draft-ietf-secevent-subject-identifiers-06.txt   draft-ietf-secevent-subject-identifiers-07.txt 
Security Events Working Group A. Backman, Ed. Security Events Working Group A. Backman, Ed.
Internet-Draft Amazon Internet-Draft Amazon
Intended status: Standards Track M. Scurtescu Intended status: Standards Track M. Scurtescu
Expires: March 8, 2021 Coinbase Expires: September 9, 2021 Coinbase
September 04, 2020 March 08, 2021
Subject Identifiers for Security Event Tokens Subject Identifiers for Security Event Tokens
draft-ietf-secevent-subject-identifiers-06 draft-ietf-secevent-subject-identifiers-07
Abstract Abstract
Security events communicated within Security Event Tokens may support Security events communicated within Security Event Tokens may support
a variety of identifiers to identify the subject and/or other a variety of identifiers to identify subjects related to the event.
principals related to the event. This specification formalizes the This specification formalizes the notion of subject identifiers as
notion of subject identifiers as named sets of well-defined claims structured information that describe a subject, and named formats
describing the subject, a mechanism for representing subject that define the syntax and semantics for encoding subject identifiers
identifiers within a JSON object such as a JSON Web Token (JWT) or as JSON objects. It also defines a registry for defining and
Security Event Token (SET), and a registry for defining and allocating names for such formats, as well as the "sub_id" JSON Web
allocating names for these claim sets. Token (JWT) claim.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 8, 2021. This Internet-Draft will expire on September 9, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Notational Conventions . . . . . . . . . . . . . . . . . . . 4 2. Notational Conventions . . . . . . . . . . . . . . . . . . . 5
2.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4 2.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 5
3. Subject Identifiers . . . . . . . . . . . . . . . . . . . . . 4 3. Subject Identifiers . . . . . . . . . . . . . . . . . . . . . 5
3.1. Subject Identifier Types versus Principal Types . . . . . 5 3.1. Identifier Formats versus Principal Types . . . . . . . . 6
3.2. Subject Identifier Type Definitions . . . . . . . . . . . 5 3.2. Identifier Format Definitions . . . . . . . . . . . . . . 6
3.2.1. Account Subject Identifier Type . . . . . . . . . . . 6 3.2.1. Account Identifier Format . . . . . . . . . . . . . . 6
3.2.2. Email Subject Identifier Type . . . . . . . . . . . . 6 3.2.2. Email Identifier Format . . . . . . . . . . . . . . . 7
3.2.3. Phone Number Subject Identifier Type . . . . . . . . 7 3.2.3. Phone Number Identifier Format . . . . . . . . . . . 7
3.2.4. Issuer and Subject Subject Identifier Type . . . . . 7 3.2.4. Issuer and Subject Identifier Format . . . . . . . . 8
3.2.5. Aliases Subject Identifier Type . . . . . . . . . . . 8 3.2.5. Aliases Identifier Format . . . . . . . . . . . . . . 8
4. Subject Identifiers in JWTs . . . . . . . . . . . . . . . . . 9 3.2.6. Opaque Identifier Format . . . . . . . . . . . . . . 9
4.1. "sub_id" Claim . . . . . . . . . . . . . . . . . . . . . 9 4. Subject Identifiers in JWTs . . . . . . . . . . . . . . . . . 10
4.1. "sub_id" Claim . . . . . . . . . . . . . . . . . . . . . 10
4.2. "sub_id" and "iss_sub" Subject Identifiers . . . . . . . 11 4.2. "sub_id" and "iss_sub" Subject Identifiers . . . . . . . 11
5. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 5. Considerations for Specifications that Define Identifier
5.1. Identifier Correlation . . . . . . . . . . . . . . . . . 12 Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
6. Security Considerations . . . . . . . . . . . . . . . . . . . 12 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 13
6.1. Confidentiality and Integrity . . . . . . . . . . . . . . 12 6.1. Identifier Correlation . . . . . . . . . . . . . . . . . 13
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 7. Security Considerations . . . . . . . . . . . . . . . . . . . 13
7.1. Security Event Subject Identifier Types Registry . . . . 13 7.1. Confidentiality and Integrity . . . . . . . . . . . . . . 13
7.1.1. Registry Location . . . . . . . . . . . . . . . . . . 13 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
7.1.2. Registration Template . . . . . . . . . . . . . . . . 13 8.1. Security Event Identifier Formats Registry . . . . . . . 14
7.1.3. Initial Registry Contents . . . . . . . . . . . . . . 14 8.1.1. Registry Location . . . . . . . . . . . . . . . . . . 14
7.1.4. Guidance for Expert Reviewers . . . . . . . . . . . . 15 8.1.2. Registration Template . . . . . . . . . . . . . . . . 14
7.2. JSON Web Token Claims Registration . . . . . . . . . . . 16 8.1.3. Initial Registry Contents . . . . . . . . . . . . . . 15
7.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 16 8.1.4. Guidance for Expert Reviewers . . . . . . . . . . . . 16
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 8.2. JSON Web Token Claims Registration . . . . . . . . . . . 17
8.1. Normative References . . . . . . . . . . . . . . . . . . 16 8.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 17
8.2. Informative References . . . . . . . . . . . . . . . . . 17 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 17
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 17 9.1. Normative References . . . . . . . . . . . . . . . . . . 17
Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 9.2. Informative References . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 18
Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21
1. Introduction 1. Introduction
As described in Section 1.2 of SET [RFC8417], the subject of a As described in Section 1.2 of SET [RFC8417], subjects related to
security event may take a variety of forms, including but not limited security events may take a variety of forms, including but not
to a JWT [RFC7519] principal, an IP address, a URL, etc. limited to a JWT [RFC7519] principal, an IP address, a URL, etc.
