Security Events Working Group                            A. Backman, Ed.
Internet-Draft                                                    Amazon
Intended status: Standards Track                            M. Scurtescu
Expires: January 25, 2020 March 8, 2021                                          Coinbase
                                                           July 24, 2019
                                                      September 04, 2020

             Subject Identifiers for Security Event Tokens
               draft-ietf-secevent-subject-identifiers-05
               draft-ietf-secevent-subject-identifiers-06

Abstract

   Security events communicated within Security Event Tokens may support
   a variety of identifiers to identify the subject and/or other
   principals related to the event.  This specification formalizes the
   notion of subject identifiers as named sets of well-defined claims
   describing the subject, a mechanism for representing subject
   identifiers within a [JSON] JSON object such as a JSON Web Token [JWT] (JWT) or
   Security Event Token [SET], (SET), and a registry for defining and
   allocating names for these claim sets.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 25, 2020. March 8, 2021.

Copyright Notice

   Copyright (c) 2019 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Notational Conventions  . . . . . . . . . . . . . . . . . . .   3
   3.  Subject Identifiers   4
     2.1.  Definitions . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Account . .   4
   3.  Subject Identifier Type Identifiers . . . . . . . . . . . . .   3 . . . . . . . .   4
     3.1.  Subject Identifier Types versus Principal Types . . . . .   5
     3.2.  Email  Subject Identifier Type Definitions . . . . . . . . . . .   5
       3.2.1.  Account Subject Identifier Type . . . . . . .   4
       3.2.1.  Email Canonicalization . . . .   6
       3.2.2.  Email Subject Identifier Type . . . . . . . . . . .   4
     3.3. .   6
       3.2.3.  Phone Number Subject Identifier Type  . . . . . . . . . .   5
     3.4.   7
       3.2.4.  Issuer and Subject Subject Identifier Type  . . . . . . .   5
     3.5.   7
       3.2.5.  Aliases Subject Identifier Type . . . . . . . . . . . . .   6   8
   4.  Subject Identifiers in JWTs . . . . . . . . . . . . . . . . .   7   9
     4.1.  "sub_id" Claim  . . . . . . . . . . . . . . . . . . . . .   7   9
     4.2.  "sub_id" and "iss-sub" "iss_sub" Subject Identifiers  . . . . . . .   8  11
   5.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .   9  12
     5.1.  Identifier Correlation  . . . . . . . . . . . . . . . . .   9  12
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  10  12
     6.1.  Confidentiality and Integrity . . . . . . . . . . . . . .  12
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  10  13
     7.1.  Security Event Subject Identifier Types Registry  . . . .  10  13
       7.1.1.  Registry Location . . . . . . . . . . . . . . . . . .  13
       7.1.2.  Registration Template . . . . . . . . . . . . . . . .  10
       7.1.2.  13
       7.1.3.  Initial Registry Contents . . . . . . . . . . . . . .  11
       7.1.3.  14
       7.1.4.  Guidance for Expert Reviewers . . . . . . . . . . . .  12  15
     7.2.  JSON Web Token Claims Registration  . . . . . . . . . . .  12  16
       7.2.1.  Registry Contents . . . . . . . . . . . . . . . . . .  12  16
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  13  16
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  13  16
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  14  17
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  14  17
   Change Log  . . . . . . . . . . . . . . . . . . . . . . . . . . .  14  17
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  15  19

1.  Introduction

   As described in section Section 1.2 of [SET], SET [RFC8417], the subject of a
   security event may take a variety of forms, including but not limited
   to a JWT [RFC7519] principal, an IP address, a URL, etc.
   Furthermore, even in the case where the subject of an event is more
   narrowly scoped, there may be multiple ways by which a given subject
   may be identified.  For example, an account may be identified by an
   opaque identifier, an email address, a phone number, a JWT "iss"
   claim and "sub" claim, etc., depending on the nature and needs of the
   transmitter and receiver.  Even within the context of a given
   transmitter and receiver relationship, it may be appropriate to
   identify different accounts in different ways, for example if some
   accounts only have email addresses associated with them while others
   only have phone numbers.  Therefore it can be necessary to indicate
   within a SET the mechanism by which the subject of the security event
   is being identified.

2.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in

   To address this
   document are to be interpreted as described in [RFC2119].

