[Openid-specs-risc] Fw: [Id-event] Late comment on experience with draft-ietf-secevent-subject-identifiers-12
Tim Cappalli
Tim.Cappalli at microsoft.com
Thu Nov 10 20:47:42 UTC 2022
fyi. probably something we should discuss.
________________________________
From: Id-event <id-event-bounces at ietf.org> on behalf of Phillip Hunt <phil.hunt at independentid.com>
Sent: Thursday, August 25, 2022 13:01
To: ID Events Mailing List <id-event at ietf.org>
Subject: [Id-event] Late comment on experience with draft-ietf-secevent-subject-identifiers-12
Apologies for this late feedback. I felt it important to share my recent (right now) after recent review of interop with the OpenID Shared Signals draft and the new SCIM WG SCIM Events Profile draft (draft-ietf-scim-events-00<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-scim-events%2F&data=05%7C01%7Ctim.cappalli%40microsoft.com%7Cf8e6f8ebf6af460727a708da86bb7e0f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637970437110186712%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NkAhfsj7a59eZjf0lVveOp97rW3MC%2BpvC9QT1Rerkds%3D&reserved=0>).
It appears there is potential for interop concerns or mistakes arising because the examples in this draft suggests profilers to embed subject identifiers inside of the events claim that may suggest multiple events about different subjects are possible (contrary to RFC8417). A best practice would be to use the “sub_id” to hold such claims. It should be noted that the use of subject identifiers in event “payloads” should be supplemental to sub_id. A SET that contains multiple events about the same transaction must be about the same top-level identifier “sub_id” (per section 2.0 of RFC8417).
For example in SCIM Events, a SET could be issued that contains both a provisioning event (urn:ietf:params:event:SCIM:prov:patch) AND a signal (urn:ietf:params:event:SCIM:sig:authMethod). In the current draft the “sub” claim ties the events together to indicate the event occurs from the same transaction about the same subject.
In contrast, the OpenID RISC Profile embeds subjects in events:
https://openid.net/specs/openid-risc-profile-specification-1_0-01.html<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-risc-profile-specification-1_0-01.html&data=05%7C01%7Ctim.cappalli%40microsoft.com%7Cf8e6f8ebf6af460727a708da86bb7e0f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637970437110186712%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=P3dAFDqdDqaDhqJy17ks0KIvDFCuNQxzUnxGmrECM24%3D&reserved=0>
The interop concern is:
* Subject information located in differing places (top level sub_id claim or embedded in event payloads)
* A possible impression a SET can contain multiple events with per event identifiers about different subjects contrary to section 2 RFC8417
I would like the authors to consider adjusting the draft to more strongly recommend “sub_id” as the main claim and that subject objects in event payloads SHOULD be specific to that event type (ie. as a supplemental context).
>From an inter-op perspective it is much easier to write code to look for sub_id and recognize it as a standard json object.
I ran into this problem recently implementing SET for SCIM Events and testing interop with the implementation described at SharedSignals.guide. In this implementation, events are only accepted if subject is embedded in the event “payload” rather than as a top-level claim (“sub-id”).
Further I have been asked if SCIM Events could adopt support this draft. If SCIM were to support it, we would use the ’sub_id’ claim. Off the top, this would make SCIM incompatible with the implementation of sharedsignals.guide which implements SSEF (https://openid.net/specs/openid-sse-framework-1_0-ID1.html<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-sse-framework-1_0-ID1.html&data=05%7C01%7Ctim.cappalli%40microsoft.com%7Cf8e6f8ebf6af460727a708da86bb7e0f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637970437110186712%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=YkXxDr%2F%2B644rJDiWPHjN%2BE2gr%2FROlPX7dXyxe%2BfiC9A%3D&reserved=0>).
Phillip Hunt
@independentid
phil.hunt at independentid.com<mailto:phil.hunt at independentid.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20221110/cd8316e0/attachment.html>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ATT00001.txt
URL: <http://lists.openid.net/pipermail/openid-specs-risc/attachments/20221110/cd8316e0/attachment.txt>
More information about the Openid-specs-risc
mailing list