Furthermore, even in the case where the subject of an event is more
narrowly scoped, there may be multiple ways by which a given subject Different types of subjects may need to be identified in different
may be identified. For example, an account may be identified by an ways. (e.g., a host might be identified by an IP or MAC address,
opaque identifier, an email address, a phone number, a JWT "iss" while a user might be identified by an email address) Furthermore,
claim and "sub" claim, etc., depending on the nature and needs of the even in the case where the type of the subject is known, there may be
transmitter and receiver. Even within the context of a given multiple ways by which a given subject may be identified. For
transmitter and receiver relationship, it may be appropriate to example, an account may be identified by an opaque identifier, an
identify different accounts in different ways, for example if some email address, a phone number, a JWT "iss" claim and "sub" claim,
accounts only have email addresses associated with them while others etc., depending on the nature and needs of the transmitter and
only have phone numbers. Therefore it can be necessary to indicate receiver. Even within the context of a given transmitter and
within a SET the mechanism by which the subject of the security event receiver relationship, it may be appropriate to identify different
is being identified. accounts in different ways, for example if some accounts only have
email addresses associated with them while others only have phone
numbers. Therefore it can be necessary to indicate within a SET the
mechanism by which a subject is being identified.
To address this problem, this specification defines Subject To address this problem, this specification defines Subject
Identifiers - JSON [RFC7159] objects containing information Identifiers - JSON [RFC7159] objects containing information
identifying a subject - and Subject Identifier Types - named sets of identifying a subject - and Identifier Formats - named sets of rules
rules describing how to encode different kinds of subject identifying describing how to encode different kinds of subject identifying
information (e.g., an email address, or an issuer and subject pair) information (e.g., an email address, or an issuer and subject pair)
as a Subject Identifier. as a Subject Identifier.
Below is a non-normative example of a Subject Identifier that Below is a non-normative example of a Subject Identifier that
identifies a subject by email address, using the Email Subject identifies a subject by email address, using the Email Identifier
Identifier Type. Format.
{ {
"subject_type": "email", "format": "email",
"email": "user@example.com", "email": "user@example.com",
} }
Figure 1: Example: Subject Identifier using the Email Subject Figure 1: Example: Subject Identifier using the Email Identifier
Identifier Type Format
Subject Identifiers are intended to be a general purpose mechanism Subject Identifiers are intended to be a general purpose mechanism
for identifying principals within JSON objects. Below is a non- for identifying subjects within JSON objects and their usage need not
normative example of a JWT that uses a Subject Identifier in the be limited to SETs. Below is a non-normative example of a JWT that
"sub_id" claim (defined in this specification) to identify its uses a Subject Identifier in the "sub_id" claim (defined in this
subject. specification) to identify the JWT Subject.
{ {
"iss": "issuer.example.com", "iss": "issuer.example.com",
"sub_id": { "sub_id": {
"subject_type": "phone_number", "format": "phone_number",
"phone_number": "+12065550100", "phone_number": "+12065550100",
}, },
} }
Figure 2: Example: JWT using a Subject Identifier with the sub_id Figure 2: Example: JWT using a Subject Identifier with the sub_id
claim claim
Below is a non-normative example of a SET containing a hypothetical Usage of Subject Identifiers also need not be limited to identifying
JWT Subjects. They are intended as a general purpose means of
expressing identifying information in an unambiguous manner. Below
is a non-normative example of a SET containing a hypothetical
security event describing the interception of a message, using security event describing the interception of a message, using
Subject Identifiers to identify the sender, intended recipient, and Subject Identifiers to identify the sender, intended recipient, and
interceptor. interceptor.
