< draft-ietf-secevent-subject-identifiers-02.txt   draft-ietf-secevent-subject-identifiers-03.txt >
Security Events Working Group A. Backman, Ed. Security Events Working Group A. Backman, Ed.
Internet-Draft Amazon Internet-Draft Amazon
Intended status: Standards Track M. Scurtescu Intended status: Standards Track M. Scurtescu
Expires: April 26, 2019 Coinbase Expires: September 12, 2019 Coinbase
October 23, 2018 March 11, 2019
Subject Identifiers for Security Event Tokens Subject Identifiers for Security Event Tokens
draft-ietf-secevent-subject-identifiers-02 draft-ietf-secevent-subject-identifiers-03
Abstract Abstract
Security events communicated within Security Event Tokens may support Security events communicated within Security Event Tokens may support
a variety of identifiers to identify the subject and/or other a variety of identifiers to identify the subject and/or other
principals related to the event. This specification formalizes the principals related to the event. This specification formalizes the
notion of subject identifiers as named sets of well-defined claims notion of subject identifiers as named sets of well-defined claims
describing the subject, a mechanism for representing subject describing the subject, a mechanism for representing subject
identifiers within a [JSON] object such as a JSON Web Token [JWT] or identifiers within a [JSON] object such as a JSON Web Token [JWT] or
Security Event Token [SET], and a registry for defining and Security Event Token [SET], and a registry for defining and
skipping to change at page 1, line 38 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 26, 2019. This Internet-Draft will expire on September 12, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Notational Conventions . . . . . . . . . . . . . . . . . . . 3 2. Notational Conventions . . . . . . . . . . . . . . . . . . . 3
3. Subject Identifiers . . . . . . . . . . . . . . . . . . . . . 3 3. Subject Identifiers . . . . . . . . . . . . . . . . . . . . . 3
3.1. Email Subject Identifier Type . . . . . . . . . . . . . . 3 3.1. Account Subject Identifier Type . . . . . . . . . . . . . 3
3.2. Phone Number Subject Identifier Type . . . . . . . . . . 4 3.2. Email Subject Identifier Type . . . . . . . . . . . . . . 4
3.3. Issuer and Subject Subject Identifier Type . . . . . . . 4 3.2.1. Email Canonicalization . . . . . . . . . . . . . . . 4
3.4. ID Token Claims Subject Identifier Type . . . . . . . . . 5 3.3. Phone Number Subject Identifier Type . . . . . . . . . . 5
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 3.4. Issuer and Subject Subject Identifier Type . . . . . . . 5
4.1. Security Event Subject Identifier Types Registry . . . . 6 3.5. Aliases Subject Identifier Type . . . . . . . . . . . . . 5
4.1.1. Registration Template . . . . . . . . . . . . . . . . 6 4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6
4.1.2. Initial Registry Contents . . . . . . . . . . . . . . 7 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6
4.1.3. Guidance for Expert Reviewers . . . . . . . . . . . . 8 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
5. Privacy Considerations . . . . . . . . . . . . . . . . . . . 8 6.1. Security Event Subject Identifier Types Registry . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 6.1.1. Registration Template . . . . . . . . . . . . . . . . 7
7. Normative References . . . . . . . . . . . . . . . . . . . . 8 6.1.2. Initial Registry Contents . . . . . . . . . . . . . . 7
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 9 6.1.3. Guidance for Expert Reviewers . . . . . . . . . . . . 9
Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 7. Normative References . . . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 10
Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
As described in section 1.2 of [SET], the subject of a security event As described in section 1.2 of [SET], the subject of a security event
may take a variety of forms, including but not limited to a JWT may take a variety of forms, including but not limited to a JWT
principal, an IP address, a URL, etc. Furthermore, even in the case principal, an IP address, a URL, etc. Furthermore, even in the case
where the subject of an event is more narrowly scoped, there may be where the subject of an event is more narrowly scoped, there may be
multiple ways by which a given subject may be identified. For multiple ways by which a given subject may be identified. For
example, an account may be identified by an opaque identifier, an example, an account may be identified by an opaque identifier, an
email address, a phone number, a JWT "iss" claim and "sub" claim, email address, a phone number, a JWT "iss" claim and "sub" claim,
skipping to change at page 3, line 16 skipping to change at page 3, line 16
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Subject Identifiers 3. Subject Identifiers
A Subject Identifier Type is a light-weight schema that describes a A Subject Identifier Type is a light-weight schema that describes a
set of claims that identifies a subject. Every Subject Identifier set of claims that identifies a subject. Every Subject Identifier
Type MUST have a unique name registered in the IANA "Security Event Type MUST have a unique name registered in the IANA "Security Event
Subject Identifier Types" registry established by Section 4.1. A Subject Identifier Types" registry established by Section 6.1. A
Subject Identifier Type MAY describe more claims than are strictly Subject Identifier Type MAY describe more claims than are strictly
necessary to uniquely identify a subject, and MAY describe conditions necessary to identify a subject, and MAY describe conditions under
under which those claims are required, optional, or prohibited. which those claims are required, optional, or prohibited.
