rfcdiff: draft-ietf-secevent-subject-identifiers-00.txt vs. draft-ietf-secevent-subject-identifiers-01.txt

Header, -00:
Security Events Working Group                                  A. Backman
Internet-Draft                                                     Amazon
Intended status: Standards Track                             M. Scurtescu
Expires: January 19, 2019                                          Google
                                                            July 18, 2018

Header, -01:
Security Events Working Group                             A. Backman, Ed.
Internet-Draft                                                     Amazon
Intended status: Standards Track                             M. Scurtescu
Expires: April 25, 2019                                            Google
                                                         October 22, 2018

              Subject Identifiers for Security Event Tokens
   draft-ietf-secevent-subject-identifiers-00 / draft-ietf-secevent-subject-identifiers-01
Abstract

   Security events communicated within Security Event Tokens may support
   a variety of identifiers to identify the subject and/or other
   principals related to the event.  This specification formalizes the
   notion of subject identifiers as named sets of well-defined claims
   describing the subject, a mechanism for representing subject
   identifiers within a [JSON] object such as a JSON Web Token [JWT] or
   Security Event Token [SET], and a registry for defining and
   [skipping to change at page 1, line 38]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 19, 2019.            [-00]
   This Internet-Draft will expire on April 25, 2019.              [-01]

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   [skipping to change at page 2, line 18]
Table of Contents

   1.  Introduction
   2.  Notational Conventions
   3.  Subject Identifiers
     3.1.  Email Subject Identifier Type
     3.2.  Phone Number Subject Identifier Type
     3.3.  Issuer and Subject Subject Identifier Type
     3.4.  ID Token Claims Subject Identifier Type
   4.  IANA Considerations
     4.1.  Security Event Subject Identifier Types Registry
       4.1.1.  Registration Template
       4.1.2.  Initial Registry Contents
       4.1.3.  Guidance for Expert Reviewers
   5.  Privacy Considerations
   6.  Security Considerations
   7.  Normative References
   Acknowledgements
   Change Log
   Authors' Addresses
1.  Introduction

   As described in section 1.2 of [SET], the subject of a security event
   may take a variety of forms, including but not limited to a JWT
   principal, an IP address, a URL, etc.  Furthermore, even in the case
   where the subject of an event is more narrowly scoped, there may be
   multiple ways by which a given subject may be identified.  For
   example, an account may be identified by an opaque identifier, an
   email address, a phone number, a JWT "iss" claim and "sub" claim,
   [skipping to change at page 3, line 37]
   any payload claims prohibited or not described by its Subject
   Identifier Type, and MUST contain all payload claims required by its
   Subject Identifier Type.

   The following Subject Identifier Types are registered in the IANA
   "Security Event Subject Identifier Types" registry established by
   Section 4.1.
3.1.  Email Subject Identifier Type

   -00:
   The Email Subject Identifier Type describes a subject by email
   address.  Subject Identifiers of this type MUST contain an "email"
   claim whose value is a string containing the email address of the
   subject.  The "email" claim MUST NOT be null or empty.  The Email
   Subject Identifier Type is identified by the name "email".

   -01:
   The Email Subject Identifier Type describes a subject that is a user
   account associated with an email address.  Subject Identifiers of
   this type MUST contain an "email" claim whose value is a string
   containing the email address of the subject, formatted as an
   "addr-spec" as defined in Section 3.4.1 of [RFC5322].  The "email"
   claim is REQUIRED and MUST NOT be null or empty.  The Email Subject
   Identifier Type is identified by the name "email".

   Below is a non-normative example Subject Identifier for the Email
   Subject Identifier Type:

   {
     "subject_type": "email",
     "email": "user@example.com",
   }

       Figure 1: Example: Subject Identifier for the Email Subject
                             Identifier Type.
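Review bot: Figure 1 is not valid JSON as printed: the last member `"email": "user@example.com",` carries a trailing comma before the closing brace, so a strict parser rejects it (Figures 2 to 4 have the same defect). Drop the comma. Separately, -01 now pins the value to an RFC 5322 addr-spec but says nothing about how a receiver compares two "email" values (case, whitespace, Unicode normalization); since the identifier exists to be matched against an account, the text should say whether comparison is byte-exact or domain-case-insensitive.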
3.2.  Phone Number Subject Identifier Type

   -00:
   The Phone Number Subject Identifier Type describes a subject by
   telephone number.  Subject Identifiers of this type MUST contain a
   "phone" claim whose value is a string containing the full telephone
   number of the subject, including international dialing prefix,
   formatted according to E.164 [E164].  The "phone" claim MUST NOT be
   null or empty.  The Phone Number Subject Identifier Type is
   identified by the name "phone".

   -01:
   The Phone Number Subject Identifier Type describes a subject that is
   a user account associated with a telephone number.  Subject
   Identifiers of this type MUST contain a "phone" claim whose value is
   a string containing the full telephone number of the subject,
   including international dialing prefix, formatted according to E.164
   [E164].  The "phone" claim is REQUIRED and MUST NOT be null or empty.
   The Phone Number Subject Identifier Type is identified by the name
   "phone".

   Below is a non-normative example Subject Identifier for the Email
   Subject Identifier Type:

   {
     "subject_type": "phone",
     "phone": "+1 (206) 555-0100",
   }

     Figure 2: Example: Subject Identifier for the Phone Number Subject
                             Identifier Type.
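Review bot: the Figure 2 value "+1 (206) 555-0100" contradicts the normative text in both versions: an E.164 number is a "+" followed by digits only, with no spaces, parentheses or hyphens, so any validator that enforces the "formatted according to E.164" MUST rejects the spec's own example. Use "+12065550100". The lead-in sentence above the figure also still says "for the Email Subject Identifier Type" in both -00 and -01; it should read Phone Number.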
3.3.  Issuer and Subject Subject Identifier Type

   -00:
   The Issuer and Subject Subject Identifier Type describes a subject by
   an issuer and a subject.  Subject Identifiers of this type MUST
   contain an "iss" claim whose value identifies the issuer, and a "sub"
   claim whose value identifies the subject with respect to the issuer.
   These claims MUST follow the formats of the "iss" claim and "sub"
   claim defined by [JWT], respectively.  Both the "iss" claim and the
   "sub" claim MUST NOT be null or empty.  The Issuer and Subject
   Subject Identifier Type is identified by the name "iss_sub".

   -01:
   The Issuer and Subject Subject Identifier Type describes a subject
   that is an account identified by a pair of "iss" and "sub" claims, as
   defined by [JWT].  These claims MUST follow the formats of the "iss"
   claim and "sub" claim defined by [JWT], respectively.  Both the "iss"
   claim and the "sub" claim are REQUIRED and MUST NOT be null or empty.
   The Issuer and Subject Subject Identifier Type is identified by the
   name "iss-sub".

   Below is a non-normative example Subject Identifier for the Issuer
   and Subject Subject Identifier Type (-00 used "subject_type":
   "iss_sub"):

   {
     "subject_type": "iss-sub",
     "iss": "http://issuer.example.com/",
     "sub": "145234573",
   }

     Figure 3: Example: Subject Identifier for the Issuer and Subject
                        Subject Identifier Type.
3.4.  ID Token Claims Subject Identifier Type

   -00:
   The ID Token Claims Subject Identifier Type describes a subject by a
   subset of the claims from an ID token.  Subject Identifiers of this
   type MUST contain at least one of the following claims:

   email
      An "email" claim, as defined in [IDTOKEN].

   phone_number
      A "phone_number" claim, as defined in [IDTOKEN].

   sub
      A "sub" claim, as defined in [RFC7519].

   If the Subject Identifier contains a "sub" claim, it MUST also
   contain an "iss" claim, as defined in [RFC7519].  The ID Token Claims
   Subject Identifier Type is identified by the name "id_token_claims".

   -01:
   The ID Token Claims Subject Identifier Type describes a subject that
   was the subject of a previously issued ID Token [IDTOKEN].  It is
   intended for use when a variety of identifiers have been shared with
   the party that will be interpreting the Subject Identifier, and it is
   unknown which of those identifiers they require.  This type is
   identified by the name "id-token-claims".

   Subject Identifiers of this type MUST contain at least one of the
   following claims:

   email
      An "email" claim, as defined in [IDTOKEN].  If present, the value
      of this claim MUST NOT be null or empty.

   phone_number
      A "phone_number" claim, as defined in [IDTOKEN].  If present, the
      value of this claim MUST NOT be null or empty.

   sub
      A "sub" claim, as defined in [RFC7519].  If present, the value of
      this claim MUST NOT be null or empty.

   iss
      An "iss" claim, as defined in [RFC7519].  This claim is OPTIONAL,
      unless a "sub" claim in present, in which case it is REQUIRED.  If
      present, its value MUST NOT be null or empty.

   At least one of "email", "phone_number", or "sub" MUST be present.

   Below is a non-normative example Subject Identifier for the ID Token
   Claims Subject Identifier Type (-00 used "subject_type":
   "id_token_claims"):

   {
     "subject_type": "id-token-claims",
     "iss": "http://issuer.example.com/",
     "sub": "145234573",
     "email": "user@example.com",
   }

    Figure 4: Example: Subject Identifier for the ID Token Claims Subject
                             Identifier Type.
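Review bot: typo in the -01 "iss" entry: "unless a "sub" claim in present" should read "is present". The closing sentence "At least one of "email", "phone_number", or "sub" MUST be present." repeats the requirement that opens the claim list; keep one of the two. Section 3.3 cites [JWT] for the "iss" and "sub" formats while this section cites [RFC7519] for the same claims; both reference entries resolve to RFC 7519, so the document should use a single anchor.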
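The rules scattered across Section 3 of draft -01 (exactly one registered "subject_type", no claims other than the ones the type describes, no null or empty values, an RFC 5322 addr-spec for "email", E.164 for "phone", RFC 7519 StringOrURI for "iss" and "sub", and "iss" becoming REQUIRED whenever "sub" appears under "id-token-claims") collected into one receiver-side checker. This is an added example, not text or code from the draft or the secevent working group. It assumes the -01 type names and deliberately rejects the -00 spellings "iss_sub" and "id_token_claims"; the addr-spec test is a dot-atom approximation (quoted local parts and domain literals are not handled), and the sample objects are the draft's Figures 1 to 4 with their trailing commas removed, plus constructed malformed variants.

```python
"""Validate Subject Identifier objects against Section 3 of
draft-ietf-secevent-subject-identifiers-01 (added example, not draft text)."""
import re
from urllib.parse import urlsplit

# Type names registered by draft -01 and the claims each type describes.
# The -00 names "iss_sub" and "id_token_claims" are intentionally absent,
# so identifiers built against -00 fail closed instead of being accepted.
CLAIMS_BY_TYPE = {
    "email": {"email"},
    "phone": {"phone"},
    "iss-sub": {"iss", "sub"},
    "id-token-claims": {"email", "phone_number", "sub", "iss"},
}

# E.164: "+" followed by 2 to 15 digits, no separators, no leading zero.
E164_RE = re.compile(r"^\+[1-9][0-9]{1,14}$")

# Assumption: a dot-atom addr-spec (RFC 5322 section 3.4.1) is enough here;
# quoted local parts and domain literals are rejected by this pattern.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
ADDR_SPEC_RE = re.compile(rf"^{ATEXT}(\.{ATEXT})*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def _is_string_or_uri(value):
    """RFC 7519 StringOrURI: any string, but if it contains ':' it MUST be a URI."""
    return ":" not in value or bool(urlsplit(value).scheme)


def validation_error(obj):
    """Return None if obj is a valid Subject Identifier, else an error message."""
    if not isinstance(obj, dict):
        return "Subject Identifier must be a JSON object"
    subject_type = obj.get("subject_type")
    if not isinstance(subject_type, str) or not subject_type:
        return '"subject_type" must be a non-empty string'
    allowed = CLAIMS_BY_TYPE.get(subject_type)
    if allowed is None:
        return f'"{subject_type}" is not a registered Subject Identifier Type'

    # Section 3: no payload claims other than those the type describes.
    extra = set(obj) - allowed - {"subject_type"}
    if extra:
        return f'claims not described by type "{subject_type}": {sorted(extra)}'

    # Every claim that is present must be a non-empty string.
    for claim in sorted(allowed & set(obj)):
        if not isinstance(obj[claim], str) or obj[claim] == "":
            return f'"{claim}" must be a non-empty string'

    if subject_type == "email":
        if "email" not in obj:
            return '"email" is REQUIRED'
        if not ADDR_SPEC_RE.match(obj["email"]):
            return '"email" is not an RFC 5322 addr-spec'
    elif subject_type == "phone":
        if "phone" not in obj:
            return '"phone" is REQUIRED'
        if not E164_RE.match(obj["phone"]):
            return '"phone" is not in E.164 format (e.g. "+12065550100")'
    elif subject_type == "iss-sub":
        for claim in ("iss", "sub"):
            if claim not in obj:
                return f'"{claim}" is REQUIRED'
            if not _is_string_or_uri(obj[claim]):
                return f'"{claim}" contains ":" but is not a URI'
    else:  # id-token-claims
        if not any(c in obj for c in ("email", "phone_number", "sub")):
            return 'one of "email", "phone_number" or "sub" is REQUIRED'
        if "sub" in obj and "iss" not in obj:
            return '"iss" is REQUIRED when "sub" is present'
        for claim in ("iss", "sub"):
            if claim in obj and not _is_string_or_uri(obj[claim]):
                return f'"{claim}" contains ":" but is not a URI'
    return None


def is_valid(obj):
    return validation_error(obj) is None


# Constructed inputs: Figures 1-4 of the draft (trailing commas removed so
# they parse) plus deliberately malformed variants.
EXAMPLES = [
    {"subject_type": "email", "email": "user@example.com"},
    {"subject_type": "phone", "phone": "+1 (206) 555-0100"},  # Figure 2 as printed
    {"subject_type": "phone", "phone": "+12065550100"},        # same number, E.164
    {"subject_type": "iss-sub", "iss": "http://issuer.example.com/", "sub": "145234573"},
    {"subject_type": "iss_sub", "iss": "http://issuer.example.com/", "sub": "145234573"},
    {"subject_type": "id-token-claims", "sub": "145234573"},   # "sub" without "iss"
    {"subject_type": "id-token-claims", "iss": "http://issuer.example.com/",
     "sub": "145234573", "email": "user@example.com"},
]

if __name__ == "__main__":
    for example in EXAMPLES:
        print(f"{example!r}: {validation_error(example) or 'valid'}")
```

Run as a script, the checker accepts Figures 1, 3 and 4, rejects Figure 2 as printed because the spaces, parentheses and hyphen are not E.164, and rejects the -00 spelling "iss_sub" as unregistered. Rejecting unknown type names rather than ignoring them is the safe default: an identifier whose type a receiver does not understand cannot be matched to an account, so treating it as valid only creates events that silently apply to nobody.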
4.  IANA Considerations
   [skipping to change at page 6, line 47 (-00) / page 7, line 21 (-01)]
   o  Type Name: "email"
   o  Type Description: Subject identifier based on email address.
   o  Change Controller: IETF secevent Working Group
   o  Defining Document(s): Section 3 of this document.

4.1.2.2.  ID Token Claims Subject Identifier Type

   o  Type Name: "id_token_claims"                                 [-00]
      Type Name: "id-token-claims"                                 [-01]
   o  Type Description: Subject identifier based on OpenID Connect ID
      Token claims.
   o  Change Controller: IETF secevent Working Group
   o  Defining Document(s): Section 3 of this document.

4.1.2.3.  Issuer and Subject Subject Identifier Type

   o  Type Name: "iss_sub"                                         [-00]
      Type Name: "iss-sub"                                         [-01]
   o  Type Description: Subject identifier based on an issuer and
      subject.
   o  Change Controller: IETF secevent Working Group
   o  Defining Document(s): Section 3 of this document.

4.1.2.4.  Phone Number Subject Identifier Type
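Review bot: the registry entries were not updated alongside the Section 3 wording in -01: "email" is still described as "Subject identifier based on email address" although 3.1 now defines the subject as a user account associated with an email address, and every entry's "Defining Document(s)" points at "Section 3 of this document" rather than the subsection that actually defines the type (3.1, 3.2, 3.3, 3.4). Expert reviewers and implementers looking up a type name in the registry will land on the wrong section.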
   [skipping to change at page 8, line 42 (-00) / page 9, line 18 (-01)]
   [JWT]      Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
              <https://www.rfc-editor.org/info/rfc7519>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC5322]  Resnick, P., Ed., "Internet Message Format", RFC 5322,
              DOI 10.17487/RFC5322, October 2008,
              <https://www.rfc-editor.org/info/rfc5322>.        [-01 only]

   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
              <https://www.rfc-editor.org/info/rfc7519>.

   [SET]      Hunt, P., Ed., Jones, M., Denniss, W., and M. Ansari,
              "Security Event Token (SET)", RFC 8417,
              DOI 10.17487/RFC8417, July 2018,
              <https://www.rfc-editor.org/info/rfc8417>.
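Review bot: [JWT] and [RFC7519] are two entries for the same document, RFC 7519, and the body cites both ([JWT] in 3.3, [RFC7519] in 3.4). Keep a single anchor and cite it consistently; the [E164], [IDTOKEN] and [JSON] references cited in Section 3 also need to appear in this list.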
Acknowledgements
   [skipping to change at page 9, line 18 (-00) / page 9, line 44 (-01)]
   Working Group.  The authors would like to thank the members of this
   group for their hard work and contributions.
Change Log

   (This section to be removed by the RFC Editor before publication as
   an RFC.)

   Draft 00 - AB - First draft

   Draft 01 - AB:                                                 [-01 only]
   *  Added reference to RFC 5322 for format of "email" claim.
   *  Renamed "iss_sub" type to "iss-sub".
   *  Renamed "id_token_claims" type to "id-token-claims".
   *  Added text specifying the nature of the subjects described by each
      type.
Authors' Addresses

   Annabelle Backman                      (-01: Annabelle Backman (editor))
   Amazon

   Email: richanna@amazon.com

   Marius Scurtescu
   Google

   Email: mscurtescu@google.com
End of changes.  23 change blocks.  44 lines changed or deleted; 68 lines changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/