{ {
"iss": "issuer.example.com", "iss": "issuer.example.com",
"iat": 1508184845, "iat": 1508184845,
"aud": "aud.example.com", "aud": "aud.example.com",
"events": { "events": {
"https://secevent.example.com/events/message-interception": { "https://secevent.example.com/events/message-interception": {
"from": { "from": {
"subject_type": "email", "format": "email",
"email": "alice@example.com", "email": "alice@example.com",
}, },
"to": { "to": {
"subject_type": "email", "format": "email",
"email": "bob@example.com", "email": "bob@example.com",
}, },
"interceptor": { "interceptor": {
"subject_type": "email", "format": "email",
"email": "eve@example.com", "email": "eve@example.com",
}, },
}, },
}, },
} }
Figure 3: Example: SET with an event payload containing multiple Figure 3: Example: SET with an event payload containing multiple
Subject Identifiers Subject Identifiers
2. Notational Conventions 2. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2.1. Definitions 2.1. Definitions
This specification utilizes terminology defined in [RFC7159], This specification utilizes terminology defined in [RFC7159],
[RFC7519], and [RFC8417]. [RFC7519], and [RFC8417].
Within this specification, the terms "Subject" and "subject" refer
generically to anything being identified via one or more pieces of
information. The term "JWT Subject" refers specifically to the to
the subject of a JWT. (i.e., the subject that the JWT asserts claims
about)
3. Subject Identifiers 3. Subject Identifiers
A Subject Identifier is a JSON [RFC7159] object whose contents may be A Subject Identifier is a JSON [RFC7159] object whose contents may be
used to identify a principal within some context. A Subject used to identify a subject within some context. An Identifier Format
Identifier Type is a named definition of a set of information that is a named definition of a set of information that may be used to
may be used to identify a principal, and the rules for encoding that identify a subject, and the rules for encoding that information as a
information as a Subject Identifier. A Subject Identifier MUST Subject Identifier; they define the syntax and semantics of Subject
conform to a specific Subject Identifier Type, and MUST contain a Identifiers. A Subject Identifier MUST conform to a specific
"subject_type" member whose value is the name of that Subject Identifier Format, and MUST contain a "format" member whose value is
Identifier Type. the name of that Identifier Format.
Every Subject Identifier Type MUST have a unique name registered in Every Identifier Format MUST have a unique name registered in the
the IANA "Security Event Subject Identifier Types" registry IANA "Security Event Identifier Formats" registry established by
established by Section 7.1, or a Collision-Resistant Name as defined Section 8.1, or a Collision-Resistant Name as defined in [RFC7519].
in [RFC7519]. Subject Identifier Types that are expected to be used Identifier Formats that are expected to be used broadly by a variety
broadly by a variety of parties SHOULD be registered in the "Security of parties SHOULD be registered in the "Security Event Identifier
Event Subject Identifier Types" registry. Formats" registry.
A Subject Identifier Type MAY describe more members than are strictly An Identifier Format MAY describe more members than are strictly
necessary to identify a subject, and MAY describe conditions under necessary to identify a subject, and MAY describe conditions under
which those members are required, optional, or prohibited. which those members are required, optional, or prohibited. The
"format" member is reserved for use as described in this
specification; Identifier Formats MUST NOT declare any rules
regarding the "format" member.
Aside from the "subject_type" member whose definition is given above, Every member within a Subject Identifier MUST match the rules
every member within a Subject Identifier MUST match the format specified for that member by this specification or by Subject
specified for that member by the Subject Identifier's Subject Identifier's Identifier Format. A Subject Identifier MUST NOT
Identifier Type. A Subject Identifier MUST NOT contain any members contain any members prohibited or not described by its Identifier
prohibited or not described by its Subject Identifier Type, and MUST Format, and MUST contain all members required by its Identifier
contain all members required by its Subject Identifier Type. Format.
3.1. Subject Identifier Types versus Principal Types 3.1. Identifier Formats versus Principal Types
A Subject Identifier Type describes a way to identify a principal, Identifier Formats define how to encode identifying information for a
but does not explicitly indicate the type of that principal (e.g., subject. They do not define the type or nature of the subject
user, group, network connection, baseball team, astronomic object). itself. E.g., While the "email" Identifier Format declares that the
Consequently Subject Identifiers remove ambiguity around how a value of the "email" member is an email address, a subject in a
principal is being identified, and how to parse an identifying Security Event that is identified by an "email" Subject Identifier
structure, but they do not remove ambiguity around how to resolve could be an end user who controls that email address, the mailbox
that identifier to a principal. For example, consider a directory itself, or anything else that the transmitter and receiver both
management API that allows callers to identify users and groups understand to be associated with that email address. Consequently
through both immutable unique identifiers and mutable email Subject Identifiers remove ambiguity around how a subject is being
addresses. Such an API could use Subject Identifiers to disambiguate identified, and how to parse an identifying structure, but do not
between which of these two types of identifiers is in use. However, remove ambiguity around how to resolve that identifier to a subject.
