[Openid-specs-risc] Subject "categories" discussion

Atul Tulshibagwale atultulshi at google.com
Tue Aug 4 21:27:10 UTC 2020


(Stan: Please move the repository access discussion to a new email thread)

Hi all,
Summarizing the discussion regarding categories from today's call here:

   1. "Revoke all tokens" is an example of an event type that can benefit
   from subject categories. Sometimes the event may apply to a user on all
   devices and at other times it may apply to all users on a specific device.
   Having a subject category within the subject will help disambiguate this
   scope.
   2. If this information is made a part of the event type, it would make
   the event receiver more complex to code, with different logic to understand
   the subject of each event.
   3. Adding multiple subject identifiers in the event increases the number
   of possible combinations that a receiver must support.
   4. Having the "subject category" field is likely to reduce
   code-complexity and processing overhead, which will matter a lot at scale.

As a result, instead of my initial email below, Tim said he will email the
IETF SecEvents working group regarding these concerns around dropping the
categories claim.

We can continue the discussion here on email so that we can clarify any
concerns from within this working group before or while Tim posts on the
SecEvents WG.

Atul


On Tue, Aug 4, 2020 at 11:48 AM Mike Jones <Michael.Jones at microsoft.com>
wrote:

> Anyone can make pull requests to the repository by following the steps
> described at
> http://lists.openid.net/pipermail/openid-specs-risc/Week-of-Mon-20200720/000734.html.
> (These are exactly parallel to those you would use on GitHub or GitLab.)
>
> Typically OpenID working group chairs and editors have Write permissions
> to a working group repository – which lets them push directly to it and
> approve pull requests.  Currently Annabelle, Atul, Marius, and Phil have
> write access.  If the chairs let me know who the active primary editors
> are, I can add them as well.  (Those who are not primary editors should
> continue to create pull requests to be reviewed by the working group and
> merged by the primary editors or chairs.)
>
> Hope this helps.
>
>                                                           -- Mike
>
> *From:* Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net> *On
> Behalf Of *Stan Bounev via Openid-specs-risc
> *Sent:* Tuesday, August 4, 2020 7:07 AM
> *To:* Tim Cappalli <Tim.Cappalli at microsoft.com>; Atul Tulshibagwale <
> atultulshi at google.com>; Openid-specs-risc <
> openid-specs-risc at lists.openid.net>
> *Subject:* [EXTERNAL] Re: [Openid-specs-risc] Subject "categories"
> discussion
>
> Atul, I still have an issue with the access to the repo – getting
> Forbidden and error 403 when trying to push my changes. I will work
> separately on this. For today, I’d like to include the ‘compromised’ event
> for discussion.
>
> Credential Compromised
>
>    Event Type URI:
>    https://schemas.openid.net/secevent/risc/event-type/credential-compromised
>
>    Credential Compromised event signals there is a leaked credential
>    with a specific domain that has been found online by the transmitter.
>
>    Attributes: email address; user ID
>
> {
>   "iss": "https://idp.example.com/",
>   "jti": "756E69717565206964656E746966696572",
>   "iat": 1508184845,
>   "aud": "636C69656E745F6964",
>   "events": {
>     "https://schemas.openid.net/secevent/risc/event-type/credential-compromised": {
>       "subject": {
>         "subject_type": "iss-sub",
>         "iss": "https://idp.example.com/",
>         "sub": "7375626A656374"
>       },
>       "credential-credential-id": "userID", "email_address"
>     }
>   }
> }
>
> *From: *Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net> on
> behalf of Tim Cappalli via Openid-specs-risc <
> openid-specs-risc at lists.openid.net>
> *Reply-To: *Tim Cappalli <Tim.Cappalli at microsoft.com>
> *Date: *Tuesday, August 4, 2020 at 5:01 AM
> *To: *Atul Tulshibagwale <atultulshi at google.com>, Openid-specs-risc <
> openid-specs-risc at lists.openid.net>
> *Subject: *Re: [Openid-specs-risc] Subject "categories" discussion
>
> Atul,
>
> Can we use these scenarios (along with any other examples folks have) to
> continue the discussion today?
>
> *#1 “All sessions for this user and device are revoked”*
>
> {
>     "iss": "https://login.microsoft.com/72f988bf-86f1-41af-91ab-2d7cd011db47/",
>     "jti": "756E69717565206964656E746966696572",
>     "iat": 1596468414,
>     "aud": "636C69656E745F6964",
>     "events": {
>         "https://schemas.openid.net/secevent/caep/event-type/all-sessions-revoked": {
>             "subject": [
>                 {
>                     "subject_type": "iss_sub",
>                     "iss": "https://login.microsoft.com/72f988bf-86f1-41af-91ab-2d7cd011db47/",
>                     "sub": "B82ABEF5-201B-4BDE-A532-F9827089009E" // User UUID
>                 },
>                 {
>                     "subject_type": "iss_sub",
>                     "iss": "https://login.microsoft.com/72f988bf-86f1-41af-91ab-2d7cd011db47/",
>                     "sub": "208EE704-07BA-4762-B5CF-B45807E5FAA8" // Device UUID
>                 }
>             ]
>         }
>     }
> }
>
> *#2 “All user sessions on this specific device are revoked”*
>
> Same set with different event type?
>
> *From: *Openid-specs-risc <openid-specs-risc-bounces at lists.openid.net>
> *Date: *Friday, July 31, 2020 at 14:08
> *To: *Openid-specs-risc <openid-specs-risc at lists.openid.net>
> *Subject: *[Openid-specs-risc] Subject "categories" discussion
>
> Hi all,
>
> In the OpenID SSE WG call on July 21st, we discussed at length the need
> for the "subject category" addition to the subject identifier. The notes
> from that call are here
> <https://docs.google.com/document/d/1ZFwJJDwwSBNKX35VObClC1ctMbMMuHJtr5qY-7xsLW8/edit?usp=sharing>.
>
> Based on that discussion I would like to propose the following changes in
> the SSE profile draft and the proposed SSE Event Types draft:
>
>    1. We drop the common claim named "category" from the subject
>    identifiers.
>    2. We specify in the SSE profile spec that individual events may have
>    multiple subject identifiers if required to disambiguate the subject as
>    being in a specific category. The semantics of combining multiple subject
>    identifiers within an event will always be "AND", i.e. the subject of the
>    event is identified by the intersection of the subjects identified by each
>    subject identifier.
>    3. In the proposed SSE event types spec, where required, we specify
>    the multiple subject identifiers.
>
> Please respond here to discuss. This is relevant to the finalization of
> the subject identifiers specification in the IETF. I will post a message
> there based on the conclusion of any discussion here and in our next SSE WG
> call on 8/4.
>
> Thanks,
>
> Atul
>
>
>
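The two revocation scenarios Tim sketches above and the "AND" (intersection) semantics Atul proposes for events that carry several subject identifiers, written out as a receiver-side example. This is added illustration, not code from the thread or from the SSE, RISC or CAEP drafts. Only the `all-sessions-revoked` event type URI and the `iss_sub` subject type are taken from the messages above; the session table, the user and device identifier sets, the `iss`/`jti`/`aud` values and the `subject_category` claim name (standing in for the category claim the call discussed dropping) are constructed assumptions.

```python
# Added example, not from the thread: a receiver applying "AND" semantics to
# multi-identifier subjects and, as the alternative, a per-identifier category.
# The event type URI and "iss_sub" come from the messages above; everything
# else (session table, identifier spaces, claim name "subject_category") is assumed.

ALL_SESSIONS_REVOKED = (
    "https://schemas.openid.net/secevent/caep/event-type/all-sessions-revoked"
)

# Constructed session table: (user, device) -> ids of live sessions.
SESSIONS = {
    ("user-A", "device-1"): {"s1"},
    ("user-A", "device-2"): {"s2"},
    ("user-B", "device-1"): {"s3"},
}

# Assumption: the receiver can tell its own user ids from its device ids.
USERS = {"user-A", "user-B"}
DEVICES = {"device-1", "device-2"}


def sessions_for_identifier(ident):
    """Sessions in scope of a single iss_sub identifier.

    With a category (assumed claim name "subject_category") the receiver
    looks in exactly one identifier space. Without one it has to probe every
    space it knows, which is the disambiguation cost the call discussed; a
    value present in both spaces would be taken as a user here.
    """
    if ident.get("subject_type") != "iss_sub":
        raise ValueError("unsupported subject_type: %r" % ident.get("subject_type"))
    sub = ident["sub"]
    category = ident.get("subject_category")
    if category == "user" or (category is None and sub in USERS):
        return {s for (u, _), ss in SESSIONS.items() if u == sub for s in ss}
    if category == "device" or (category is None and sub in DEVICES):
        return {s for (_, d), ss in SESSIONS.items() if d == sub for s in ss}
    return set()


def revoked_sessions(set_payload):
    """Sessions an all-sessions-revoked SET asks the receiver to drop.

    A list-valued "subject" is the intersection of its identifiers (the
    proposed "AND" semantics); a single object is handled the same way.
    """
    revoked = set()
    for event_type, body in set_payload["events"].items():
        if event_type != ALL_SESSIONS_REVOKED:
            continue  # other event types are outside this example
        subject = body["subject"]
        identifiers = subject if isinstance(subject, list) else [subject]
        scope = None
        for ident in identifiers:
            matched = sessions_for_identifier(ident)
            scope = matched if scope is None else scope & matched
        revoked |= scope or set()
    return revoked


def make_identifier(sub, category=None):
    """Constructed iss_sub identifier; the issuer is a placeholder."""
    ident = {"subject_type": "iss_sub", "iss": "https://idp.example.com/", "sub": sub}
    if category is not None:
        ident["subject_category"] = category  # assumed claim name
    return ident


def make_set(subject):
    """Constructed SET payload shaped like the examples in the thread;
    iss, jti, iat and aud are placeholders."""
    return {
        "iss": "https://idp.example.com/",
        "jti": "example-jti",
        "iat": 1596468414,
        "aud": "example-aud",
        "events": {ALL_SESSIONS_REVOKED: {"subject": subject}},
    }


if __name__ == "__main__":
    # Scenario #1: this user AND this device -> only that pairing's sessions.
    print(revoked_sessions(make_set([make_identifier("user-A"),
                                     make_identifier("device-1")])))  # {'s1'}
    # Scenario #2: this device alone -> every user's sessions on it.
    print(revoked_sessions(make_set(make_identifier("device-1"))))  # {'s1', 's3'}
    # Category form of scenario #2 (assumed claim): no probing of spaces needed.
    print(revoked_sessions(make_set(make_identifier("device-1", "device"))))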