3. problem, this specification defines Subject
   Identifiers

   A - JSON [RFC7159] objects containing information
   identifying a subject - and Subject Identifier Type is Types - named sets of
   rules describing how to encode different kinds of subject identifying
   information (e.g., an email address, or an issuer and subject pair)
   as a light-weight schema that describes Subject Identifier.

   Below is a
   set non-normative example of claims that identifies a subject.  Every Subject Identifier
   Type MUST have that
   identifies a unique name registered in subject by email address, using the IANA "Security Event Email Subject
   Identifier Types" registry established by Section 7.1.  A Type.

   {
     "subject_type": "email",
     "email": "user@example.com",
   }

       Figure 1: Example: Subject Identifier using the Email Subject
                              Identifier Type MAY describe more claims than

   Subject Identifiers are strictly
   necessary intended to be a general purpose mechanism
   for identifying principals within JSON objects.  Below is a non-
   normative example of a JWT that uses a Subject Identifier in the
   "sub_id" claim (defined in this specification) to identify its
   subject.

   {
     "iss": "issuer.example.com",
     "sub_id": {
       "subject_type": "phone_number",
       "phone_number": "+12065550100",
     },
   }

     Figure 2: Example: JWT using a subject, Subject Identifier with the sub_id
                                   claim

   Below is a non-normative example of a SET containing a hypothetical
   security event describing the interception of a message, using
   Subject Identifiers to identify the sender, intended recipient, and MAY describe conditions under
   which those claims
   interceptor.

   {
     "iss": "issuer.example.com",
     "iat": 1508184845,
     "aud": "aud.example.com",
     "events": {
       "https://secevent.example.com/events/message-interception": {
         "from": {
           "subject_type": "email",
           "email": "alice@example.com",
         },
         "to": {
           "subject_type": "email",
           "email": "bob@example.com",
         },
         "interceptor": {
           "subject_type": "email",
           "email": "eve@example.com",
         },
       },
     },
   }

     Figure 3: Example: SET with an event payload containing multiple
                            Subject Identifiers

2.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are required, optional, or prohibited. to be interpreted as described in [RFC2119].

2.1.  Definitions

   This specification utilizes terminology defined in [RFC7159],
   [RFC7519], and [RFC8417].

3.  Subject Identifiers

   A Subject Identifier is a [JSON] JSON [RFC7159] object containing whose contents may be
   used to identify a principal within some context.  A Subject
   Identifier Type is a named definition of a set of information that
   may be used to identify a principal, and the rules for encoding that
   information as a Subject Identifier.  A Subject Identifier MUST
   conform to a specific Subject Identifier Type, and MUST contain a
   "subject_type"
   claim member whose value is the name of that Subject
   Identifier Type.

   Every Subject Identifier Type MUST have a unique name registered in
   the IANA "Security Event Subject Identifier Type, and Types" registry
   established by Section 7.1, or a set
   of additional "payload claims" which Collision-Resistant Name as defined
   in [RFC7519].  Subject Identifier Types that are expected to be interpreted according
   to the rules defined used
   broadly by that a variety of parties SHOULD be registered in the "Security
   Event Subject Identifier Types" registry.

   A Subject Identifier Type MAY describe more members than are strictly
   necessary to identify a subject, and MAY describe conditions under
   which those members are required, optional, or prohibited.

   Aside from the "subject_type" member whose definition is given above,
   every member within a Subject Identifier Type.  Payload claim
   values MUST match the format
   specified for the claim that member by the Subject Identifier's Subject
   Identifier Type.  A Subject Identifier MUST NOT contain any payload
   claims members
   prohibited or not described by its Subject Identifier Type, and MUST
   contain all payload claims members required by its Subject Identifier Type.

3.1.  Subject Identifier Types versus Principal Types

   A Subject Identifier Type describes a way to identify a principal,
   but does not explicitly indicate the type of that principal (e.g.,
   user, group, network connection, baseball team, astronomic object).
   Consequently Subject Identifiers remove ambiguity around how a
   principal is being identified, and how to parse an identifying
   structure, but they do not remove ambiguity around how to resolve
   that identifier to a principal.  For example, consider a directory
   management API that allows callers to identify users and groups
   through both immutable unique identifiers and mutable email
   addresses.  Such an API could use Subject Identifiers to disambiguate
   between which of these two types of identifiers is in use.  However,
   the service would have to determine whether the principal is a user
   or group via some other means, such as by querying a database or by
   inferring the type from the API contract.