A Subject Identifier is a [JSON] object containing a "subject_type" A Subject Identifier is a [JSON] object containing a "subject_type"
claim whose value is the unique name of a Subject Identifier Type, claim whose value is the name of a Subject Identifier Type, and a set
and a set of additional "payload claims" which are to be interpreted of additional "payload claims" which are to be interpreted according
according to the rules defined by that Subject Identifier Type. to the rules defined by that Subject Identifier Type. Payload claim
Payload claim values MUST match the format specified for the claim by values MUST match the format specified for the claim by the Subject
the Subject Identifier Type. A Subject Identifier MUST NOT contain Identifier Type. A Subject Identifier MUST NOT contain any payload
any payload claims prohibited or not described by its Subject claims prohibited or not described by its Subject Identifier Type,
Identifier Type, and MUST contain all payload claims required by its and MUST contain all payload claims required by its Subject
Subject Identifier Type. Identifier Type.
The following Subject Identifier Types are registered in the IANA The following Subject Identifier Types are registered in the IANA
"Security Event Subject Identifier Types" registry established by "Security Event Subject Identifier Types" registry established by
Section 4.1. Section 6.1.
3.1. Email Subject Identifier Type 3.1. Account Subject Identifier Type
The Email Subject Identifier Type describes a subject that is a user The Account Subject Identifier Type describes a user account at a
account associated with an email address. Subject Identifiers of service provider, identified with an "acct" URI as defined in
this type MUST contain an "email" claim whose value is a string [RFC7565]. Subject Identifiers of this type MUST contain a "uri"
containing the email address of the subject, formatted as an "addr- claim whose value is the "acct" URI for the subject. The "uri" claim
spec" as defined in Section 3.4.1 of [RFC5322]. The "email" claim is is REQUIRED and MUST NOT be null or empty. The Account Subject
REQUIRED and MUST NOT be null or empty. The Email Subject Identifier Identifier Type is identified by the name "account".
Type is identified by the name "email".
Below is a non-normative example Subject Identifier for the Account
Subject Identifier Type:
{
"subject_type": "account",
"uri": "acct:example.user@service.example.com",
}
Figure 1: Example: Subject Identifier for the Account Subject
Identifier Type.
3.2. Email Subject Identifier Type
The Email Subject Identifier Type describes a principal identified
with an email address. Subject Identifiers of this type MUST contain
an "email" claim whose value is a string containing the email address
of the subject, formatted as an "addr-spec" as defined in
Section 3.4.1 of [RFC5322]. The "email" claim is REQUIRED and MUST
NOT be null or empty. The value of the "email" claim SHOULD identify
a mailbox to which email may be delivered, in accordance with
[RFC5321]. The Email Subject Identifier Type is identified by the
name "email".
Below is a non-normative example Subject Identifier for the Email Below is a non-normative example Subject Identifier for the Email
Subject Identifier Type: Subject Identifier Type:
{ {
"subject_type": "email", "subject_type": "email",
"email": "user@example.com", "email": "user@example.com",
} }
Figure 1: Example: Subject Identifier for the Email Subject Figure 2: Example: Subject Identifier for the Email Subject
Identifier Type. Identifier Type.
