[Openid-specs-risc] Subject "categories" discussion
Tim Cappalli
Tim.Cappalli at microsoft.com
Tue Aug 4 12:01:17 UTC 2020
Atul,
Can we use these scenarios (along with any other examples folks have) to continue the discussion today?
#1 “All sessions for this user and device are revoked”
{
  "iss": "https://login.microsoft.com/72f988bf-86f1-41af-91ab-2d7cd011db47/",
  "jti": "756E69717565206964656E746966696572",
  "iat": 1596468414,
  "aud": "636C69656E745F6964",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/all-sessions-revoked": {
      "subject": [
        {
          "subject_type": "iss_sub",
          "iss": "https://login.microsoft.com/72f988bf-86f1-41af-91ab-2d7cd011db47/",
          "sub": "B82ABEF5-201B-4BDE-A532-F9827089009E" // User UUID
        },
        {
          "subject_type": "iss_sub",
          "iss": "https://login.microsoft.com/72f988bf-86f1-41af-91ab-2d7cd011db47/",
          "sub": "208EE704-07BA-4762-B5CF-B45807E5FAA8" // Device UUID
        }
      ]
    }
  }
}
#2 “All user sessions on this specific device are revoked”
Same set with different event type?
From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net>
Date: Friday, July 31, 2020 at 14:08
To: Openid-specs-risc <openid-specs-risc at lists.openid.net>
Subject: [Openid-specs-risc] Subject "categories" discussion
Hi all,
In the OpenID SSE WG call on July 21st, we discussed at length the need for the "subject category" addition to the subject identifier. The notes from that call are here <https://docs.google.com/document/d/1ZFwJJDwwSBNKX35VObClC1ctMbMMuHJtr5qY-7xsLW8/edit?usp=sharing>.
Based on that discussion I would like to propose the following changes in the SSE profile draft and the proposed SSE Event Types draft:
1. We drop the common claim named "category" from the subject identifiers.
2. We specify in the SSE profile spec that individual events may have multiple subject identifiers if required to disambiguate the subject as being in a specific category. The semantics of combining multiple subject identifiers within an event will always be "AND", i.e. the subject of the event is identified by the intersection of the subjects identified by each subject identifier.
3. In the proposed SSE event types spec, where required, we specify the multiple subject identifiers.
Please respond here to discuss. This is relevant to the finalization of the subject identifiers specification in the IETF. I will post a message there based on the conclusion of any discussion here and in our next SSE WG call on 8/4.
Thanks,
Atul
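To make the "AND" semantics of point 2 concrete against Tim's scenario #1, here is an added receiver-side example (not code from either message or from the SSE drafts): it parses a constructed SET payload carrying two iss_sub identifiers and revokes only the sessions that match every identifier, i.e. the intersection of user and device. The issuer URL, session table layout and the "identities" field are assumptions made for the example.

```python
import json

# Constructed SET payload modelled on scenario #1 in this thread (not a real token):
# two iss_sub identifiers on one event, one naming the user and one naming the device.
REVOKE_EVENT = "https://schemas.openid.net/secevent/caep/event-type/all-sessions-revoked"
ISS = "https://issuer.example/tenant/"   # placeholder issuer (assumption)
USER = "B82ABEF5-201B-4BDE-A532-F9827089009E"    # user UUID from the thread's example
DEVICE = "208EE704-07BA-4762-B5CF-B45807E5FAA8"  # device UUID from the thread's example
SET_PAYLOAD = json.dumps({
    "iss": ISS, "jti": "example-jti", "iat": 1596468414, "aud": "example-aud",
    "events": {REVOKE_EVENT: {"subject": [
        {"subject_type": "iss_sub", "iss": ISS, "sub": USER},
        {"subject_type": "iss_sub", "iss": ISS, "sub": DEVICE},
    ]}},
})


def identifier_matches(ident, session):
    """True if this one subject identifier names the session.

    A session carries an "identities" set of (iss, sub) pairs it was established
    under (its user principal, its device principal, ...). Only iss_sub is handled;
    an unknown subject_type is rejected instead of being guessed at.
    """
    if ident.get("subject_type") != "iss_sub":
        raise ValueError(f"unsupported subject_type: {ident.get('subject_type')!r}")
    return (ident["iss"], ident["sub"]) in session["identities"]


def sessions_to_revoke(set_payload, sessions):
    """Return ids of sessions lying in the INTERSECTION of all subject identifiers.

    Multiple identifiers on one event combine with AND, as proposed in the
    thread: every identifier must match, otherwise the session is left alone.
    """
    event = json.loads(set_payload).get("events", {}).get(REVOKE_EVENT)
    if event is None:
        return []
    idents = event["subject"]
    if not idents:          # an empty identifier list must not mean "everyone"
        return []
    return [s["id"] for s in sessions if all(identifier_matches(i, s) for i in idents)]


# Constructed receiver-side session table: the same user on two devices, and a
# different user on the named device. Only s1 is both that user AND that device.
SESSIONS = [
    {"id": "s1", "identities": {(ISS, USER), (ISS, DEVICE)}},
    {"id": "s2", "identities": {(ISS, USER), (ISS, "OTHER-DEVICE")}},
    {"id": "s3", "identities": {(ISS, "OTHER-USER"), (ISS, DEVICE)}},
]
```

`sessions_to_revoke(SET_PAYLOAD, SESSIONS)` returns `['s1']`: the user's session on the other device (s2) survives, which is exactly the difference between scenario #1 under AND semantics and a single-identifier "all sessions for this user" event.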