3.2.  Subject Identifier Type Definitions

   The following Subject Identifier Types are registered in the IANA
   "Security Event Subject Identifier Types" registry established by
   Section 7.1.

3.1.

3.2.1.  Account Subject Identifier Type

   The Account Subject Identifier Type describes identifies a user principal using an
   account at a service provider, identified with an "acct" URI as
   defined in [RFC7565].  Subject Identifiers of this type MUST contain
   a "uri"
   claim member whose value is the "acct" URI for the subject.  The
   "uri" claim member is REQUIRED and MUST NOT be null or empty.  The Account
   Subject Identifier Type is identified by the name "account".

   Below is a non-normative example Subject Identifier for the Account
   Subject Identifier Type:

   {
     "subject_type": "account",
     "uri": "acct:example.user@service.example.com",
   }

       Figure 1: 4: Example: Subject Identifier for the Account Subject
                              Identifier Type.

3.2. Type

3.2.2.  Email Subject Identifier Type

   The Email Subject Identifier Type describes identifies a principal identified
   with using an
   email address.  Subject Identifiers of this type MUST contain an
   "email" claim member whose value is a string containing the email address
   of the subject, principal, formatted as an "addr-spec" as defined in
   Section 3.4.1 of [RFC5322].  The "email" claim member is REQUIRED and MUST
   NOT be null or empty.  The value of the "email" claim member SHOULD
   identify a mailbox to which email may be delivered, in accordance
   with [RFC5321].  The Email Subject Identifier Type is identified by
   the name "email".

   Below is a non-normative example Subject Identifier for the Email
   Subject Identifier Type:

   {
     "subject_type": "email",
     "email": "user@example.com",
   }

        Figure 2: 5: Example: Subject Identifier for the Email Subject
                              Identifier Type.

3.2.1. Type

3.2.2.1.  Email Canonicalization

   Many email providers will treat multiple email addresses as
   equivalent.  For example,  While the domain portion of an [RFC5322] email address
   is consistently treated as case-insensitive per [RFC1034], some
   providers treat the local part of the email addresses address as case-
   insensitive as
   case-insensitive, well, and consider "user@example.com",
   "User@example.com", and "USER@example.com" as the same email address.
   This has led users to view these strings as equivalent, driving
   service providers to implement proprietary email canonicalization
   algorithms to ensure that email addresses entered by users resolve to
   the same canonical string.  When receiving an Email Subject
   Identifier, the recipient SHOULD use their implementation's
   canonicalization algorithm to resolve the email address to the same
   subject identifier
   string used in their system.

3.3.

3.2.3.  Phone Number Subject Identifier Type

   The Phone Number Subject Identifier Type describes identifies a principal
   identified with using
   a telephone number.  Subject Identifiers of this type MUST contain a
   "phone_number" claim member whose value is a string containing the full
   telephone number of the subject, principal, including international dialing
   prefix, formatted according to E.164 [E164].  The "phone_number" claim
   member is REQUIRED and MUST NOT be null or empty.  The Phone Number
   Subject Identifier Type is identified by the name
   "phone-number". "phone_number".

   Below is a non-normative example Subject Identifier for the Email
   Subject Identifier Type:

   {
     "subject_type": "phone-number", "phone_number",
     "phone_number": "+12065550100",
   }

    Figure 3: 6: Example: Subject Identifier for the Phone Number Subject
                             Identifier Type.

3.4.

3.2.4.  Issuer and Subject Subject Identifier Type

   The Issuer and Subject Subject Identifier Type describes identifies a principal
   identified with
   using a pair of "iss" and "sub" claims, as defined by
   [JWT].  These members, analagous to how subjects
   are identified using the "iss" and "sub" claims in OpenID Connect
   [OpenID.Core] ID Tokens.  These members MUST follow the formats of
   the "iss" claim member and "sub" claim member defined by [JWT], [RFC7519], respectively.
   Both the "iss" claim member and the "sub" claim member are REQUIRED and MUST NOT
   be null or empty.  The Issuer and Subject Subject Identifier Type is
   identified by the name
   "iss-sub". "iss_sub".

   Below is a non-normative example Subject Identifier for the Issuer
   and Subject Subject Identifier Type:

   {
     "subject_type": "iss-sub", "iss_sub",
     "iss": "http://issuer.example.com/",
     "sub": "145234573",
   }

     Figure 4: 7: Example: Subject Identifier for the Issuer and Subject
                          Subject Identifier Type.

