[Openid-specs-risc] Subject "categories" discussion
Mike Jones
Michael.Jones at microsoft.com
Tue Aug 4 18:48:04 UTC 2020
Anyone can make pull requests to the repository by following the steps described at http://lists.openid.net/pipermail/openid-specs-risc/Week-of-Mon-20200720/000734.html. (These are exactly parallel to those you would use on GitHub or GitLab.)
Typically OpenID working group chairs and editors have Write permissions to a working group repository – which lets them push directly to it and approve pull requests. Currently Annabelle, Atul, Marius, and Phil have write access. If the chairs let me know who the active primary editors are, I can add them as well. (Those who are not primary editors should continue to create pull requests to be reviewed by the working group and merged by the primary editors or chairs.)
Hope this helps.
-- Mike
From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net> On Behalf Of Stan Bounev via Openid-specs-risc
Sent: Tuesday, August 4, 2020 7:07 AM
To: Tim Cappalli <Tim.Cappalli at microsoft.com>; Atul Tulshibagwale <atultulshi at google.com>; Openid-specs-risc <openid-specs-risc at lists.openid.net>
Subject: [EXTERNAL] Re: [Openid-specs-risc] Subject "categories" discussion
Atul, I still have an issue with the access to the repo – getting Forbidden and error 403 when trying to push my changes. I will work separately on this. For today, I’d like to include the ‘compromised’ event for discussion.
Credential Compromised
Event Type URI:
https://schemas.openid.net/secevent/risc/event-type/credential-compromised
Credential Compromised event signals there is a leaked credential with a specific domain that has been found online by the transmitter.
Attributes: email address; user ID
{
  "iss": "https://idp.example.com/",
  "jti": "756E69717565206964656E746966696572",
  "iat": 1508184845,
  "aud": "636C69656E745F6964",
  "events": {
    "https://schemas.openid.net/secevent/risc/event-type/credential-compromised": {
      "subject": {
        "subject_type": "iss-sub",
        "iss": "https://idp.example.com/",
        "sub": "7375626A656374"
      },
      "credential-credential-id": "userID", "email_address"
    }
  }
}
From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net> on behalf of Tim Cappalli via Openid-specs-risc <openid-specs-risc at lists.openid.net>
Reply-To: Tim Cappalli <Tim.Cappalli at microsoft.com>
Date: Tuesday, August 4, 2020 at 5:01 AM
To: Atul Tulshibagwale <atultulshi at google.com>, Openid-specs-risc <openid-specs-risc at lists.openid.net>
Subject: Re: [Openid-specs-risc] Subject "categories" discussion
Atul,
Can we use these scenarios (along with any other examples folks have) to continue the discussion today?
#1 “All sessions for this user and device are revoked”
{
  "iss": "https://login.microsoft.com/72f988bf-86f1-41af-91ab-2d7cd011db47/",
  "jti": "756E69717565206964656E746966696572",
  "iat": 1596468414,
  "aud": "636C69656E745F6964",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/all-sessions-revoked": {
      "subject": [
        {
          "subject_type": "iss_sub",
          "iss": "https://login.microsoft.com/72f988bf-86f1-41af-91ab-2d7cd011db47/",
          "sub": "B82ABEF5-201B-4BDE-A532-F9827089009E" // User UUID
        },
        {
          "subject_type": "iss_sub",
          "iss": "https://login.microsoft.com/72f988bf-86f1-41af-91ab-2d7cd011db47/",
          "sub": "208EE704-07BA-4762-B5CF-B45807E5FAA8" // Device UUID
        }
      ]
    }
  }
}
#2 “All user sessions on this specific device are revoked”
Same set with different event type?
From: Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net>
Date: Friday, July 31, 2020 at 14:08
To: Openid-specs-risc <openid-specs-risc at lists.openid.net>
Subject: [Openid-specs-risc] Subject "categories" discussion
Hi all,
In the OpenID SSE WG call on July 21st, we discussed at length the need for the "subject category" addition to the subject identifier. The notes from that call are here: https://docs.google.com/document/d/1ZFwJJDwwSBNKX35VObClC1ctMbMMuHJtr5qY-7xsLW8/edit?usp=sharing
Based on that discussion I would like to propose the following changes in the SSE profile draft and the proposed SSE Event Types draft:
1. We drop the common claim named "category" from the subject identifiers.
2. We specify in the SSE profile spec that individual events may have multiple subject identifiers if required to disambiguate the subject as being in a specific category. The semantics of combining multiple subject identifiers within an event will always be "AND", i.e. the subject of the event is identified by the intersection of the subjects identified by each subject identifier.
3. In the proposed SSE event types spec, where required, we specify the multiple subject identifiers.
Please respond here to discuss. This is relevant to the finalization of the subject identifiers specification in the IETF. I will post a message there based on the conclusion of any discussion here and in our next SSE WG call on 8/4.
Thanks,
Atul
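The "AND" semantics proposed above, applied to Tim's scenario #1 (a user subject and a device subject in the same all-sessions-revoked event), as an added receiver-side example. This is illustration code written for this thread, not code from the SSE working group or any of the posters. It assumes the `subject_type` / `iss` / `sub` layout used in the drafts quoted in this thread, a constructed sample SET, and a constructed receiver session table keyed by (iss, sub) pairs; the issuer `https://idp.example.com/` and the session, user and device identifiers are made up.

```python
import copy
import json
from typing import Any, Dict, List, Tuple

# Event type URI as used in Tim's scenario #1.
ALL_SESSIONS_REVOKED = (
    "https://schemas.openid.net/secevent/caep/event-type/all-sessions-revoked"
)

# Constructed sample SET payload (decoded JWT claims): one event with two
# subject identifiers, a user and a device, that must be combined with AND.
SAMPLE_SET_JSON = json.dumps({
    "iss": "https://idp.example.com/",
    "jti": "756E69717565206964656E746966696572",
    "iat": 1596468414,
    "aud": "636C69656E745F6964",
    "events": {
        ALL_SESSIONS_REVOKED: {
            "subject": [
                {"subject_type": "iss_sub", "iss": "https://idp.example.com/", "sub": "user-1"},
                {"subject_type": "iss_sub", "iss": "https://idp.example.com/", "sub": "device-A"},
            ]
        }
    },
})

# Constructed receiver session table: each session records the (iss, sub)
# pair of the user it belongs to and of the device it was established from.
Pair = Tuple[str, str]
SESSIONS: Dict[str, Dict[str, Pair]] = {
    "s1": {"user": ("https://idp.example.com/", "user-1"), "device": ("https://idp.example.com/", "device-A")},
    "s2": {"user": ("https://idp.example.com/", "user-1"), "device": ("https://idp.example.com/", "device-B")},
    "s3": {"user": ("https://idp.example.com/", "user-2"), "device": ("https://idp.example.com/", "device-A")},
}


def parse_set(payload_json: str) -> Dict[str, Any]:
    """Parse the SET claims and require the top-level claims the thread's samples carry.
    Signature verification of the JWT is assumed to have happened before this point."""
    claims = json.loads(payload_json)
    missing = [c for c in ("iss", "jti", "iat", "aud", "events") if c not in claims]
    if missing:
        raise ValueError(f"SET is missing required claims: {missing}")
    return claims


def subject_identifiers(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the event's subject identifiers as a list.

    A single object and a list of objects are both accepted. An empty list is
    rejected so that an event with no subject can never match every session."""
    subj = event.get("subject")
    if isinstance(subj, dict):
        subj = [subj]
    if not isinstance(subj, list) or not subj:
        raise ValueError("event carries no subject identifier")
    for s in subj:
        if s.get("subject_type") != "iss_sub" or "iss" not in s or "sub" not in s:
            raise ValueError(f"unsupported or incomplete subject identifier: {s}")
    return subj


def session_matches(session: Dict[str, Pair], subject_ids: List[Dict[str, Any]]) -> bool:
    """AND semantics: every subject identifier in the event must match one of the
    session's attributes, i.e. the session lies in the intersection of the subjects."""
    session_pairs = set(session.values())
    return all((s["iss"], s["sub"]) in session_pairs for s in subject_ids)


def sessions_to_revoke(payload_json: str, sessions: Dict[str, Dict[str, Pair]],
                       event_type: str = ALL_SESSIONS_REVOKED) -> List[str]:
    """Return the ids of sessions the event's subject (user AND device) covers."""
    claims = parse_set(payload_json)
    event = claims["events"].get(event_type)
    if event is None:
        return []
    ids = subject_identifiers(event)
    return sorted(sid for sid, sess in sessions.items() if session_matches(sess, ids))


def with_subjects(payload_json: str, subjects: List[Dict[str, Any]],
                  event_type: str = ALL_SESSIONS_REVOKED) -> str:
    """Helper for experiments: copy a SET and replace the event's subject list."""
    claims = copy.deepcopy(json.loads(payload_json))
    claims["events"][event_type]["subject"] = subjects
    return json.dumps(claims)


if __name__ == "__main__":
    # User-1 AND device-A -> only s1; user-1 alone -> s1 and s2.
    print(sessions_to_revoke(SAMPLE_SET_JSON, SESSIONS))
    user_only = with_subjects(SAMPLE_SET_JSON,
                              [{"subject_type": "iss_sub", "iss": "https://idp.example.com/", "sub": "user-1"}])
    print(sessions_to_revoke(user_only, SESSIONS))
```

With both identifiers present only `s1` is revoked (user-1 on device-A); with the user identifier alone, `s1` and `s2` are revoked, which is the difference between the thread's scenario #1 and a plain per-user revocation. The intersection rule also answers scenario #2 without a new subject shape: the same subject list, under a different event type, tells the receiver which sessions the event is about, while the event type says what to do with them.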