the service would have to determine whether the principal is a user For example, consider a directory management API that allows callers
or group via some other means, such as by querying a database or by to identify users and groups through both opaque unique identifiers
inferring the type from the API contract. and email addresses. Such an API could use Subject Identifiers to
disambiguate between which of these two types of identifiers is in
use. However, the API would have to determine whether the subject is
a user or group via some other means, such as by querying a database,
interpreting other parameters in the request, or inferring the type
from the API contract.
3.2. Subject Identifier Type Definitions 3.2. Identifier Format Definitions
The following Subject Identifier Types are registered in the IANA The following Identifier Formats are registered in the IANA "Security
"Security Event Subject Identifier Types" registry established by Event Identifier Formats" registry established by Section 8.1.
Section 7.1.
3.2.1. Account Subject Identifier Type 3.2.1. Account Identifier Format
The Account Subject Identifier Type identifies a principal using an The Account Identifier Format identifies a subject using an account
account at a service provider, identified with an "acct" URI as at a service provider, identified with an "acct" URI as defined in
defined in [RFC7565]. Subject Identifiers of this type MUST contain [RFC7565]. Subject Identifiers in this format MUST contain a "uri"
a "uri" member whose value is the "acct" URI for the subject. The member whose value is the "acct" URI for the subject. The "uri"
"uri" member is REQUIRED and MUST NOT be null or empty. The Account member is REQUIRED and MUST NOT be null or empty. The Account
Subject Identifier Type is identified by the name "account". Identifier Format is identified by the name "account".
Below is a non-normative example Subject Identifier for the Account Below is a non-normative example Subject Identifier for the Account
Subject Identifier Type: Identifier Format:
{ {
"subject_type": "account", "format": "account",
"uri": "acct:example.user@service.example.com", "uri": "acct:example.user@service.example.com",
} }
Figure 4: Example: Subject Identifier for the Account Subject Figure 4: Example: Subject Identifier for the Account Identifier
Identifier Type Format
3.2.2. Email Subject Identifier Type 3.2.2. Email Identifier Format
The Email Subject Identifier Type identifies a principal using an The Email Identifier Format identifies a subject using an email
email address. Subject Identifiers of this type MUST contain an address. Subject Identifiers in this format MUST contain an "email"
"email" member whose value is a string containing the email address member whose value is a string containing the email address of the
of the principal, formatted as an "addr-spec" as defined in subject, formatted as an "addr-spec" as defined in Section 3.4.1 of
Section 3.4.1 of [RFC5322]. The "email" member is REQUIRED and MUST [RFC5322]. The "email" member is REQUIRED and MUST NOT be null or
NOT be null or empty. The value of the "email" member SHOULD empty. The value of the "email" member SHOULD identify a mailbox to
identify a mailbox to which email may be delivered, in accordance which email may be delivered, in accordance with [RFC5321]. The
with [RFC5321]. The Email Subject Identifier Type is identified by Email Identifier Format is identified by the name "email".
the name "email".
Below is a non-normative example Subject Identifier for the Email Below is a non-normative example Subject Identifier in the Email
Subject Identifier Type: Identifier Format:
{ {
"subject_type": "email", "format": "email",
"email": "user@example.com", "email": "user@example.com",
} }
Figure 5: Example: Subject Identifier for the Email Subject Figure 5: Example: Subject Identifier in the Email Identifier Format
Identifier Type
3.2.2.1. Email Canonicalization 3.2.2.1. Email Canonicalization
Many email providers will treat multiple email addresses as Many email providers will treat multiple email addresses as
equivalent. While the domain portion of an [RFC5322] email address equivalent. While the domain portion of an [RFC5322] email address
is consistently treated as case-insensitive per [RFC1034], some is consistently treated as case-insensitive per [RFC1034], some
providers treat the local part of the email address as case- providers treat the local part of the email address as case-
insensitive as well, and consider "user@example.com", insensitive as well, and consider "user@example.com",
"User@example.com", and "USER@example.com" as the same email address. "User@example.com", and "USER@example.com" as the same email address.
This has led users to view these strings as equivalent, driving This has led users to view these strings as equivalent, driving
service providers to implement proprietary email canonicalization service providers to implement proprietary email canonicalization
algorithms to ensure that email addresses entered by users resolve to algorithms to ensure that email addresses entered by users resolve to
the same canonical string. When receiving an Email Subject the same canonical string. When receiving an Email Subject
Identifier, the recipient SHOULD use their implementation's Identifier, the recipient SHOULD use their implementation's
canonicalization algorithm to resolve the email address to the same canonicalization algorithm to resolve the email address to the same
string used in their system. string used in their system.