3.5. Type

3.2.5.  Aliases Subject Identifier Type

   The Aliases Subject Identifier Type describes a subject that is
   identified with a list of different Subject Identifiers.  It is
   intended for use when a variety of identifiers have been shared with
   the party that will be interpreting the Subject Identifier, and it is
   unknown which of those identifiers they will recognize or support.
   Subject Identifiers of this type MUST contain an "identifiers" claim member
   whose value is a JSON array containing one or more Subject
   Identifiers.  Each Subject Identifier in the array MUST identify the
   same entity.  The "identifiers" claim member is REQUIRED and MUST NOT be
   null or empty.  It MAY contain multiple instances of the same Subject
   Identifier Type (e.g., multiple Email Subject Identifiers), but
   SHOULD NOT contain exact duplicates.  This type is identified by the
   name "aliases".

   "alias" Subject Identifiers MUST NOT be nested; i.e., the
   "identifiers" claim member of an "alias" Subject Identifier MUST NOT
   contain a Subject Identifier of type "aliases".

   Below is a non-normative example Subject Identifier for the Aliases
   Subject Identifier Type:

   {
     "subject_type": "aliases",
     "identifiers": [
       {
         "subject_type": "email",
         "email": "user@example.com",
       },
       {
         "subject_type": "phone-number", "phone_number",
         "phone_number": "+12065550100",
       },
       {
         "subject_type": "email",
         "email": "user+qualifier@example.com",
       }
     ],
   }

       Figure 5: 8: Example: Subject Identifier for the Aliases Subject
                              Identifier Type. Type

4.  Subject Identifiers in JWTs

4.1.  "sub_id" Claim

   The "sub" JWT Claim is defined in Section 4.1.2 of [RFC7519] as
   containing a string value, and therefore cannot contain a Subject
   Identifier (which is a JSON object) as its value.  This document
   defines the "sub_id" JWT Claim, in accordance with Section 4.2 of [RFC7519].
   [RFC7519], as a common claim that identifies the subject of the JWT
   using a Subject Identifier.  When present, the value of this claim
   MUST be a Subject Identifier that identifies the principal that is
   the subject of the JWT.  The "sub_id" claim MAY be included in a JWT,
   whether or not the "sub" claim is present.  When both the "sub" and
   "sub_id" claims are present in a JWT, they MUST identify the same
   principal.

   Below

   When processing a JWT with both "sub" and "sub_id" claims,
   implementations MUST NOT rely on both claims to determine the
   subject.  An implementation MAY attempt to determine the subject from
   one claim and fall back to using the other if it determines it does
   not understand the format of the first claim.  For example, an
   implementation may attempt to use "sub_id", and fall back to using
   "sub" upon finding that "sub_id" contains a Subject Identifier whose
   type is not recognized by the implementation.

   Below are non-normative examples of JWTs containing the "sub_id"
   claim:

   {
     "iss": "issuer.example.com",
     "sub_id": {
       "subject_type": "email",
       "email": "user@example.com",
     },
   }

   Figure 6: 9: Example: JWT containing a `sub_id` claim and no `sub`
                                  claim. claim

   {
     "iss": "issuer.example.com",
     "sub": "user@example.com",
     "sub_id": {
       "subject_type": "email",
       "email": "user@example.com",
     },
   }

     Figure 7: 10: Example: JWT where both the `sub` and `sub_id` claims
              identify the subject using the same identifier. identifier

   {
     "iss": "issuer.example.com",
     "sub": "user@example.com",
     "sub_id": {
       "subject_type": "email",
       "email": "elizabeth@example.com",
     },
   }

     Figure 8: 11: Example: JWT where both the `sub` and `sub_id` claims
    identify the subject using different values of the same identifier
                                   type.
                                   type

   {
     "iss": "issuer.example.com",
     "sub": "user@example.com",
     "sub_id": {
       "subject_type": "account",
       "uri": "acct:example.user@service.example.com",
     },
   }

   Figure 9: 12: Example: JWT where the `sub` and `sub_id` claims identify
              the subject via different types of identifiers. identifiers

4.2.  "sub_id" and "iss-sub" "iss_sub" Subject Identifiers

   The "sub_id" claim MAY contain an "iss-sub" "iss_sub" Subject Identifier.  In
   this case, the JWT's "iss" claim and the Subject Identifier's "iss"
   claim
   member MAY be different.  For example, an OpenID Connect [OIDC]
   [OpenID.Core] client may construct such a JWT when issuing a JWT back
   to its OpenID Connect Identity Provider, in order to communicate
   information about the services' shared subject principal using an
   identifier the Identity Provider is known to understand.  Similarly,
   the JWT's "sub" claim and the Subject Identifier's "sub" claim member MAY
   be different.  For example, this may be used by an OpenID Connect
   client to communicate the subject principal's local identifier at the
   client back to its Identity Provider.

