Diff of draft-ietf-secevent-subject-identifiers-04.txt against
draft-ietf-secevent-subject-identifiers-05.txt. The text below is the -05
version; where -04 differed, the -04 wording is noted in brackets.

Security Events Working Group                            A. Backman, Ed.
Internet-Draft                                                    Amazon
Intended status: Standards Track                            M. Scurtescu
Expires: January 25, 2020 [-04: January 9, 2020]                Coinbase
                                      July 24, 2019 [-04: July 08, 2019]

Subject Identifiers for Security Event Tokens
draft-ietf-secevent-subject-identifiers-05
[-04: draft-ietf-secevent-subject-identifiers-04]
Abstract

Security events communicated within Security Event Tokens may support
a variety of identifiers to identify the subject and/or other
principals related to the event. This specification formalizes the
notion of subject identifiers as named sets of well-defined claims
describing the subject, a mechanism for representing subject
identifiers within a [JSON] object such as a JSON Web Token [JWT] or
Security Event Token [SET], and a registry for defining and

[unchanged text omitted]
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on January 25, 2020.
[-04: This Internet-Draft will expire on January 9, 2020.]

Copyright Notice

Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents

[unchanged text omitted]
Table of Contents

1. Introduction
2. Notational Conventions
3. Subject Identifiers
   3.1. Account Subject Identifier Type
   3.2. Email Subject Identifier Type
        3.2.1. Email Canonicalization
   3.3. Phone Number Subject Identifier Type
   3.4. Issuer and Subject Subject Identifier Type
   3.5. Aliases Subject Identifier Type
4. Subject Identifiers in JWTs
   4.1. "sub_id" Claim
   4.2. "sub_id" and "iss-sub" Subject Identifiers
5. Privacy Considerations
   5.1. Identifier Correlation
6. Security Considerations
7. IANA Considerations
   7.1. Security Event Subject Identifier Types Registry
        7.1.1. Registration Template
        7.1.2. Initial Registry Contents
        7.1.3. Guidance for Expert Reviewers
   7.2. JSON Web Token Claims Registration
        7.2.1. Registry Contents
8. References
   8.1. Normative References
   8.2. Informative References
Acknowledgements
Change Log
Authors' Addresses
1. Introduction

As described in section 1.2 of [SET], the subject of a security event
may take a variety of forms, including but not limited to a JWT
principal, an IP address, a URL, etc. Furthermore, even in the case
where the subject of an event is more narrowly scoped, there may be

[unchanged text omitted]
algorithms to ensure that email addresses entered by users resolve to
the same canonical string. When receiving an Email Subject
Identifier, the recipient SHOULD use their implementation's
canonicalization algorithm to resolve the email address to the same
subject identifier string used in their system.
3.3. Phone Number Subject Identifier Type

The Phone Number Subject Identifier Type describes a principal
identified with a telephone number. Subject Identifiers of this type
MUST contain a "phone_number" claim whose value is a string
containing the full telephone number of the subject, including
international dialing prefix, formatted according to E.164 [E164].
The "phone_number" claim is REQUIRED and MUST NOT be null or empty.
The Phone Number Subject Identifier Type is identified by the name
"phone-number".

[-04: the claim was named "phone" and the type was identified by the
name "phone"; the rest of the paragraph is unchanged.]
Below is a non-normative example Subject Identifier for the Phone
Number Subject Identifier Type:
{
  "subject_type": "phone-number",
  "phone_number": "+12065550100"
}

[-04: "subject_type": "phone" and a "phone" claim with the same value.]

Figure 3: Example: Subject Identifier for the Phone Number Subject
Identifier Type.
3.4. Issuer and Subject Subject Identifier Type

The Issuer and Subject Subject Identifier Type describes a principal
identified with a pair of "iss" and "sub" claims, as defined by
[JWT]. These claims MUST follow the formats of the "iss" claim and

[unchanged text omitted]
Subject Identifier Type:

{
  "subject_type": "aliases",
  "identifiers": [
    {
      "subject_type": "email",
      "email": "user@example.com"
    },
    {
      "subject_type": "phone-number",
      "phone_number": "+12065550100"
    },
    {
      "subject_type": "email",
      "email": "user+qualifier@example.com"
    }
  ]
}

[-04: the second identifier used "subject_type": "phone" and a "phone"
claim.]

Figure 5: Example: Subject Identifier for the Aliases Subject
Identifier Type.
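As an added example that is not part of the draft, the validator below checks subject identifiers of the shapes shown in Figures 3 and 5 using the -05 names: it enforces the REQUIRED, non-empty "phone_number" claim, applies a simplified E.164 syntax check (an assumption; the draft only references [E164]), requires both "iss" and "sub" for the iss-sub type, rejects an "aliases" identifier nested inside another (the prohibition recorded in the change log), and flags the -04 type name "phone" so a receiver migrating between drafts notices it.

```python
import re

# Simplified E.164 check (an assumption, not from the draft): "+" then 2-15 digits.
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")

def _nonempty_string(value):
    return isinstance(value, str) and value != ""

def validate_subject_identifier(sid, nested=False):
    """Return a list of problems for one subject identifier; [] means valid.
    Uses the -05 names ("phone-number" type, "phone_number" claim)."""
    if not isinstance(sid, dict):
        return ["subject identifier must be a JSON object"]
    problems = []
    subject_type = sid.get("subject_type")
    if subject_type == "phone-number":
        number = sid.get("phone_number")
        if not _nonempty_string(number):
            problems.append('"phone_number" is REQUIRED and MUST NOT be null or empty')
        elif not E164_RE.match(number):
            problems.append(f'"phone_number" {number!r} is not E.164 formatted')
    elif subject_type == "phone":  # -04 spelling, renamed in -05
        problems.append('type "phone" is now "phone-number"; claim "phone" is now "phone_number"')
    elif subject_type == "email":
        if not _nonempty_string(sid.get("email")):
            problems.append('"email" is REQUIRED and MUST NOT be null or empty')
    elif subject_type == "iss-sub":
        for claim in ("iss", "sub"):  # both required; their JWT formats are not checked here
            if not _nonempty_string(sid.get(claim)):
                problems.append(f'"{claim}" is REQUIRED for the iss-sub type')
    elif subject_type == "aliases":
        if nested:
            problems.append('"aliases" MUST NOT be nested inside another "aliases"')
        identifiers = sid.get("identifiers")
        if not isinstance(identifiers, list):
            problems.append('"identifiers" must be an array of subject identifiers')
        else:
            for item in identifiers:
                problems.extend(validate_subject_identifier(item, nested=True))
    else:
        problems.append(f"unknown subject_type {subject_type!r}")
    return problems

# Figures 3 and 5 from the draft, with their trailing commas removed.
PHONE_EXAMPLE = {"subject_type": "phone-number", "phone_number": "+12065550100"}
ALIASES_EXAMPLE = {"subject_type": "aliases", "identifiers": [
    {"subject_type": "email", "email": "user@example.com"},
    PHONE_EXAMPLE,
    {"subject_type": "email", "email": "user+qualifier@example.com"},
]}
```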
[unchanged text omitted]
o Type Description: Subject identifier based on an issuer and
  subject.
o Change Controller: IETF secevent Working Group
o Defining Document(s): Section 3 of this document.

7.1.2.4. Phone Number Subject Identifier Type

o Type Name: "phone-number" [-04: "phone"]
o Type Description: Subject identifier based on a phone number.
o Change Controller: IETF secevent Working Group
o Defining Document(s): Section 3 of this document.

7.1.2.5. Aliases Subject Identifier Type

o Type Name: "aliases"
[unchanged text omitted]
o Updated semantics for "email", "phone", and "iss-sub" types.

Draft 04 - AB:

o Added "sub_id" JWT Claim definition, guidance, examples.
o Added text prohibiting "aliases" nesting.
o Added privacy considerations for identifier correlation.

Draft 05 - AB: [new in -05]

o Renamed the "phone" type to "phone-number" and its "phone" claim
  to "phone_number".
Authors' Addresses

Annabelle Backman (editor)
Amazon
Email: richanna@amazon.com

Marius Scurtescu
Coinbase

End of changes. 12 change blocks. 22 lines changed or deleted, 28 lines changed or added.
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/