Diff: draft-ietf-secevent-http-push-06.txt vs. draft-ietf-secevent-http-push-07.txt
(text identical in both drafts is shown once; where the drafts differ,
the variants are marked [draft-06] and [draft-07])

Security Events Working Group                           A. Backman, Ed.
Internet-Draft                                                   Amazon
Intended status: Standards Track                          M. Jones, Ed.
Expires: November 10, 2019 [draft-06] / January 9, 2020 [draft-07]
                                                              Microsoft
                                                           M. Scurtescu
                                                               Coinbase
                                                              M. Ansari
                                                                  Cisco
                                                             A. Nadalin
                                                              Microsoft
                       May 9, 2019 [draft-06] / July 8, 2019 [draft-07]

        Push-Based Security Event Token (SET) Delivery Using HTTP
   draft-ietf-secevent-http-push-06 [draft-06] / draft-ietf-secevent-http-push-07 [draft-07]
Abstract

   This specification defines how a Security Event Token (SET) may be
   delivered to an intended recipient using HTTP POST.  The SET is
   transmitted in the body of an HTTP POST request to an endpoint
   operated by the recipient, and the recipient indicates successful or
   failed transmission via the HTTP response.

Status of This Memo

   [... unchanged text omitted; diff resumes at page 1, line 41 ...]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 10, 2019 [draft-06] /
   January 9, 2020 [draft-07].

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [... unchanged text omitted; diff resumes at page 2, line 40 ...]

   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  10
     7.1.  Security Event Token Delivery Error Codes . . . . . . . .  10
       7.1.1.  Registration Template . . . . . . . . . . . . . . . .  11
       7.1.2.  Initial Registry Contents . . . . . . . . . . . . . .  11
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  12
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  12
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  13
   Appendix A.  Other Streaming Specifications . . . . . . . . . . .  14
   Appendix B.  Acknowledgments  . . . . . . . . . . . . . . . . . .  15
   Appendix C.  Change Log . . . . . . . . . . . . . . . . . . . . .  16
   Authors' Addresses  . . . . . . . . . . . .  19 [draft-06] / 20 [draft-07]
1.  Introduction and Overview

   This specification defines a mechanism by which a transmitter of a
   Security Event Token (SET) [RFC8417] may deliver the SET to an
   intended recipient via HTTP POST [RFC7231].

   Push-Based SET Delivery over HTTP POST is intended for scenarios
   where all of the following apply:

   o  The transmitter of the SET is capable of making outbound HTTP
      requests.

   o  The recipient is capable of hosting an HTTP endpoint that is
      accessible to the transmitter.

   o  The transmitter and recipient are known to one another.

   A mechanism for exchanging configuration metadata such as endpoint
   URLs and cryptographic key parameters between the transmitter and
   recipient is out of scope for this specification.  (draft-06 read
   "this specifications"; draft-07 corrects it to "this specification".)
1.1.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   Throughout this document, all figures may contain spaces and extra
   line-wrapping for readability and due to space limitations.

1.2.  Definitions

   [Added in draft-07:]
   This specification utilizes the following terms defined in [RFC8417]:
   "Security Event Token (SET)", "SET Issuer", "SET Recipient", and
   "Event Payload".

   This specification utilizes terminology defined in [RFC8417], as well
   as the terms defined below:

   SET Transmitter  An entity that delivers SETs in its possession to
      one or more SET Recipients.  (Same wording in both drafts; draft-07
      only reflows the definition onto the term's line.)

   [Present in draft-06, removed in draft-07:]
   SET Recipient
      An entity that receives SETs through some distribution method.
2.  SET Delivery

   To deliver a SET to a given SET Recipient, the SET Transmitter makes
   a SET transmission request to the SET Recipient, with the SET itself
   contained within the request.  The SET Recipient replies to this
   request with a response either acknowledging successful transmission
   of the SET or indicating that an error occurred while receiving,
   parsing, and/or validating the SET.
   [... unchanged text omitted; diff resumes at page 8, line 21 ...]

   Error Codes" registry established by Section 7.1.

   The following table presents the initial set of Error Codes that are
   registered in the IANA "Security Event Token Delivery Error Codes"
   registry:

   +-----------------------+-------------------------------------------+
   | Error Code            | Description                               |
   +-----------------------+-------------------------------------------+
   | invalid_request       | The request body cannot be parsed as a    |
   |                       | SET, or the Event Payload within the SET  |
   |                       | does not conform to the event's           |
   |                       | definition.                               |
   | invalid_key           | One or more keys used to encrypt or sign  |
   |                       | the SET is invalid or otherwise           |
   |                       | unacceptable to the SET Recipient. (e.g., |
   |                       | expired, revoked, failed certificate      |
   |                       | validation, etc.)                         |
   | authentication_failed | The SET Recipient could not authenticate  |
   |                       | the SET Transmitter from the contents of  |
   |                       | the request.                              |

   (The only change in this table is capitalization: draft-06 wrote
   "event payload" in the invalid_request description; draft-07 writes
   "Event Payload", matching the RFC 8417 term.)
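As an added illustration, not part of either draft, the following Python sketch shows how a SET Recipient endpoint would process one SET transmission request (Section 2) and map the failures it detects onto the three error codes registered above. It assumes HS256-signed SETs with a shared secret looked up by the JOSE "kid" header, bearer-token authentication of the SET Transmitter, and a failure response of HTTP 400 carrying a JSON body with "err" and "description" members and a success response of HTTP 202 with no body; those response details come from the draft's SET delivery section, which this diff page does not reproduce, so treat them as assumptions of the example. The key table, token and sample SET are all constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed key table: JOSE "kid" -> shared HS256 secret this SET Recipient
# accepts.  How keys are exchanged is out of scope for the specification.
ACCEPTED_KEYS = {"key-2019-07": b"constructed-shared-secret-do-not-reuse"}

# Constructed bearer token the SET Transmitter presents to authenticate
# itself.  The draft leaves the HTTP authentication method open; bearer is
# an assumption of this example.
TRANSMITTER_TOKENS = {"constructed-transmitter-token"}

SET_MEDIA_TYPE = "application/secevent+jwt"  # registered by RFC 8417


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def mint_set(payload, kid, secret):
    """Produce an HS256-signed SET (JWS compact serialization) as sample input."""
    header = {"typ": "secevent+jwt", "alg": "HS256", "kid": kid}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def _failure(code, description):
    # Assumed failure response shape: HTTP 400 with a JSON body naming the
    # registered error code plus a human-readable description.
    return 400, {"err": code, "description": description}


def receive_set(headers, body):
    """Handle one SET transmission request; return (http_status, response_body).

    The Transmitter is authenticated before the body is touched, so an
    unauthenticated caller learns nothing about key or parsing state.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or auth[len("Bearer "):] not in TRANSMITTER_TOKENS:
        return _failure("authentication_failed",
                        "SET Transmitter could not be authenticated from the request")

    if headers.get("Content-Type") != SET_MEDIA_TYPE:
        return _failure("invalid_request", "Content-Type must be " + SET_MEDIA_TYPE)

    # Parse the JWS compact serialization; any structural defect means
    # "the request body cannot be parsed as a SET".
    try:
        h_b64, p_b64, s_b64 = body.decode("ascii").split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
        if not isinstance(header, dict) or not isinstance(payload, dict):
            raise ValueError("JOSE header and claims must be JSON objects")
    except ValueError:  # also covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return _failure("invalid_request", "request body is not a JWS-serialized SET")

    # Key acceptance: the signing key and algorithm must be ones this
    # Recipient trusts.
    kid = header.get("kid")
    if header.get("alg") != "HS256" or kid not in ACCEPTED_KEYS:
        return _failure("invalid_key", "signing key or algorithm not acceptable")
    expected = hmac.new(ACCEPTED_KEYS[kid], (h_b64 + "." + p_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        # The registry does not name this case explicitly; it is classed as
        # invalid_key here because the key the SET was signed with is not the
        # one the Recipient holds under that "kid".
        return _failure("invalid_key", "SET signature does not verify")

    # SET-level validation per RFC 8417: the typ header and required claims.
    events = payload.get("events")
    if (header.get("typ") != "secevent+jwt" or not isinstance(events, dict)
            or not events or not {"iss", "iat", "jti"} <= payload.keys()):
        return _failure("invalid_request", "JWT is not a well-formed SET")

    # Success: assumed acknowledgement is 202 Accepted with an empty body.
    return 202, None


# Constructed sample exchange: one valid SET from an authenticated Transmitter.
SAMPLE_SET = mint_set(
    {"iss": "https://transmitter.example", "jti": "constructed-jti-1",
     "iat": 1562544000, "aud": "https://recipient.example",
     "events": {"https://example.invalid/events/constructed": {}}},
    "key-2019-07", ACCEPTED_KEYS["key-2019-07"])
SAMPLE_HEADERS = {"Authorization": "Bearer constructed-transmitter-token",
                  "Content-Type": SET_MEDIA_TYPE}

if __name__ == "__main__":
    print(receive_set(SAMPLE_HEADERS, SAMPLE_SET.encode("ascii")))
```

The check order is the design point: authentication first, then media type and parsing, then key acceptance and signature, then SET-level claims. Each stage maps to exactly one registered code, so a Transmitter reading the "err" member can tell whether to fix its credentials, its key material, or the SET itself.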
   [... unchanged text omitted; diff resumes at page 19, line 32 ...]

   o  Reworded guidance around signing and/or encrypting SETs for
      integrity protection.

   o  Renamed TLS "Support Considerations" section to "Confidentiality
      of SETs".

   o  Reworded guidance around subject identifier selection and privacy
      concerns.

   [Added in draft-07:]

   Draft 06 - mbj, MS:

   o  Made minor editorial corrections.

   o  Updated to indicate that failure response should be returned if
      errors occur in authenticating the SET.

   o  Updated reference for JSON from RFC 7159 to RFC 8259.

   o  Fixed Authentication Using Signed SETs to indicate the SET
      Transmitter must be authorized to deliver the SET, not the SET
      Issuer.

   o  Fixed Authenticating Persisted SETs to put the responsibility for
      ensuring the SET is signed on the SET Recipient.

   o  Fixed error code format definition to match error codes defined in
      doc.

   Draft 07 - AB:

   o  Made minor editorial corrections.

   o  Removed "SET Recipient" definition and added explicit list of
      terms used from RFC8417.
Authors' Addresses

   Annabelle Backman (editor)
   Amazon

   Email: richanna@amazon.com

   Michael B. Jones (editor)
   Microsoft
End of changes.  10 change blocks.  13 lines changed or deleted, 39 lines changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/