   Below are non-normative examples of a JWT where the "iss" claims claim and
   "iss" member within the "sub_id" claim are the same, and a JWT where
   they are different.

   {
     "iss": "issuer.example.com",
     "sub_id": {
       "subject_type": "iss-sub", "iss_sub",
       "iss": "issuer.example.com",
       "sub": "example_user",
     },
   }

   Figure 10: 13: Example: JWT with a `iss-sub` `iss_sub` Subject Identifier where JWT
                  issuer and subject issuer are the same. same

   {
     "iss": "client.example.com",
     "sub_id": {
       "subject_type": "iss-sub", "iss_sub",
       "iss": "issuer.example.com",
       "sub": "example_user",
     },
   }

    Figure 11: 14: Example: JWT with an `iss-sub` `iss_sub` Subject Identifier where
              the JWT issuer and subject issuer are different. different

   {
     "iss": "client.example.com",
     "sub": "client_user",
     "sub_id": {
       "subject_type": "iss-sub", "iss_sub",
       "iss": "issuer.example.com",
       "sub": "example_user",
     },
   }

    Figure 12: 15: Example: JWT with an `iss-sub` `iss_sub` Subject Identifier where
    the JWT `iss` and `sub` claims differ from the Subject Identifier's
                          `iss` and `sub` claims. members

5.  Privacy Considerations

5.1.  Identifier Correlation

   The act of presenting two or more identifiers for a single principal
   together (e.g., within an "aliases" Subject Identifier, or via the
   "sub" and "sub_id" JWT claims) may communicate more information about
   the principal than was intended.  For example, the entity to which
   the identifiers are presented, now knows that both identifiers relate
   to the same principal, and may be able to correlate additional data
   based on that.  When transmitting Subject Identifiers, the
   transmitter SHOULD take care that they are only transmitting multiple
   identifiers together when it is known that the recipient already
   knows that the identifiers are related (e.g., because they were
   previously sent to the recipient as claims in an OpenID Connect ID
   Token).
   Token), or when correlation is essential to the use case.

   The considerations described in Section 6 of [RFC8417] also apply
   when Subject Identifiers are used within SETs.  The considerations
   described in Section 12 of [RFC7519] also apply when Subject
   Identifiers are used within JWTs.

6.  Security Considerations

   There

6.1.  Confidentiality and Integrity

   This specification does not define any mechanism for ensuring the
   confidentiality or integrityi of a Subject Identifier.  Where such
   properties are no security considerations. required, implementations MUST use mechanisms provided
   by the containing format (e.g., integrity protecting SETs or JWTs
   using JWS [RFC7515]), or at the transport layer or other layer in the
   application stack (e.g., using TLS [RFC8446]).

   Further considerations regarding confidentiality and integrity of
   SETs can be found in Section 5.1 of [RFC8417].

7.  IANA Considerations

7.1.  Security Event Subject Identifier Types Registry

   This document defines Subject Identifier Types, for which IANA is
   asked to create and maintain a new registry titled "Security Event
   Subject Identifier Types".  Initial values for the Security Event
   Subject Identifier Types registry are given in Section 3.  Future
   assignments are to be made through the Expert Review registration
   policy [BCP26] and shall follow the template presented in
   Section 7.1.2.

   It is suggested that multiple Designated Experts be appointed who are
   able to represent the perspectives of different applications using
   this specification, in order to enable broadly informed review of
   registration decisions.  In cases where a registration decision could
   be perceived as creating a conflict of interest for a particular
   Expert, that Expert should defer to the judgment of the other
   Experts.

7.1.1.

7.1.1.  Registry Location

   (This section to be removed by the RFC Editor before publication as
   an RFC.)

   The authors recommend that the Subject Identifier Types registry be
   located at "https://www.iana.org/assignments/secevent/".