3.2. Phone Number Subject Identifier Type 3.2.1. Email Canonicalization
The Phone Number Subject Identifier Type describes a subject that is Many email providers will treat multiple email addresses as
a user account associated with a telephone number. Subject equivalent. For example, some providers treat email addresses as
Identifiers of this type MUST contain a "phone" claim whose value is case-insensitive, and consider "user@example.com",
a string containing the full telephone number of the subject, "User@example.com", and "USER@example.com" as the same email address.
including international dialing prefix, formatted according to E.164 This has led users to view these strings as equivalent, driving
[E164]. The "phone" claim is REQUIRED and MUST NOT be null or empty. service providers to implement proprietary email canonicalization
The Phone Number Subject Identifier Type is identified by the name algorithms to ensure that email addresses entered by users resolve to
"phone". the same canonical string. When receiving an Email Subject
Identifier, the recipient SHOULD use their implementation's
canonicalization algorithm to resolve the email address to the same
subject identifier string used in their system.
3.3. Phone Number Subject Identifier Type
The Phone Number Subject Identifier Type describes a principal
identified with a telephone number. Subject Identifiers of this type
MUST contain a "phone" claim whose value is a string containing the
full telephone number of the subject, including international dialing
prefix, formatted according to E.164 [E164]. The "phone" claim is
REQUIRED and MUST NOT be null or empty. The Phone Number Subject
Identifier Type is identified by the name "phone".
Below is a non-normative example Subject Identifier for the Email Below is a non-normative example Subject Identifier for the Email
Subject Identifier Type: Subject Identifier Type:
{ {
"subject_type": "phone", "subject_type": "phone",
"phone": "+12065550100", "phone": "+12065550100",
} }
Figure 2: Example: Subject Identifier for the Phone Number Subject Figure 3: Example: Subject Identifier for the Phone Number Subject
Identifier Type. Identifier Type.
3.3. Issuer and Subject Subject Identifier Type 3.4. Issuer and Subject Subject Identifier Type
The Issuer and Subject Subject Identifier Type describes a subject The Issuer and Subject Subject Identifier Type describes a principal
that is an account identified by a pair of "iss" and "sub" claims, as identified with a pair of "iss" and "sub" claims, as defined by
defined by [JWT]. These claims MUST follow the formats of the "iss" [JWT]. These claims MUST follow the formats of the "iss" claim and
claim and "sub" claim defined by [JWT], respectively. Both the "iss" "sub" claim defined by [JWT], respectively. Both the "iss" claim and
claim and the "sub" claim are REQUIRED and MUST NOT be null or empty. the "sub" claim are REQUIRED and MUST NOT be null or empty. The
The Issuer and Subject Subject Identifier Type is identified by the Issuer and Subject Subject Identifier Type is identified by the name
name "iss-sub". "iss-sub".
Below is a non-normative example Subject Identifier for the Issuer Below is a non-normative example Subject Identifier for the Issuer
and Subject Subject Identifier Type: and Subject Subject Identifier Type:
{ {
"subject_type": "iss-sub", "subject_type": "iss-sub",
"iss": "http://issuer.example.com/", "iss": "http://issuer.example.com/",
"sub": "145234573", "sub": "145234573",
} }
Figure 3: Example: Subject Identifier for the Issuer and Subject Figure 4: Example: Subject Identifier for the Issuer and Subject
Subject Identifier Type. Subject Identifier Type.
