[Openid-specs-risc] RISC event URIs

Marius Scurtescu mscurtescu at google.com
Tue Apr 18 22:35:48 UTC 2017


On Tue, Apr 18, 2017 at 3:33 PM, Mike Jones <Michael.Jones at microsoft.com>
wrote:

> I meant “event” to designate a SET definition, “risc” to designate the
> (optional) working group name, “http://schemas.openid.net” root the name
> in an OpenID namespace, and “account-deleted” to be the WG-specific event
> name.
>
>
>
> Having both “secevent” and “event” is redundant.
>

"event" is there to make it clear that this is about an event type, there
could be other URIs needed than event types.


>
>
>                                                                 -- Mike
>
>
>
> *From:* Marius Scurtescu [mailto:mscurtescu at google.com]
> *Sent:* Tuesday, April 18, 2017 3:31 PM
> *To:* Mike Jones <Michael.Jones at microsoft.com>
> *Cc:* Hardt, Dick <dick at amazon.com>; Phil Hunt <phil.hunt at oracle.com>;
> openid-specs-risc at lists.openid.net
>
> *Subject:* Re: [Openid-specs-risc] RISC event URIs
>
>
>
> Hm, maybe you meant "event" to be the working group name, and not short
> for "event type" (which I had in mind).
>
>
>
> If so, then maybe we should use "secevent":
>
> http://schemas.openid.net/secevent/risc/event/account-deleted
>
>
>
>
> Marius
>
>
>
> On Tue, Apr 18, 2017 at 3:20 PM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
>
> I’d actually do it in the other order.  I think that all OpenID-defined
> events from all working groups should start with
> http://schemas.openid.net/event/.  The event name should follow that,
> which may optionally include a working group name as part of the event
> name.  So the right name for account-deleted, if “risc” is to be included,
> is http://schemas.openid.net/event/risc/account-deleted.
>
>
>
>                                                                 -- Mike
>
>
>
> *From:* Marius Scurtescu [mailto:mscurtescu at google.com]
> *Sent:* Tuesday, April 18, 2017 3:17 PM
> *To:* Hardt, Dick <dick at amazon.com>
> *Cc:* Phil Hunt <phil.hunt at oracle.com>; Mike Jones <
> Michael.Jones at microsoft.com>; openid-specs-risc at lists.openid.net
>
>
> *Subject:* Re: [Openid-specs-risc] RISC event URIs
>
>
>
> Alright, unless anyone has objections let's go with the URL based event
> types (and potentially other URIs that the specs may need).
>
>
>
> As John mentioned on the call yesterday, this also has the advantage that
> we could setup documentation pages behind these URLs, so URIs have obvious
> documentation attached.
>
>
>
> As a nit, I think the account-deleted event type should be:
>
> http://schemas.openid.net/risc/event/account-deleted
>
>
>
> I moved "risc" before "event". We might need other RISC URIs which are not
> event types.
>
>
>
>
> Marius
>
>
>
> On Wed, Apr 12, 2017 at 3:55 PM, Hardt, Dick <dick at amazon.com> wrote:
>
> The advantage of Marius’s original proposal is that it ensures that the
> event identifier will be globally unique without coordination between
> anyone profiling secevent since all events in the profile will need to
> start with a profile specific string.
>
>
>
> In other words, there is the possibility of an event name collision if
> secevent leaves each profile to determine the event ID with no other
> guidance.
>
>
>
> If secevent requires a URI and that the profile use a domain that is
> associated with the profile, then the collision risk is avoided.
>
>
>
> Assuming that is in secevent, then
>
>
>
> http://schemas.openid.net/event/risc/account-deleted
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__schemas.openid.net_event_risc_account-2Ddeleted&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=IT6azVbuki1_pmbosRf1uN_NZqVzNldI8AI9fWdg32o&s=Fv9F4TKG7qD9gN9r9NPaA4dYsqek-m-sctnLBHLfKcc&e=>
>
>
>
> works fine.
>
>
>
> /Dick
>
>
>
>
>
>
>
> On 4/12/17, 2:05 PM, someone claiming to be "Openid-specs-risc on behalf
> of Phil Hunt" <openid-specs-risc-bounces at lists.openid.net on behalf of
> phil.hunt at oracle.com> wrote:
>
>
>
> I agree with Mike.
>
>
>
> I don’t think you really have to have a hierarchy.
>
>
>
> The real issue is the value of having a vetted central registry. I do
> think there is some value to eliminate duplication and confusion.
>
>
>
> I’m on the fence. It would be good get some rough proposed event
> definitions from RISC and SCIM for example and compare and contrast the
