[Openid-specs-risc] Subject categories

Atul Tulshibagwale atultulshi at google.com
Wed Aug 19 18:05:01 UTC 2020


Hi all,
As agreed on the SSE call yesterday, I'd like to present a use-case where I
believe subject categories within a subject identifier are useful. I
encourage others to also send such emails in advance of the call next
Tuesday, so that there's more clarity on the viewpoints and use-cases.

My use case:
Say an SSE Transmitter wants to signal that the authentication for a certain
user on a certain device has weakened (due to some change initiated,
observed or inferred by the transmitter). The user may have authenticated
to many devices, and one device may have sessions for multiple users.

In this case, the possibilities for conveying such information through an
event are:

   1. Include two subject identifiers in a single event. The SSE spec can
   define that when multiple subjects are present within the same event, the
   subject is identified as an "AND" of all such subject identifiers. This was
   a point of confusion in yesterday's call, but I believe this can be
   clarified in the specification and will not be a point of confusion once
   clarified. Each subject identifier specifies the category that it applies
   to (i.e., one subject identifier is for the user category and another for
   the device category).
   2. Define the "authentication status change" event such that it can take
   multiple optional fields. A field can be "user", another can be "device".

Sending multiple events, one with a user subject and another with a device
subject, is not really a choice because it will mean the first event applies
everywhere the user is logged in, and the second event applies to all
users logged into the device.

Having the subject category will help if the user is identified by the
subject identifier type "phone number", to clarify that the subject refers
to the user and not the device.

Option 1 is better because it is independent of the event type. Processing
multiple subject identifiers with a well defined combination semantics will
help identify subjects that the event applies to in advance of processing
the specific event.

Option 2 intertwines the logic of event processing with subject
identification and can cause an implementer to have more code that differs
slightly in handling each event that has multiple subject possibilities.

Atul
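The two options above, worked through as an added example that is not part of the original post or of the SSE specification. The event type URI, the JSON shape of the categorized subject list, the "phone_number" and "opaque" identifier formats and the session table are all constructed for illustration; the point it shows is the one the post makes: with AND semantics over categorized subject identifiers, one generic resolver finds exactly the user-on-device sessions, while splitting the signal into a user-only and a device-only event over-matches.

```python
"""Added example (hypothetical shapes, not the SSE spec's wire format):
compare Option 1 (categorized subject identifiers, AND semantics) with
Option 2 (event-specific 'user'/'device' fields) and with the rejected
alternative of sending two single-subject events."""
import json

# Hypothetical event type URI; the real SSE event URIs are not used here.
EVENT_TYPE = "https://example.invalid/event-type/auth-status-change"

# Constructed session table a Receiver might hold: one user on several
# devices (s1, s2) and one device with sessions for several users (s1, s3).
SESSIONS = [
    {"session_id": "s1", "user_phone": "+15551230001", "device_id": "dev-A"},
    {"session_id": "s2", "user_phone": "+15551230001", "device_id": "dev-B"},
    {"session_id": "s3", "user_phone": "+15551230002", "device_id": "dev-A"},
    {"session_id": "s4", "user_phone": "+15551230003", "device_id": "dev-C"},
]


def option1_event(user_phone, device_id):
    """Option 1: a list of subject identifiers, each tagged with the
    category it applies to; the event's subject is the AND of them."""
    return {"events": {EVENT_TYPE: {
        "subject": [
            {"category": "user", "format": "phone_number",
             "phone_number": user_phone},
            {"category": "device", "format": "opaque", "id": device_id},
        ],
        "status": "weakened",
    }}}


def option2_event(user_phone, device_id):
    """Option 2: the event type itself defines optional 'user' and
    'device' fields, so subject handling is specific to this event."""
    return {"events": {EVENT_TYPE: {
        "user": {"format": "phone_number", "phone_number": user_phone},
        "device": {"format": "opaque", "id": device_id},
        "status": "weakened",
    }}}


def _identifier_matches(ident, session):
    """Match one categorized identifier against a session. The category
    chooses which session attribute is compared, so a phone number in the
    'user' category is never mistaken for a device identifier."""
    cat, fmt = ident["category"], ident["format"]
    if cat == "user" and fmt == "phone_number":
        return session["user_phone"] == ident["phone_number"]
    if cat == "device" and fmt == "opaque":
        return session["device_id"] == ident["id"]
    return False  # unknown category/format pair: matches nothing


def resolve_option1(event, sessions=SESSIONS):
    """Event-type-independent resolution: a session is affected only if
    ALL subject identifiers in the event match it (AND semantics)."""
    payload = next(iter(event["events"].values()))
    idents = payload["subject"]
    return sorted(s["session_id"] for s in sessions
                  if all(_identifier_matches(i, s) for i in idents))


def resolve_option2(event, sessions=SESSIONS):
    """Option 2 needs a handler that knows this event type's fields;
    every other multi-subject event type would need its own variant."""
    payload = event["events"][EVENT_TYPE]
    affected = []
    for s in sessions:
        if "user" in payload and s["user_phone"] != payload["user"]["phone_number"]:
            continue
        if "device" in payload and s["device_id"] != payload["device"]["id"]:
            continue
        affected.append(s["session_id"])
    return sorted(affected)


def resolve_as_two_events(user_phone, device_id, sessions=SESSIONS):
    """The alternative the post rejects: a user-only event plus a
    device-only event, each resolved on its own. The union covers every
    device the user is on and every user on the device."""
    user_only = {"events": {EVENT_TYPE: {"subject": [
        {"category": "user", "format": "phone_number", "phone_number": user_phone}]}}}
    device_only = {"events": {EVENT_TYPE: {"subject": [
        {"category": "device", "format": "opaque", "id": device_id}]}}}
    return sorted(set(resolve_option1(user_only, sessions))
                  | set(resolve_option1(device_only, sessions)))


if __name__ == "__main__":
    ev = option1_event("+15551230001", "dev-A")
    print(json.dumps(ev, indent=2))
    print("option 1 (AND):   ", resolve_option1(ev))
    print("option 2:         ", resolve_option2(option2_event("+15551230001", "dev-A")))
    print("two single events:", resolve_as_two_events("+15551230001", "dev-A"))
```

Both options resolve the same sessions for this event; the difference is that `resolve_option1` contains no knowledge of the event type, so the same code would serve any event carrying a categorized subject list, whereas `resolve_option2` has to be rewritten for each event type that admits multiple subjects.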