<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>

</head>

<body dir="ltr">

<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

Shayne,</div>

<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

<br>

</div>

<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

Can we discuss this on the WG call on Tuesday? I agree that this is too ambiguous so let's discuss how to fix the spec text.</div>

<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

<br>

</div>

<div style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">

Tim</div>

<div id="appendonsend"></div>

<div style="font-family:Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">

<br>

</div>

<hr tabindex="-1" style="display:inline-block; width:98%">

<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Openid-specs-risc <openid-specs-risc-bounces@lists.openid.net> on behalf of Shayne Miel (smiel) via Openid-specs-risc <openid-specs-risc@lists.openid.net><br>

<b>Sent:</b> Wednesday, October 6, 2021 11:55<br>

<b>To:</b> Openid-specs-risc@lists.openid.net <Openid-specs-risc@lists.openid.net><br>

<b>Subject:</b> [Openid-specs-risc] Questions about Subject in SSE events</font>

<div> </div>

</div>

<div dir="ltr">

<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">

I have two questions about how to encode subjects in SSE events:</div>

<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">

<br>

</div>

<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">

<ol>

<li>In <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-sse-framework-1_0-01.html%23subject-ids&data=04%7C01%7Ctim.cappalli%40microsoft.com%7C031e210f95bf46b81f6308d988e1c807%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637691326519039191%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=%2BDyIRsBk%2FV4W9U%2BGq%2F2YF7QVh2zbl7xsGqa43yK42Ss%3D&reserved=0" originalsrc="https://openid.net/specs/openid-sse-framework-1_0-01.html#subject-ids" shash="C96rh6T/IMdC9gZ+60ae3BnIb/+2h1Q2HJPo6n7ivF2ubBma0le1s2+UvzIwE4vHtANa3j+oYnY4acjvOJ3NRP36sLPsLIJJZW9t4xnfdOQUqUHgPM9jXyCgQAL7QiL1mgXP0zSMxeQ0AmUntWXJhlMOet8M23VF+Q8LhF6ESII=" title="https://openid.net/specs/openid-sse-framework-1_0-01.html#subject-ids">

section 3</a> of the SSE Framework spec it says that a claim of Subject type can have

<i>any</i> name and section 3.1 shows an example with "transferrer" as the claim. All of the examples in the CAEP and RISC specs use "subject" as the claim. Should there be something in the specification that enforces the use of "subject" as the claim name?

 If not, how should receivers know how to parse the event?</li><li>In the CAEP spec the examples all show the subject type indicated with the "format" field, which appears to be correct as described in

<a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-secevent-subject-identifiers%23section-3&data=04%7C01%7Ctim.cappalli%40microsoft.com%7C031e210f95bf46b81f6308d988e1c807%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637691326519049190%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=SGwJ2ESR2VRMhAZtmZPYGoC22LY7SSshYxVFADoJ7R4%3D&reserved=0" originalsrc="https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers#section-3" shash="aaLb5eCOdcLyDqxdKKr2vLLZaoyZj+G9YOtMjPJmdKL7n0O/zcleBwl0rHFw/BOykc4zm0kv+pe8kyA1HPWZSmE6qdQUo2W8WcEED0RlcnF+cBmERbpgoddVUafpkbsihX5TYbM9VhX6g03VYjQlDZtR4jaeD3HkBv4A0ZwqHXw=" title="https://datatracker.ietf.org/doc/html/draft-ietf-secevent-subject-identifiers#section-3">

section 3 of the Subject Identifiers spec</a>. However, in the RISC spec all of the examples show that the subject type is identified with a "subject_type" field. Are the RISC spec examples incorrect? </li></ol>

</div>

<div>

<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">

<br>

</div>

<div id="x_Signature">

<div>

<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">

<table style="box-sizing:border-box; border-collapse:collapse; border-spacing:0px; max-width:100%; color:rgb(51,51,51); font-family:"Helvetica Neue",Helvetica,Arial,sans-serif; font-size:12px; text-align:start">