> similarities and differences and decide if they should be expressed
> differently.
>
>
>
> Phil
>
>
>
> Oracle Corporation, Identity Cloud Services Architect & Standards
>
> @independentid
>
> www.independentid.com
>
> phil.hunt at oracle.com
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Apr 12, 2017, at 1:50 PM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
>
>
>
> openid.ns values in http://openid.net/specs/openid-authentication-2_0.
> html#anchor4
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__openid.net_specs_openid-2Dauthentication-2D2-5F0.html-23anchor4&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=IT6azVbuki1_pmbosRf1uN_NZqVzNldI8AI9fWdg32o&s=_DGYGG9FeymBn6OqVohCgnpnHEKx-iORfkoGbfvw9Sw&e=>
>
> Claimed Identifier URI in http://openid.net/specs/
> openid-authentication-2_0.html#discovery
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__openid.net_specs_openid-2Dauthentication-2D2-5F0.html-23discovery&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=IT6azVbuki1_pmbosRf1uN_NZqVzNldI8AI9fWdg32o&s=i_Efd_jqHWw_nd402qXtksQfNlpOo9adIUyBmsnKDHw&e=>
>
>                 (there are plenty more in this spec)
>
> Attribute exchange namespace at http://openid.net/specs/
> openid-attribute-exchange-1_0.html#anchor2
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__openid.net_specs_openid-2Dattribute-2Dexchange-2D1-5F0.html-23anchor2&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=IT6azVbuki1_pmbosRf1uN_NZqVzNldI8AI9fWdg32o&s=ht1coU3G-1vOvg5hIdxr1IDgU2bC2vdyoe9z1JXOVp8&e=>
>
> PAPE namespace at http://openid.net/specs/openid-provider-
> authentication-policy-extension-1_0.html#anchor3
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__openid.net_specs_openid-2Dprovider-2Dauthentication-2Dpolicy-2Dextension-2D1-5F0.html-23anchor3&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=IT6azVbuki1_pmbosRf1uN_NZqVzNldI8AI9fWdg32o&s=U8rYDwzBzOU4Vtkp0KRTXd22-a8bq0fxVnQcToUb1Ns&e=>
>
> Issuer URI at https://openid.net/specs/openid-connect-discovery-1_0.
> html#IssuerDiscovery
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__openid.net_specs_openid-2Dconnect-2Ddiscovery-2D1-5F0.html-23IssuerDiscovery&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=IT6azVbuki1_pmbosRf1uN_NZqVzNldI8AI9fWdg32o&s=oXmQRXaMpUPH-nB4gDeKjSWILDF7BdTtLHiV5zb3rUU&e=>
>
> Backchannel Logout event at http://openid.net/specs/
> openid-connect-backchannel-1_0.html#LogoutToken
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__openid.net_specs_openid-2Dconnect-2Dbackchannel-2D1-5F0.html-23LogoutToken&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=IT6azVbuki1_pmbosRf1uN_NZqVzNldI8AI9fWdg32o&s=wPXcz4P307OtW13LMmlvJGx7dIvt3F4z9-HH42ojRzY&e=>
>
> MODRNA policies at file:///C:/mbj/DSG/OpenID/MODRNA/openid-connect-modrna-
> authentication-1_0.html#rfc.section.4
>
> EAP ACR URIs at http://openid.net/specs/openid-connect-eap-acr-values-
> 1_0.html#ClaimsContents
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__openid.net_specs_openid-2Dconnect-2Deap-2Dacr-2Dvalues-2D1-5F0.html-23ClaimsContents&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=IT6azVbuki1_pmbosRf1uN_NZqVzNldI8AI9fWdg32o&s=u6DfdgmHebc9XFcNGx5icscB9essDnJRqYjUo2SnAmA&e=>
>
> Etc.
>
>
>
> There are plenty more.  These are just a quick subset I knew about off the
> top of my head.
>
>
>
> Yes, it would be OK to put “risc” in the name.  The, for instance you
> might use this URI for Account Deleted:
>
>               Assum
>
>
>
> IETF and “secevent” don’t really have a reason to be in these event names,
> because it’s the OpenID RISC WG defining these events, not the IETF or the
> SecEvent WG.
>
>
>
>                                                                 -- Mike
>
>
>
> *From:* Marius Scurtescu [mailto:mscurtescu at google.com
> <mscurtescu at google.com>]
> *Sent:* Wednesday, April 12, 2017 1:34 PM
> *To:* Mike Jones <Michael.Jones at microsoft.com>
> *Cc:* Phil Hunt (IDM) <phil.hunt at oracle.com>; openid-specs-risc at lists.
> openid.net
> *Subject:* Re: [Openid-specs-risc] RISC event URIs
>
>
>
> On Wed, Apr 12, 2017 at 1:31 PM, Marius Scurtescu <mscurtescu at google.com>
> wrote:
>
> Shouldn't "risc" (the profile name) be part of the URI?
>
>
>
> Similarly, what about "ietf" and "secevent" being part of the URI?
>
>
>
>
>
> Can you point to some of these other specifications and URIs?
>
>
> Marius