3.2.3. Phone Number Subject Identifier Type 3.2.3. Phone Number Identifier Format
The Phone Number Subject Identifier Type identifies a principal using The Phone Number Identifier Format identifies a subject using a
a telephone number. Subject Identifiers of this type MUST contain a telephone number. Subject Identifiers in this format MUST contain a
"phone_number" member whose value is a string containing the full "phone_number" member whose value is a string containing the full
telephone number of the principal, including international dialing telephone number of the subject, including international dialing
prefix, formatted according to E.164 [E164]. The "phone_number" prefix, formatted according to E.164 [E164]. The "phone_number"
member is REQUIRED and MUST NOT be null or empty. The Phone Number member is REQUIRED and MUST NOT be null or empty. The Phone Number
Subject Identifier Type is identified by the name "phone_number". Identifier Format is identified by the name "phone_number".
Below is a non-normative example Subject Identifier for the Email Below is a non-normative example Subject Identifier in the Email
Subject Identifier Type: Identifier Format:
{ {
"subject_type": "phone_number", "format": "phone_number",
"phone_number": "+12065550100", "phone_number": "+12065550100",
} }
Figure 6: Example: Subject Identifier for the Phone Number Subject Figure 6: Example: Subject Identifier in the Phone Number Identifier
Identifier Type. Format.
3.2.4. Issuer and Subject Subject Identifier Type 3.2.4. Issuer and Subject Identifier Format
The Issuer and Subject Subject Identifier Type identifies a principal The Issuer and Subject Identifier Format identifies a subject using a
using a pair of "iss" and "sub" members, analagous to how subjects pair of "iss" and "sub" members, analagous to how subjects are
are identified using the "iss" and "sub" claims in OpenID Connect identified using the "iss" and "sub" claims in OpenID Connect
[OpenID.Core] ID Tokens. These members MUST follow the formats of [OpenID.Core] ID Tokens. These members MUST follow the formats of
the "iss" member and "sub" member defined by [RFC7519], respectively. the "iss" member and "sub" member defined by [RFC7519], respectively.
Both the "iss" member and the "sub" member are REQUIRED and MUST NOT Both the "iss" member and the "sub" member are REQUIRED and MUST NOT
be null or empty. The Issuer and Subject Subject Identifier Type is be null or empty. The Issuer and Subject Identifier Format is
identified by the name "iss_sub". identified by the name "iss_sub".
Below is a non-normative example Subject Identifier for the Issuer Below is a non-normative example Subject Identifier in the Issuer and
and Subject Subject Identifier Type: Subject Identifier Format:
{ {
"subject_type": "iss_sub", "format": "iss_sub",
"iss": "http://issuer.example.com/", "iss": "http://issuer.example.com/",
"sub": "145234573", "sub": "145234573",
} }
Figure 7: Example: Subject Identifier for the Issuer and Subject Figure 7: Example: Subject Identifier in the Issuer and Subject
Subject Identifier Type Identifier Format
3.2.5. Aliases Subject Identifier Type 3.2.5. Aliases Identifier Format
The Aliases Subject Identifier Type describes a subject that is The Aliases Identifier Format describes a subject that is identified
identified with a list of different Subject Identifiers. It is with a list of different Subject Identifiers. It is intended for use
intended for use when a variety of identifiers have been shared with when a variety of identifiers have been shared with the party that
the party that will be interpreting the Subject Identifier, and it is will be interpreting the Subject Identifier, and it is unknown which
unknown which of those identifiers they will recognize or support. of those identifiers they will recognize or support. Subject
Subject Identifiers of this type MUST contain an "identifiers" member Identifiers in this format MUST contain an "identifiers" member whose
whose value is a JSON array containing one or more Subject value is a JSON array containing one or more Subject Identifiers.
Identifiers. Each Subject Identifier in the array MUST identify the Each Subject Identifier in the array MUST identify the same entity.
same entity. The "identifiers" member is REQUIRED and MUST NOT be The "identifiers" member is REQUIRED and MUST NOT be null or empty.
null or empty. It MAY contain multiple instances of the same Subject It MAY contain multiple instances of the same Identifier Format
Identifier Type (e.g., multiple Email Subject Identifiers), but (e.g., multiple Email Subject Identifiers), but SHOULD NOT contain
SHOULD NOT contain exact duplicates. This type is identified by the exact duplicates. This type is identified by the name "aliases".
name "aliases".