3.4. ID Token Claims Subject Identifier Type 3.5. Aliases Subject Identifier Type
The ID Token Claims Subject Identifier Type describes a subject that The Aliases Subject Identifier Type describes a subject that is
was the subject of a previously issued ID Token [IDTOKEN]. It is identified with a list of different Subject Identifiers. It is
intended for use when a variety of identifiers have been shared with intended for use when a variety of identifiers have been shared with
the party that will be interpreting the Subject Identifier, and it is the party that will be interpreting the Subject Identifier, and it is
unknown which of those identifiers they require. This type is unknown which of those identifiers they will recognize or support.
identified by the name "id-token-claims". Subject Identifiers of this type MUST contain an "identifiers" claim
whose value is a JSON array containing one or more Subject
Subject Identifiers of this type MUST contain at least one of the Identifiers. Each Subject Identifier in the array MUST identify the
following claims: same entity. The "identifiers" claim is REQUIRED and MUST NOT be
null or empty. It MAY contain multiple instances of the same Subject
email Identifier Type (e.g., multiple Email Subject Identifiers), but
An "email" claim, as defined in [IDTOKEN]. If present, the value SHOULD NOT contain exact duplicates. This type is identified by the
of this claim MUST NOT be null or empty. name "aliases".
phone_number
A "phone_number" claim, as defined in [IDTOKEN]. If present, the
value of this claim MUST NOT be null or empty.
sub
A "sub" claim, as defined in [RFC7519]. If present, the value of
this claim MUST NOT be null or empty.
iss
An "iss" claim, as defined in [RFC7519]. This claim is OPTIONAL,
unless a "sub" claim in present, in which case it is REQUIRED. If
present, its value MUST NOT be null or empty.
At least one of "email", "phone_number", or "sub" MUST be present.
Below is a non-normative example Subject Identifier for the ID Token Below is a non-normative example Subject Identifier for the Aliases
Claims Subject Identifier Type: Subject Identifier Type:
{ {
"subject_type": "id-token-claims", "subject_type": "aliases",
"iss": "http://issuer.example.com/", "identifiers": [
"sub": "145234573", {
"email": "user@example.com", "subject_type": "email",
"email": "user@example.com",
},
{
"subject_type": "phone",
"phone": "+12065550100",
},
{
"subject_type": "email",
"email": "user+qualifier@example.com",
}
],
} }
Figure 4: Example: Subject Identifier for the ID Token Claims Subject Figure 5: Example: Subject Identifier for the Aliases Subject
Identifier Type. Identifier Type.
4. IANA Considerations 4. Privacy Considerations
4.1. Security Event Subject Identifier Types Registry There are no privacy considerations.
5. Security Considerations
There are no security considerations.
6. IANA Considerations
6.1. Security Event Subject Identifier Types Registry
This document defines Subject Identifier Types, for which IANA is This document defines Subject Identifier Types, for which IANA is
asked to create and maintain a new registry titled "Security Event asked to create and maintain a new registry titled "Security Event
Subject Identifier Types". Initial values for the Security Event Subject Identifier Types". Initial values for the Security Event
Subject Identifier Types registry are given in Section 3. Future Subject Identifier Types registry are given in Section 3. Future
assignments are to be made through the Expert Review registration assignments are to be made through the Expert Review registration
policy [BCP26] and shall follow the template presented in policy [BCP26] and shall follow the template presented in
Section 4.1.1. Section 6.1.1.
4.1.1. Registration Template 6.1.1. Registration Template
Type Name Type Name
The name of the Subject Identifier Type, as described in The name of the Subject Identifier Type, as described in
Section 3. The name MUST be an ASCII string consisting only of Section 3. The name MUST be an ASCII string consisting only of
lower-case characters ("a" - "z"), digits ("0" - "9"), and hyphens lower-case characters ("a" - "z"), digits ("0" - "9"), and hyphens
("-"), and SHOULD NOT exceed 20 characters in length. ("-"), and SHOULD NOT exceed 20 characters in length.
Type Description Type Description
A brief description of the Subject Identifier Type. A brief description of the Subject Identifier Type.
skipping to change at page 7, line 7 skipping to change at page 7, line 42
Defining Document(s) Defining Document(s)
A reference to the document or documents that define the Subject A reference to the document or documents that define the Subject
Identifier Type. The definition MUST specify the name, format, Identifier Type. The definition MUST specify the name, format,
and meaning of each claim that may occur within a Subject and meaning of each claim that may occur within a Subject
Identifier of the defined type, as well as whether each claim is Identifier of the defined type, as well as whether each claim is
optional or required, or the circumstances under which the claim optional or required, or the circumstances under which the claim
is optional or required. URIs that can be used to retrieve copies is optional or required. URIs that can be used to retrieve copies
of each document SHOULD be included. of each document SHOULD be included.