>
>
>
> On Wed, Apr 12, 2017 at 1:25 PM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
>
> I’d suggest that RISC event names be openid.net
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__openid.net&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=IT6azVbuki1_pmbosRf1uN_NZqVzNldI8AI9fWdg32o&s=dzuYBPXCYMEBvFpUEktnn8u3lkEPeUHcausoF2NU45c&e=>
>  URIs.  For instance, I’d use the event name http://schemas.openid.
> net/event/account-deleted
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__schemas.openid.net_event_account-2Ddeleted&d=DwMGaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=IT6azVbuki1_pmbosRf1uN_NZqVzNldI8AI9fWdg32o&s=KerUNwzFrztEwKDzo7GXe2-W_8iuWNrnLZ-5Kvv2Afk&e=>
>  for the Account Deleted event that Marius described.  That would be
> consistent with how other things have been historically named in OpenID
> specifications.
>
>
>
>                                                                 -- Mike
>
>
>
> *From:* Openid-specs-risc [mailto:openid-specs-risc-
> bounces at lists.openid.net] *On Behalf Of *Phil Hunt (IDM)
> *Sent:* Tuesday, April 11, 2017 3:00 PM
> *To:* Marius Scurtescu <mscurtescu at google.com>
> *Cc:* openid-specs-risc at lists.openid.net
> *Subject:* Re: [Openid-specs-risc] RISC event URIs
>
>
>
> That said. It is perfectly ok for risc to use urns while the core spec
> specified uri.
>
>
>
> There would just be no central event registry except within risc.
>
> Phil
>
>
> On Apr 11, 2017, at 2:37 PM, Marius Scurtescu <mscurtescu at google.com>
> wrote:
>
> Good point, will start the discussion on the secevent list.
>
>
> Marius
>
>
>
> On Tue, Apr 11, 2017 at 2:34 PM, Hardt, Dick <dick at amazon.com> wrote:
>
> I think the format of these should be decided in secevent.
>
>
>
> I think your proposal of secevents starting with “urn:ietf:params:secevent:event-type:”
> is one worth proposing in secevent.
>
>
>
> "urn:ietf:params:secevent:aud-client-id:<client-id>" is clearly a
> secevent discussion item
>
>
>
> /Dick
>
>
>
> On 4/11/17, 2:16 PM, someone claiming to be "Marius Scurtescu" <
> mscurtescu at google.com> wrote:
>
>
>
> "urn:ietf:params:secevent:event-type:risc:sessions-revoked" would be an
> event URI, the key under the "events" claim
>
>
>
> "urn:ietf:params:secevent:aud-client-id:<client-id>" would be the aud
> claim, and this solves the "SET re-played as an access token" issue
>
>
>
>
> Marius
>
>
>
> On Tue, Apr 11, 2017 at 2:07 PM, Hardt, Dick <dick at amazon.com> wrote:
>
> Where are you thinking this is in the secevent SET Marius?
>
>
>
> On 4/11/17, 10:56 AM, someone claiming to be "Openid-specs-risc on behalf
> of Marius Scurtescu" <openid-specs-risc-bounces at lists.openid.net on
> behalf of mscurtescu at google.com> wrote:
>
>
>
> While talking about events, we should also decide how the event URI will
> look like for RISC.
>
>
>
> I propose we use URN sub-delegation for "ietf" namespace (RFC 3553),
> something like:
>
> urn:ietf:params:secevent:event-type:risc:sessions-revoked
>
> urn:ietf:params:secevent:event-type:risc:tokens-revoked
>
> urn:ietf:params:secevent:event-type:risc:account-deleted
>
> urn:ietf:params:secevent:event-type:risc:all ?
>
>
>
> Maybe instead of "event-type" in the above URNs we should use "profile"?
> Since "risc" above signifies a whole class of event type and not a
> particular one:
>
> urn:ietf:params:secevent:profile:risc:sessions-revoked
>
> ...
>
>
>
> We can use this scheme for other RISC related URNs, like a prefixed aud:
>
> urn:ietf:params:secevent:aud-client-id:<client-id>
>
>
>
> Thoughts?
>
>
>
> Marius
>
>
>
>
>
> _______________________________________________
> Openid-specs-risc mailing list
> Openid-specs-risc at lists.openid.net
> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.
> openid.net_mailman_listinfo_openid-2Dspecs-2Drisc&d=DwICAg&c=
> RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=
> JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=xWx68AhS5M_
> By2Kzn2sWKxgaTcobfi-OdzG-BY75oQ0&s=GlmLO4LTDZglq1yIkAKmtEZG9Fwx_
> e5fxSEQGspbwAo&e=
>
>
>
>
> _______________________________________________
> Openid-specs-risc mailing list
> Openid-specs-risc at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-risc
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20170418/8fca6a50/attachment-0001.html>


More information about the Openid-specs-risc mailing list