"alias" Subject Identifiers MUST NOT be nested; i.e., the "alias" Subject Identifiers MUST NOT be nested; i.e., the
"identifiers" member of an "alias" Subject Identifier MUST NOT "identifiers" member of an "alias" Subject Identifier MUST NOT
contain a Subject Identifier of type "aliases". contain a Subject Identifier of type "aliases".
Below is a non-normative example Subject Identifier for the Aliases Below is a non-normative example Subject Identifier in the Aliases
Subject Identifier Type: Identifier Format:
{ {
"subject_type": "aliases", "format": "aliases",
"identifiers": [ "identifiers": [
{ {
"subject_type": "email", "format": "email",
"email": "user@example.com", "email": "user@example.com",
}, },
{ {
"subject_type": "phone_number", "format": "phone_number",
"phone_number": "+12065550100", "phone_number": "+12065550100",
}, },
{ {
"subject_type": "email", "format": "email",
"email": "user+qualifier@example.com", "email": "user+qualifier@example.com",
} }
], ],
} }
Figure 8: Example: Subject Identifier for the Aliases Subject Figure 8: Example: Subject Identifier in the Aliases Identifier
Identifier Type Format
3.2.6. Opaque Identifier Format
The Opaque Identifier Format describes a subject that is identified
with a string with no semantics asserted beyond its usage as an
identifier for the subject, such as a UUID or hash used as a
surrogate identifier for a record in a database. Subject Identifiers
in this format MUST contain an "id" member whose value is a JSON
string containing the opaque string identifier for the subject. The
"id" member is REQUIRED and MUST NOT be null or empty. The Opaque
Identifier Format is identified by the name "opaque".
Below is a non-normative example Subject Identifier in the Opaque
Identifier Format:
{
"format": "opaque",
"id": "11112222333344445555",
}
Figure 9: Example: Subject Identifier in the Opaque Identifier Format
4. Subject Identifiers in JWTs 4. Subject Identifiers in JWTs
4.1. "sub_id" Claim 4.1. "sub_id" Claim
The "sub" JWT Claim is defined in Section 4.1.2 of [RFC7519] as The "sub" JWT Claim is defined in Section 4.1.2 of [RFC7519] as
containing a string value, and therefore cannot contain a Subject containing a string value, and therefore cannot contain a Subject
Identifier (which is a JSON object) as its value. This document Identifier (which is a JSON object) as its value. This document
defines the "sub_id" JWT Claim, in accordance with Section 4.2 of defines the "sub_id" JWT Claim, in accordance with Section 4.2 of
[RFC7519], as a common claim that identifies the subject of the JWT [RFC7519], as a common claim that identifies the JWT Subject using a
using a Subject Identifier. When present, the value of this claim Subject Identifier. When present, the value of this claim MUST be a
MUST be a Subject Identifier that identifies the principal that is Subject Identifier that identifies the subject of the JWT. The
the subject of the JWT. The "sub_id" claim MAY be included in a JWT, "sub_id" claim MAY be included in a JWT, whether or not the "sub"
whether or not the "sub" claim is present. When both the "sub" and claim is present. When both the "sub" and "sub_id" claims are
"sub_id" claims are present in a JWT, they MUST identify the same present in a JWT, they MUST identify the same subject, as a JWT has
principal. one and only one JWT Subject.
When processing a JWT with both "sub" and "sub_id" claims, When processing a JWT with both "sub" and "sub_id" claims,
implementations MUST NOT rely on both claims to determine the implementations MUST NOT rely on both claims to determine the JWT
subject. An implementation MAY attempt to determine the subject from Subject. An implementation MAY attempt to determine the JWT Subject
one claim and fall back to using the other if it determines it does from one claim and fall back to using the other if it determines it
not understand the format of the first claim. For example, an does not understand the format of the first claim. For example, an
implementation may attempt to use "sub_id", and fall back to using implementation may attempt to use "sub_id", and fall back to using
"sub" upon finding that "sub_id" contains a Subject Identifier whose "sub" upon finding that "sub_id" contains a Subject Identifier whose
type is not recognized by the implementation. type is not recognized by the implementation.