7.1.2.  Registration Template

   Type Name
      The name of the Subject Identifier Type, as described in
      Section 3.  The name MUST be an ASCII string consisting only of
      lower-case characters ("a" - "z"), digits ("0" - "9"), underscores
      ("_"), and hyphens ("-"), and SHOULD NOT exceed 20 characters in
      length.

   Type Description
      A brief description of the Subject Identifier Type.

   Change Controller
      For types defined in documents published by the OpenID Foundation IETF or its
      working groups, list "OpenID Foundation RISC Working
      Group". "IETF".  For all other types, list the name
      of the party responsible for the registration.  Contact
      information such as mailing address, email address, or phone
      number may also be provided.

   Defining Document(s)
      A reference to the document or documents that define the Subject
      Identifier Type.  The definition MUST specify the name, format,
      and meaning of each claim member that may occur within a Subject
      Identifier of the defined type, as well as whether each claim member is
      optional or
      optional, required, prohibited, or the circumstances under which
      the claim
      is optional member may be optional, required, or required. prohibited.  URIs that
      can be used to retrieve copies of each document SHOULD be
      included.

7.1.2.

7.1.3.  Initial Registry Contents

7.1.2.1.

7.1.3.1.  Account Subject Identifier Type

   o  Type Name: "account"

   o  Type Description: Subject identifier based on "acct" URI.

   o  Change Controller: IETF secevent Working Group

   o  Defining Document(s): Section 3 of this document.

7.1.2.2.

7.1.3.2.  Email Subject Identifier Type

   o  Type Name: "email"

   o  Type Description: Subject identifier based on email address.

   o  Change Controller: IETF secevent Working Group

   o  Defining Document(s): Section 3 of this document.

7.1.2.3.

7.1.3.3.  Issuer and Subject Subject Identifier Type

   o  Type Name: "iss-sub" "iss_sub"

   o  Type Description: Subject identifier based on an issuer and
      subject.

   o  Change Controller: IETF secevent Working Group

   o  Defining Document(s): Section 3 of this document.

7.1.2.4.

7.1.3.4.  Phone Number Subject Identifier Type

   o  Type Name: "phone-number" "phone_number"

   o  Type Description: Subject identifier based on an phone number.

   o  Change Controller: IETF secevent Working Group

   o  Defining Document(s): Section 3 of this document.

7.1.2.5.

7.1.3.5.  Aliases Subject Identifier Type

   o  Type Name: "aliases"

   o  Type Description: Subject identifier that groups together multiple
      different subject identifiers for the same subject.

   o  Change Controller: IETF secevent Working Group

   o  Defining Document(s): Section 3 of this document.

7.1.3.

7.1.4.  Guidance for Expert Reviewers

   The Expert Reviewer is expected to review the documentation
   referenced in a registration request to verify its completeness.  The
   Expert Reviewer must base their decision to accept or reject the
   request on a fair and impartial assessment of the request.  If the
   Expert Reviewer has a conflict of interest, such as being an author
   of a defining document referenced by the request, they must recuse
   themselves from the approval process for that request.  In the case
   where a request is rejected, the Expert Reviewer should provide the
   requesting party with a written statement expressing the reason for
   rejection, and be prepared to cite any sources of information that
   went into that decision.

   Subject Identifier Types need not be generally applicable and may be
   highly specific to a particular domain; it is expected that types may
   be registered for niche or industry-specific use cases.  The Expert
   Reviewer should focus on whether the type is thoroughly documented,
   and whether its registration will promote or harm interoperability.
   In most cases, the Expert Reviewer should not approve a request if
   the registration would contribute to confusion, or amount to a
   synonym for an existing type.

7.2.  JSON Web Token Claims Registration

   This document defines the "sub_id" JWT Claim, which IANA is asked to
   register in the "JSON Web Token Claims" registry IANA JSON Web Token
   Claims Registry [IANA.JWT.Claims] established by [SET]. [RFC7519].

7.2.1.  Registry Contents

   o  Claim Name: "sub_id"

   o  Claim Description: Subject Identifier

   o  Change Controller: IESG

   o  Specification Document(s): Section 4.1 of this document.

8.  References

8.1.  Normative References

   [BCP26]    Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

   [E164]     International Telecommunication Union, "The international
              public telecommunication numbering plan", 2010,
              <http://www.itu.int/rec/T-REC-E.164-201011-I/en>.