4.1.2. Initial Registry Contents 6.1.2. Initial Registry Contents
4.1.2.1. Email Subject Identifier Type 6.1.2.1. Account Subject Identifier Type
o Type Name: "email" o Type Name: "account"
o Type Description: Subject identifier based on email address. o Type Description: Subject identifier based on "acct" URI.
o Change Controller: IETF secevent Working Group o Change Controller: IETF secevent Working Group
o Defining Document(s): Section 3 of this document. o Defining Document(s): Section 3 of this document.
4.1.2.2. ID Token Claims Subject Identifier Type 6.1.2.2. Email Subject Identifier Type
o Type Name: "id-token-claims" o Type Name: "email"
o Type Description: Subject identifier based on OpenID Connect ID o Type Description: Subject identifier based on email address.
Token claims.
o Change Controller: IETF secevent Working Group o Change Controller: IETF secevent Working Group
o Defining Document(s): Section 3 of this document. o Defining Document(s): Section 3 of this document.
4.1.2.3. Issuer and Subject Subject Identifier Type 6.1.2.3. Issuer and Subject Subject Identifier Type
o Type Name: "iss-sub" o Type Name: "iss-sub"
o Type Description: Subject identifier based on an issuer and o Type Description: Subject identifier based on an issuer and
subject. subject.
o Change Controller: IETF secevent Working Group o Change Controller: IETF secevent Working Group
o Defining Document(s): Section 3 of this document. o Defining Document(s): Section 3 of this document.
4.1.2.4. Phone Number Subject Identifier Type 6.1.2.4. Phone Number Subject Identifier Type
o Type Name: "phone" o Type Name: "phone"
o Type Description: Subject identifier based on an phone number. o Type Description: Subject identifier based on an phone number.
o Change Controller: IETF secevent Working Group o Change Controller: IETF secevent Working Group
o Defining Document(s): Section 3 of this document. o Defining Document(s): Section 3 of this document.
4.1.3. Guidance for Expert Reviewers 6.1.2.5. Aliases Subject Identifier Type
o Type Name: "aliases"
o Type Description: Subject identifier that groups together multiple
different subject identifiers for the same subject.
o Change Controller: IETF secevent Working Group
o Defining Document(s): Section 3 of this document.
6.1.3. Guidance for Expert Reviewers
The Expert Reviewer is expected to review the documentation The Expert Reviewer is expected to review the documentation
referenced in a registration request to verify its completeness. The referenced in a registration request to verify its completeness. The
Expert Reviewer must base their decision to accept or reject the Expert Reviewer must base their decision to accept or reject the
request on a fair and impartial assessment of the request. If the request on a fair and impartial assessment of the request. If the
Expert Reviewer has a conflict of interest, such as being an author Expert Reviewer has a conflict of interest, such as being an author
of a defining document referenced by the request, they must recuse of a defining document referenced by the request, they must recuse
themselves from the approval process for that request. In the case themselves from the approval process for that request. In the case
where a request is rejected, the Expert Reviewer should provide the where a request is rejected, the Expert Reviewer should provide the
requesting party with a written statement expressing the reason for requesting party with a written statement expressing the reason for
skipping to change at page 8, line 28 skipping to change at page 9, line 28
Subject Identifier Types need not be generally applicable and may be Subject Identifier Types need not be generally applicable and may be
highly specific to a particular domain; it is expected that types may highly specific to a particular domain; it is expected that types may
be registered for niche or industry-specific use cases. The Expert be registered for niche or industry-specific use cases. The Expert
Reviewer should focus on whether the type is thoroughly documented, Reviewer should focus on whether the type is thoroughly documented,
and whether its registration will promote or harm interoperability. and whether its registration will promote or harm interoperability.
In most cases, the Expert Reviewer should not approve a request if In most cases, the Expert Reviewer should not approve a request if
the registration would contribute to confusion, or amount to a the registration would contribute to confusion, or amount to a
synonym for an existing type. synonym for an existing type.