<tbody style="box-sizing:border-box">

<tr style="box-sizing:border-box">

<td width="50" style="box-sizing:border-box"><img width="50" height="50" style="box-sizing:border-box; vertical-align:middle; display:block" src="https://duo.com/assets/img/email/duo-logo-email-signature.gif"></td>

<td width="10" style="box-sizing:border-box"><img width="10" height="50" style="box-sizing:border-box; vertical-align:middle; display:block" src="https://duo.com/assets/img/email/spacer.gif"></td>

<td style="box-sizing:border-box">

<div style="box-sizing:border-box; margin:0px; font-family:Helvetica,sans-serif; display:inline">

<strong style="box-sizing:border-box; font-weight:bold; display:inline">Shayne Miel</strong><span> </span>

<div style="box-sizing:border-box; margin:0px; display:inline"><span style="box-sizing:border-box; color:rgb(153,153,153)">/</span><span> </span><span style="box-sizing:border-box">Engineering Technical Leader (he, him, his)</span></div>

<div style="box-sizing:border-box; margin:0px; display:inline"><br style="box-sizing:border-box">

<a href="mailto:smiel@cisco.com" style="box-sizing:border-box; color:rgb(99,178,70)">smiel@cisco.com</a></div>

<div style="box-sizing:border-box; margin:0px; display:inline"><br style="box-sizing:border-box">

<span style="box-sizing:border-box">(919) 923-6230</span><span style="box-sizing:border-box"></span></div>

<div style="box-sizing:border-box; margin:0px; display:inline"><br style="box-sizing:border-box; display:inline">

<a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fduo.com%2F&data=04%7C01%7Ctim.cappalli%40microsoft.com%7C031e210f95bf46b81f6308d988e1c807%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637691326519049190%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=2W7klgTC%2FSuVxtmZaMxlnpWtlh43rALQii6HSUNsHvg%3D&reserved=0" originalsrc="https://duo.com/" shash="DD/ipD8xxvmHK+zQhVUAjwMwqiuYx9x3/d8qZ2MPrVc6dxoUTT4Cd1HxazYoaf0xJM4F8j5o3Gd/CI474CZeZVbWlnARvOp7NgRVK5Scq6DhcNRl5Kh/SzC4XjFYQ4bRH9y0UAo2AwLHwPCebgzD3xBUqhA0UFyaM5h7sl1B6XQ=" style="box-sizing:border-box; color:rgb(99,178,70)">Duo.com</a></div>

</div>

</td>

<td style="box-sizing:border-box"><img width="1" height="50" style="box-sizing:border-box; vertical-align:middle; display:block" src="https://duo.com/assets/img/email/spacer.gif"></td>

</tr>

<tr style="box-sizing:border-box">

<td colspan="4" style="box-sizing:border-box">

<div style="box-sizing:border-box; margin:0px; display:inline"><br style="box-sizing:border-box">

<span style="box-sizing:border-box; display:inline">----------<br style="box-sizing:border-box">

Duo Security is<span> </span><a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fduo.com%2Fabout%2Fpress%2Freleases%2Fcisco-completes-acquisition-of-duo-security&data=04%7C01%7Ctim.cappalli%40microsoft.com%7C031e210f95bf46b81f6308d988e1c807%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637691326519059181%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=eIVqc4Ou%2Buyra%2FUm2nrsLLn4EC8%2BTSItPin4xVEbsiQ%3D&reserved=0" originalsrc="https://duo.com/about/press/releases/cisco-completes-acquisition-of-duo-security" shash="zGrGd33cfNkpCMx5y7Ii7NycdhNzIlKbLvqac3cJGsuRN3tZw0KPK+shcaR4wSeIIoE7b58bXwjJX2tEdiRCj58yZVolN4DD6k5l9LLVJM+NZaSp3IkZCpPzkhxBqwyoq+yNadUv7+KTkG6NEKwt+WFi4qlSK7O1PG4to2knITw=" style="box-sizing:border-box; color:rgb(99,178,70)">now

 part of Cisco</a>.</span></div>

</td>

</tr>

</tbody>

</table>

<br>

</div>

</div>

</div>

</div>

</div>

</body>

</html>