   [IANA.JWT.Claims]
              IANA, "JSON Web Token Claims", n.d.,
              <http://www.iana.org/assignments/jwt>.

   [JSON]     Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March
              2014, <https://www.rfc-editor.org/info/rfc7159>.

   [JWT]      Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
              <https://www.rfc-editor.org/info/rfc7519>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC5321]  Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
              DOI 10.17487/RFC5321, October 2008,
              <https://www.rfc-editor.org/info/rfc5321>.

   [RFC5322]  Resnick, P., Ed., "Internet Message Format", RFC 5322,
              DOI 10.17487/RFC5322, October 2008,
              <https://www.rfc-editor.org/info/rfc5322>.

   [RFC7159]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March
              2014, <https://www.rfc-editor.org/info/rfc7159>.

   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
              <https://www.rfc-editor.org/info/rfc7519>.

   [RFC7565]  Saint-Andre, P., "The 'acct' URI Scheme", RFC 7565,
              DOI 10.17487/RFC7565, May 2015,
              <https://www.rfc-editor.org/info/rfc7565>.

   [SET]

   [RFC8417]  Hunt, P., Ed., Jones, M., Denniss, W., and M. Ansari,
              "Security Event Token (SET)", RFC 8417,
              DOI 10.17487/RFC8417, July 2018,
              <https://www.rfc-editor.org/info/rfc8417>.

8.2.  Informative References

   [OIDC]

   [OpenID.Core]
              Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and
              C. Mortimore, "OpenID Connect Core 1.0", November 2014,
              <http://openid.net/specs/openid-connect-core-1_0.html>.

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
              <https://www.rfc-editor.org/info/rfc1034>.

   [RFC7515]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
              2015, <https://www.rfc-editor.org/info/rfc7515>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

Acknowledgements

   This document is based on work developed within the OpenID RISC
   Working Group.

   The authors would like to thank the members of this
   group for their hard work the IETF Security
   Events working group, as well as those of the OpenID Shared Signals
   and contributions. Events Working Group, whose work provided the original basis for
   this document.

Change Log

   (This section to be removed by the RFC Editor before publication as
   an RFC.)
   Draft 00 - AB - First draft

   Draft 01 - AB:

   o  Added reference to RFC 5322 for format of "email" claim.

   o  Renamed "iss_sub" type to "iss-sub".

   o  Renamed "id_token_claims" type to "id-token-claims".

   o  Added text specifying the nature of the subjects described by each
      type.

   Draft 02 - AB:

   o  Corrected format of phone numbers in examples.

   o  Updated author info.

   Draft 03 - AB:

   o  Added "account" type for "acct" URIs.

   o  Replaced "id-token-claims" type with "aliases" type.

   o  Added email canonicalization guidance.

   o  Updated semantics for "email", "phone", and "iss-sub" types.

   Draft 04 - AB:

   o  Added "sub_id" JWT Claim definition, guidance, examples.

   o  Added text prohibiting "aliases" nesting.

   o  Added privacy considerations for identifier correlation.

   Draft 05 - AB:

   o  Renamed the "phone" type to "phone-number" and its "phone" claim
      to "phone_number".

   Draft 06 - AB:

   o  Replaced usage of the word "claim" to describe members of a
      Subject Identifier with the word "member", in accordance with
      terminology in RFC7159.

   o  Renamed the "phone-number" type to "phone_number" and "iss-sub" to
      "iss_sub".

   o  Added normative requirements limiting the use of both "sub" and
      "sub_id" claims together when processing a JWT.

   o  Clarified that identifier correlation may be acceptable when it is
      a core part of the use case.

   o  Replaced references to OIDF with IETF in IANA Considerations.

   o  Recommended the appointment of multiple Designated Experts, and a
      location for the Subject Identifier Types registry.

   o  Added "_" to list of allowed characters in the Type Name for
      Subject Identifier Types.

   o  Clarified that Subject Identifiers don't provide confidentiality
      or integrity protection.

   o  Added references to SET, JWT privacy and security considerations.

   o  Added section describing the difference between subject identifier
      type and principal type that hopefully clarifies things and
      doesn't just muddy the water further.

Authors' Addresses

   Annabelle Backman (editor)
   Amazon

   Email: richanna@amazon.com

   Marius Scurtescu
   Coinbase

   Email: marius.scurtescu@coinbase.com