Below are non-normative examples of JWTs containing the "sub_id" Below are non-normative examples of JWTs containing the "sub_id"
claim: claim:
{ {
"iss": "issuer.example.com", "iss": "issuer.example.com",
"sub_id": { "sub_id": {
"subject_type": "email", "format": "email",
"email": "user@example.com", "email": "user@example.com",
}, },
} }
Figure 9: Example: JWT containing a `sub_id` claim and no `sub` claim Figure 10: Example: JWT containing a `sub_id` claim and no `sub`
claim
{ {
"iss": "issuer.example.com", "iss": "issuer.example.com",
"sub": "user@example.com", "sub": "user@example.com",
"sub_id": { "sub_id": {
"subject_type": "email", "format": "email",
"email": "user@example.com", "email": "user@example.com",
}, },
} }
Figure 10: Example: JWT where both the `sub` and `sub_id` claims Figure 11: Example: JWT where both the `sub` and `sub_id` claims
identify the subject using the same identifier identify the JWT Subject using the same identifier
{ {
"iss": "issuer.example.com", "iss": "issuer.example.com",
"sub": "user@example.com", "sub": "user@example.com",
"sub_id": { "sub_id": {
"subject_type": "email", "format": "email",
"email": "elizabeth@example.com", "email": "elizabeth@example.com",
}, },
} }
Figure 11: Example: JWT where both the `sub` and `sub_id` claims Figure 12: Example: JWT where both the `sub` and `sub_id` claims
identify the subject using different values of the same identifier identify the JWT Subject using different values of the same
type identifier type
{ {
"iss": "issuer.example.com", "iss": "issuer.example.com",
"sub": "user@example.com", "sub": "user@example.com",
"sub_id": { "sub_id": {
"subject_type": "account", "format": "account",
"uri": "acct:example.user@service.example.com", "uri": "acct:example.user@service.example.com",
}, },
} }
Figure 12: Example: JWT where the `sub` and `sub_id` claims identify Figure 13: Example: JWT where the `sub` and `sub_id` claims identify
the subject via different types of identifiers the JWT Subject via different types of identifiers
4.2. "sub_id" and "iss_sub" Subject Identifiers 4.2. "sub_id" and "iss_sub" Subject Identifiers
The "sub_id" claim MAY contain an "iss_sub" Subject Identifier. In The "sub_id" claim MAY contain an "iss_sub" Subject Identifier. In
this case, the JWT's "iss" claim and the Subject Identifier's "iss" this case, the JWT's "iss" claim and the Subject Identifier's "iss"
member MAY be different. For example, an OpenID Connect member MAY be different. For example, in OpenID Connect
[OpenID.Core] client may construct such a JWT when issuing a JWT back [OpenID.Core] client may construct such a JWT when sending JWTs back
to its OpenID Connect Identity Provider, in order to communicate to its OpenID Connect Identity Provider, in order to identify the JWT
information about the services' shared subject principal using an Subject using an identifier known to be understood by both parties.
identifier the Identity Provider is known to understand. Similarly, Similarly, the JWT's "sub" claim and the Subject Identifier's "sub"
the JWT's "sub" claim and the Subject Identifier's "sub" member MAY member MAY be different. For example, this may be used by an OpenID
be different. For example, this may be used by an OpenID Connect Connect client to communicate the JWT Subject's local identifier at
client to communicate the subject principal's local identifier at the the client back to its Identity Provider.
client back to its Identity Provider.
Below are non-normative examples of a JWT where the "iss" claim and Below are non-normative examples of a JWT where the "iss" claim and
"iss" member within the "sub_id" claim are the same, and a JWT where "iss" member within the "sub_id" claim are the same, and a JWT where
they are different. they are different.
{ {
"iss": "issuer.example.com", "iss": "issuer.example.com",
"sub_id": { "sub_id": {
"subject_type": "iss_sub", "format": "iss_sub",
"iss": "issuer.example.com", "iss": "issuer.example.com",
"sub": "example_user", "sub": "example_user",
}, },
} }
Figure 13: Example: JWT with a `iss_sub` Subject Identifier where JWT Figure 14: Example: JWT with a `iss_sub` Subject Identifier where JWT
issuer and subject issuer are the same issuer and JWT Subject issuer are the same
{ {
"iss": "client.example.com", "iss": "client.example.com",
"sub_id": { "sub_id": {
"subject_type": "iss_sub", "format": "iss_sub",
"iss": "issuer.example.com", "iss": "issuer.example.com",
"sub": "example_user", "sub": "example_user",
}, },
} }
Figure 14: Example: JWT with an `iss_sub` Subject Identifier where Figure 15: Example: JWT with an `iss_sub` Subject Identifier where
the JWT issuer and subject issuer are different the JWT issuer and JWT Subject issuer are different
{ {
"iss": "client.example.com", "iss": "client.example.com",
"sub": "client_user", "sub": "client_user",
"sub_id": { "sub_id": {
"subject_type": "iss_sub", "format": "iss_sub",
"iss": "issuer.example.com", "iss": "issuer.example.com",
"sub": "example_user", "sub": "example_user",
}, },
} }
Figure 15: Example: JWT with an `iss_sub` Subject Identifier where Figure 16: Example: JWT with an `iss_sub` Subject Identifier where
the JWT `iss` and `sub` claims differ from the Subject Identifier's the JWT `iss` and `sub` claims differ from the JWT Subject's `iss`
`iss` and `sub` members and `sub` members
5. Privacy Considerations 5. Considerations for Specifications that Define Identifier Formats
5.1. Identifier Correlation Identifier Format definitions MUST NOT make assertions or
declarations regarding the subject being identified by the Subject
Identifier (e.g., an Identifier Format cannot be defined as
specifically identifying human end users), as such statements are
outside the scope of Identifier Formats and Subject Identifiers, and
expanding that scope for some Identifier Formats but not others would
harm interoperability, as applications that depend on this expanded
scope to disambiguate the subject type would be unable to use
Identifier Formats that do not provide such rules.
