[Openid-specs-risc] Subject "categories" discussion

Stan Bounev stanb at vericlouds.com
Tue Aug 4 14:06:57 UTC 2020


Atul, I still have an issue with the access to the repo – getting Forbidden and error 403 when trying to push my changes. I will work separately on this. For today, I’d like to include the ‘compromised’ event for discussion.

Credential Compromised

   Event Type URI:
   https://schemas.openid.net/secevent/risc/event-type/credential-compromised

   Credential Compromised event signals there is a leaked credential
   with a specific domain that has been found online by the transmitter.

   Attributes: email address; user ID

{
  "iss": "https://idp.example.com/",
  "jti": "756E69717565206964656E746966696572",
  "iat": 1508184845,
  "aud": "636C69656E745F6964",
  "events": {
    "https://schemas.openid.net/secevent/risc/event-type/credential-compromised": {
      "subject": {
        "subject_type": "iss-sub",
        "iss": "https://idp.example.com/",
        "sub": "7375626A656374"
      },
      "credential-credential-id": "userID", "email_address"
    }
  }
}



From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net> on behalf of Tim Cappalli via Openid-specs-risc <openid-specs-risc at lists.openid.net>
Reply-To: Tim Cappalli <Tim.Cappalli at microsoft.com>
Date: Tuesday, August 4, 2020 at 5:01 AM
To: Atul Tulshibagwale <atultulshi at google.com>, Openid-specs-risc <openid-specs-risc at lists.openid.net>
Subject: Re: [Openid-specs-risc] Subject "categories" discussion

Atul,

Can we use these scenarios (along with any other examples folks have) to continue the discussion today?


#1 “All sessions for this user and device are revoked”


{
    "iss": "https://login.microsoft.com/72f988bf-86f1-41af-91ab-2d7cd011db47/",
    "jti": "756E69717565206964656E746966696572",
    "iat": 1596468414,
    "aud": "636C69656E745F6964",
    "events": {
        "https://schemas.openid.net/secevent/caep/event-type/all-sessions-revoked": {
            "subject": [
                {
                    "subject_type": "iss_sub",
                    "iss": "https://login.microsoft.com/72f988bf-86f1-41af-91ab-2d7cd011db47/",
                    "sub": "B82ABEF5-201B-4BDE-A532-F9827089009E" // User UUID
                },
                {
                    "subject_type": "iss_sub",
                    "iss": "https://login.microsoft.com/72f988bf-86f1-41af-91ab-2d7cd011db47/",
                    "sub": "208EE704-07BA-4762-B5CF-B45807E5FAA8" // Device UUID
                }
            ]
        }
    }
}

#2 “All user sessions on this specific device are revoked”

Same set with different event type?


From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net>
Date: Friday, July 31, 2020 at 14:08
To: Openid-specs-risc <openid-specs-risc at lists.openid.net>
Subject: [Openid-specs-risc] Subject "categories" discussion
Hi all,
In the OpenID SSE WG call on July 21st, we discussed at length the need for the "subject category" addition to the subject identifier. The notes from that call are here <https://docs.google.com/document/d/1ZFwJJDwwSBNKX35VObClC1ctMbMMuHJtr5qY-7xsLW8/edit?usp=sharing>.

Based on that discussion I would like to propose the following changes in the SSE profile draft and the proposed SSE Event Types draft:

  1.  We drop the common claim named "category" from the subject identifiers.
  2.  We specify in the SSE profile spec that individual events may have multiple subject-identifiers if required to disambiguate the subject as being in a specific category. The semantics of combining multiple subject identifiers within an event will always be "AND", i.e. The subject of the event is identified by the intersection of the subjects identified by each subject identifier.
  3.  In the proposed SSE event types spec, where required, we specify the multiple subject identifiers.
Please respond here to discuss. This is relevant to the finalization of the subject identifiers specification in the IETF. I will post a message there based on the conclusion of any discussion here and in our next SSE WG call on 8/4.

Thanks,
Atul
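As an added illustration of the "AND" semantics proposed in point 2 above, and of Tim's scenario #1 (one event carrying a user subject identifier and a device subject identifier), here is a small receiver-side routine that resolves an event's subject identifiers against a session table. This is example code written for this page, not code from the SSE working group or any spec draft. It assumes the SET has already been received and its JWS signature verified, so only the claims are handled; the issuer, the session table and the subject values are constructed, and it assumes user and device `sub` values never collide.

```python
import json

# Event type from Tim's scenario #1 (CAEP all-sessions-revoked).
EVENT_ALL_SESSIONS_REVOKED = (
    "https://schemas.openid.net/secevent/caep/event-type/all-sessions-revoked"
)
# Constructed issuer for the example; the receiver only trusts this one.
TRUSTED_ISS = "https://idp.example.com/"

# Constructed session table: (session_id, issuer, user sub, device sub). Not real data.
SESSIONS = [
    ("s1", TRUSTED_ISS, "user-A", "device-1"),
    ("s2", TRUSTED_ISS, "user-A", "device-2"),
    ("s3", TRUSTED_ISS, "user-B", "device-1"),
    ("s4", "https://other-idp.example/", "user-A", "device-1"),
]

USER_SUBJECT = {"subject_type": "iss_sub", "iss": TRUSTED_ISS, "sub": "user-A"}
DEVICE_SUBJECT = {"subject_type": "iss_sub", "iss": TRUSTED_ISS, "sub": "device-1"}


def make_set(subject):
    """Build the claims of a SET with a single all-sessions-revoked event (constructed values)."""
    return {
        "iss": TRUSTED_ISS,
        "jti": "example-jti",
        "iat": 1596468414,
        "aud": "example-client",
        "events": {EVENT_ALL_SESSIONS_REVOKED: {"subject": subject}},
    }


# Scenario #1: user AND device. Compare with a user-only event.
USER_AND_DEVICE_SET = json.dumps(make_set([USER_SUBJECT, DEVICE_SUBJECT]))
USER_ONLY_SET = json.dumps(make_set(USER_SUBJECT))


def subject_identifiers(event_body):
    """Normalise 'subject' to a list: a single identifier or an array of them."""
    subject = event_body["subject"]
    return subject if isinstance(subject, list) else [subject]


def session_matches(session, subject_id):
    """True if one subject identifier selects this session."""
    if subject_id.get("subject_type") != "iss_sub":
        raise ValueError(f"unsupported subject_type: {subject_id.get('subject_type')!r}")
    _, iss, user_sub, device_sub = session
    # Assumption: user and device sub values are disjoint, so one field test suffices.
    return iss == subject_id["iss"] and subject_id["sub"] in (user_sub, device_sub)


def sessions_to_revoke(set_json, sessions=SESSIONS):
    """Return the session ids selected by the event: the INTERSECTION over all identifiers."""
    claims = json.loads(set_json)
    if claims.get("iss") != TRUSTED_ISS:
        raise ValueError("SET issuer is not trusted")
    event = claims.get("events", {}).get(EVENT_ALL_SESSIONS_REVOKED)
    if event is None:
        return []
    ids = subject_identifiers(event)
    if not ids:
        # An empty intersection would select every session; refuse rather than over-revoke.
        raise ValueError("event carries no subject identifier")
    remaining = list(sessions)
    for subject_id in ids:  # each identifier narrows the candidate set ("AND")
        remaining = [s for s in remaining if session_matches(s, subject_id)]
    return sorted(s[0] for s in remaining)


if __name__ == "__main__":
    print("user AND device:", sessions_to_revoke(USER_AND_DEVICE_SET))  # ['s1']
    print("user only:      ", sessions_to_revoke(USER_ONLY_SET))        # ['s1', 's2']
```

The two runs show the difference the proposal relies on: with both identifiers present only the session of user-A on device-1 is selected, while the user-only event selects every session of user-A at the trusted issuer. Session s4 is never selected because its issuer differs from the one named in the identifier, and an event with an empty identifier list is rejected rather than treated as "match everything".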