5. Privacy Considerations
There are no privacy considerations.
6. Security Considerations
There are no security considerations.
7. Normative References 7. Normative References
[BCP26] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [BCP26] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
[E164] International Telecommunication Union, "The international [E164] International Telecommunication Union, "The international
public telecommunication numbering plan", 2010, public telecommunication numbering plan", 2010,
<http://www.itu.int/rec/T-REC-E.164-201011-I/en>. <http://www.itu.int/rec/T-REC-E.164-201011-I/en>.
[IDTOKEN] Sakamura, N., Bradley, J., Jones, M., de Medeiros, B., and
C. Mortimore, "OpenID Connect Core 1.0 - ID Token", April
2017, <http://openid.net/specs/
openid-connect-core-1_0.html#IDToken>.
[JSON] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data [JSON] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March
2014, <https://www.rfc-editor.org/info/rfc7159>. 2014, <https://www.rfc-editor.org/info/rfc7159>.
[JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token [JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
<https://www.rfc-editor.org/info/rfc7519>. <https://www.rfc-editor.org/info/rfc7519>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
DOI 10.17487/RFC5321, October 2008,
<https://www.rfc-editor.org/info/rfc5321>.
[RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322,
DOI 10.17487/RFC5322, October 2008, DOI 10.17487/RFC5322, October 2008,
<https://www.rfc-editor.org/info/rfc5322>. <https://www.rfc-editor.org/info/rfc5322>.
[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token [RFC7565] Saint-Andre, P., "The 'acct' URI Scheme", RFC 7565,
(JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, DOI 10.17487/RFC7565, May 2015,
<https://www.rfc-editor.org/info/rfc7519>. <https://www.rfc-editor.org/info/rfc7565>.
[SET] Hunt, P., Ed., Jones, M., Denniss, W., and M. Ansari, [SET] Hunt, P., Ed., Jones, M., Denniss, W., and M. Ansari,
"Security Event Token (SET)", RFC 8417, "Security Event Token (SET)", RFC 8417,
DOI 10.17487/RFC8417, July 2018, DOI 10.17487/RFC8417, July 2018,
<https://www.rfc-editor.org/info/rfc8417>. <https://www.rfc-editor.org/info/rfc8417>.
Acknowledgements Acknowledgements
This document is based on work developed within the OpenID RISC This document is based on work developed within the OpenID RISC
Working Group. The authors would like to thank the members of this Working Group. The authors would like to thank the members of this
group for their hard work and contributions. group for their hard work and contributions.
Change Log Change Log
(This section to be removed by the RFC Editor before publication as (This section to be removed by the RFC Editor before publication as
an RFC.) an RFC.)
Draft 00 - AB - First draft Draft 00 - AB - First draft
Draft 01 - AB: * Added reference to RFC 5322 for format of "email" Draft 01 - AB:
claim. * Renamed "iss_sub" type to "iss-sub". * Renamed
"id_token_claims" type to "id-token-claims". * Added text specifying
the nature of the subjects described by each type.
Draft 02 - AB: * Corrected format of phone numbers in examples. * o Added reference to RFC 5322 for format of "email" claim.
Updated author info.
o Renamed "iss_sub" type to "iss-sub".
o Renamed "id_token_claims" type to "id-token-claims".
o Added text specifying the nature of the subjects described by each
type.
Draft 02 - AB:
o Corrected format of phone numbers in examples.
o Updated author info.
Draft 03 - AB:
o Added "account" type for "acct" URIs.
o Replaced "id-token-claims" type with "aliases" type.
o Added email canonicalization guidance.
o Updated semantics for "email", "phone", and "iss-sub" types.
Authors' Addresses Authors' Addresses
Annabelle Backman (editor) Annabelle Backman (editor)
Amazon Amazon
Email: richanna@amazon.com Email: richanna@amazon.com
Marius Scurtescu Marius Scurtescu
Coinbase Coinbase
 End of changes. 45 change blocks. 
132 lines changed or deleted 191 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/