
> definitions from RISC and SCIM for example and compare and contrast the
> similarities and differences and decide if they should be expressed
> differently.
>
> Phil
>
> Oracle Corporation, Identity Cloud Services Architect & Standards
> @independentid
> www.independentid.com
> phil.hunt at oracle.com
>
> On Apr 12, 2017, at 1:50 PM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
>
> openid.ns values in http://openid.net/specs/openid-authentication-2_0.html#anchor4
>
> Claimed Identifier URI in http://openid.net/specs/openid-authentication-2_0.html#discovery
>
> (there are plenty more in this spec)
>
> Attribute exchange namespace at http://openid.net/specs/openid-attribute-exchange-1_0.html#anchor2
>
> PAPE namespace at http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html#anchor3
>
> Issuer URI at https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery
>
> Backchannel Logout event at http://openid.net/specs/openid-connect-backchannel-1_0.html#LogoutToken
>
> MODRNA policies at file:///C:/mbj/DSG/OpenID/MODRNA/openid-connect-modrna-authentication-1_0.html#rfc.section.4
>
> EAP ACR URIs at http://openid.net/specs/openid-connect-eap-acr-values-1_0.html#ClaimsContents
>
> Etc.
>
> There are plenty more.  These are just a quick subset I knew about off the
> top of my head.
>
> Yes, it would be OK to put “risc” in the name.  Then, for instance, you
> might use this URI for Account Deleted:
>
> Assum
>
> IETF and “secevent” don’t really have a reason to be in these event names,
> because it’s the OpenID RISC WG defining these events, not the IETF or the
> SecEvent WG.
>
> -- Mike
>
> *From:* Marius Scurtescu [mailto:mscurtescu at google.com]
> *Sent:* Wednesday, April 12, 2017 1:34 PM
> *To:* Mike Jones <Michael.Jones at microsoft.com>
> *Cc:* Phil Hunt (IDM) <phil.hunt at oracle.com>; openid-specs-risc at lists.openid.net
> *Subject:* Re: [Openid-specs-risc] RISC event URIs
>
> On Wed, Apr 12, 2017 at 1:31 PM, Marius Scurtescu <mscurtescu at google.com>
> wrote:
>
> Shouldn't "risc" (the profile name) be part of the URI?
>
> Similarly, what about "ietf" and "secevent" being part of the URI?
>
> Can you point to some of these other specifications and URIs?
>
> Marius
>
> On Wed, Apr 12, 2017 at 1:25 PM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
>
> I’d suggest that RISC event names be openid.net URIs.  For instance, I’d
> use the event name http://schemas.openid.net/event/account-deleted for
> the Account Deleted event that Marius described.  That would be
> consistent with how other things have been historically named in OpenID
> specifications.
>
> -- Mike
>
> *From:* Openid-specs-risc [mailto:openid-specs-risc-bounces at lists.openid.net] *On Behalf Of *Phil Hunt (IDM)
> *Sent:* Tuesday, April 11, 2017 3:00 PM
> *To:* Marius Scurtescu <mscurtescu at google.com>
> *Cc:* openid-specs-risc at lists.openid.net
> *Subject:* Re: [Openid-specs-risc] RISC event URIs
>
> That said, it is perfectly OK for RISC to use URNs while the core spec
> specifies URIs.
>
> There would just be no central event registry except within RISC.
>
> Phil
>
> On Apr 11, 2017, at 2:37 PM, Marius Scurtescu <mscurtescu at google.com>
> wrote:
>
> Good point, will start the discussion on the secevent list.
>
>
> Marius
>
> On Tue, Apr 11, 2017 at 2:34 PM, Hardt, Dick <dick at amazon.com> wrote:
>
> I think the format of these should be decided in secevent.
>
> I think your proposal of secevents starting with
> “urn:ietf:params:secevent:event-type:” is one worth proposing in secevent.
>
> "urn:ietf:params:secevent:aud-client-id:<client-id>" is clearly a
> secevent discussion item
>
> /Dick
>
> On 4/11/17, 2:16 PM, someone claiming to be "Marius Scurtescu" <
> mscurtescu at google.com> wrote:
>
> "urn:ietf:params:secevent:event-type:risc:sessions-revoked" would be an
> event URI, the key under the "events" claim
>
> "urn:ietf:params:secevent:aud-client-id:<client-id>" would be the aud
> claim, and this solves the "SET re-played as an access token" issue
>
> Marius
>
> On Tue, Apr 11, 2017 at 2:07 PM, Hardt, Dick <dick at amazon.com> wrote:
>
> Where are you thinking this is in the secevent SET Marius?
>
> On 4/11/17, 10:56 AM, someone claiming to be "Openid-specs-risc on behalf
> of Marius Scurtescu" <openid-specs-risc-bounces at lists.openid.net on
> behalf of mscurtescu at google.com> wrote:
>
> While talking about events, we should also decide what the event URI will
> look like for RISC.
>
> I propose we use URN sub-delegation for the "ietf" namespace (RFC 3553),
> something like:
>
> urn:ietf:params:secevent:event-type:risc:sessions-revoked
> urn:ietf:params:secevent:event-type:risc:tokens-revoked
> urn:ietf:params:secevent:event-type:risc:account-deleted
> urn:ietf:params:secevent:event-type:risc:all ?
>
> Maybe instead of "event-type" in the above URNs we should use "profile"?
> Since "risc" above signifies a whole class of event type and not a
> particular one:
>
> urn:ietf:params:secevent:profile:risc:sessions-revoked
> ...
>
> We can use this scheme for other RISC related URNs, like a prefixed aud:
>
> urn:ietf:params:secevent:aud-client-id:<client-id>
>
> Thoughts?
>
> Marius
>
> _______________________________________________
> Openid-specs-risc mailing list
> Openid-specs-risc at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-risc
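Pulling the thread's pieces together, as an added example (not code from the working group or from any OpenID or IETF spec): a SET payload keyed by the URL-based RISC event type Marius settles on at the top of the thread, carrying the prefixed aud from the earlier URN proposal, with the two receiver-side checks the discussion motivates: filtering events by namespace (Dick's collision point) and refusing a SET where an access token is expected (the "SET re-played as an access token" issue). The issuer, client id, jti and the empty event payload are constructed values.

```python
import re
from typing import Any, Dict

# Event type namespace agreed in the thread: URL-based, with "risc" before "event".
RISC_EVENT_PREFIX = "http://schemas.openid.net/risc/event/"
# Prefixed-aud form from the earlier URN proposal in the thread.
AUD_CLIENT_ID_PREFIX = "urn:ietf:params:secevent:aud-client-id:"


def risc_event_type(name: str) -> str:
    """Mint a RISC event type URI from a lower-case, hyphenated event name."""
    if not re.fullmatch(r"[a-z0-9]+(?:-[a-z0-9]+)*", name):
        raise ValueError(f"bad event name: {name!r}")
    return RISC_EVENT_PREFIX + name


def build_set_payload(issuer: str, client_id: str, event_name: str,
                      iat: int, jti: str) -> Dict[str, Any]:
    """Claims of a Security Event Token carrying one RISC event.
    The empty event payload is a constructed stand-in; the thread does not define one."""
    return {
        "iss": issuer,
        "aud": AUD_CLIENT_ID_PREFIX + client_id,  # never equal to the bare client id
        "iat": iat,
        "jti": jti,
        "events": {risc_event_type(event_name): {}},
    }


def risc_events(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Return only the events in the RISC namespace. Keys rooted in another
    profile's domain are dropped, which is the collision-avoidance property
    Dick describes: such a URI can never be mistaken for a RISC event."""
    events = payload.get("events")
    if not isinstance(events, dict):
        raise ValueError("not a SET: missing 'events' claim")
    return {k: v for k, v in events.items() if k.startswith(RISC_EVENT_PREFIX)}


def accept_as_access_token(payload: Dict[str, Any], client_id: str) -> bool:
    """Resource-server check for the 'SET re-played as an access token' case.
    A token carrying an 'events' claim is a SET and is refused outright; even
    without that check, the prefixed aud never matches the bare client id."""
    if "events" in payload:
        return False
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return client_id in auds


if __name__ == "__main__":
    # Constructed sample: an account-deleted SET addressed to client "client-123".
    sample = build_set_payload("https://idp.example", "client-123",
                               "account-deleted", 1492553849, "jti-0001")
    print(risc_events(sample))
    print(accept_as_access_token(sample, "client-123"))  # False
```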