The act of presenting two or more identifiers for a single principal 6. Privacy Considerations
6.1. Identifier Correlation
The act of presenting two or more identifiers for a single subject
together (e.g., within an "aliases" Subject Identifier, or via the together (e.g., within an "aliases" Subject Identifier, or via the
"sub" and "sub_id" JWT claims) may communicate more information about "sub" and "sub_id" JWT claims) may communicate more information about
the principal than was intended. For example, the entity to which the subject than was intended. For example, the entity to which the
the identifiers are presented, now knows that both identifiers relate identifiers are presented now knows that both identifiers relate to
to the same principal, and may be able to correlate additional data the same subject, and may be able to correlate additional data based
based on that. When transmitting Subject Identifiers, the on that. When transmitting Subject Identifiers, the transmitter
transmitter SHOULD take care that they are only transmitting multiple SHOULD take care that they are only transmitting multiple identifiers
identifiers together when it is known that the recipient already together when it is known that the recipient already knows that the
knows that the identifiers are related (e.g., because they were identifiers are related (e.g., because they were previously sent to
previously sent to the recipient as claims in an OpenID Connect ID the recipient as claims in an OpenID Connect ID Token), or when
Token), or when correlation is essential to the use case. correlation is essential to the use case.
The considerations described in Section 6 of [RFC8417] also apply The considerations described in Section 6 of [RFC8417] also apply
when Subject Identifiers are used within SETs. The considerations when Subject Identifiers are used within SETs. The considerations
described in Section 12 of [RFC7519] also apply when Subject described in Section 12 of [RFC7519] also apply when Subject
Identifiers are used within JWTs. Identifiers are used within JWTs.
6. Security Considerations 7. Security Considerations
6.1. Confidentiality and Integrity 7.1. Confidentiality and Integrity
This specification does not define any mechanism for ensuring the This specification does not define any mechanism for ensuring the
confidentiality or integrityi of a Subject Identifier. Where such confidentiality or integrityi of a Subject Identifier. Where such
properties are required, implementations MUST use mechanisms provided properties are required, implementations MUST use mechanisms provided
by the containing format (e.g., integrity protecting SETs or JWTs by the containing format (e.g., integrity protecting SETs or JWTs
using JWS [RFC7515]), or at the transport layer or other layer in the using JWS [RFC7515]), or at the transport layer or other layer in the
application stack (e.g., using TLS [RFC8446]). application stack (e.g., using TLS [RFC8446]).
Further considerations regarding confidentiality and integrity of Further considerations regarding confidentiality and integrity of
SETs can be found in Section 5.1 of [RFC8417]. SETs can be found in Section 5.1 of [RFC8417].
7. IANA Considerations 8. IANA Considerations
7.1. Security Event Subject Identifier Types Registry 8.1. Security Event Identifier Formats Registry
This document defines Subject Identifier Types, for which IANA is This document defines Identifier Formats, for which IANA is asked to
asked to create and maintain a new registry titled "Security Event create and maintain a new registry titled "Security Event Identifier
Subject Identifier Types". Initial values for the Security Event Formats". Initial values for the Security Event Identifier Formats
Subject Identifier Types registry are given in Section 3. Future registry are given in Section 3. Future assignments are to be made
assignments are to be made through the Expert Review registration through the Expert Review registration policy [BCP26] and shall
policy [BCP26] and shall follow the template presented in follow the template presented in Section 8.1.2.
Section 7.1.2.
It is suggested that multiple Designated Experts be appointed who are It is suggested that multiple Designated Experts be appointed who are
able to represent the perspectives of different applications using able to represent the perspectives of different applications using
this specification, in order to enable broadly informed review of this specification, in order to enable broadly informed review of
registration decisions. In cases where a registration decision could registration decisions. In cases where a registration decision could
be perceived as creating a conflict of interest for a particular be perceived as creating a conflict of interest for a particular
Expert, that Expert should defer to the judgment of the other Expert, that Expert should defer to the judgment of the other
Experts. Experts.
7.1.1. Registry Location 8.1.1. Registry Location
(This section to be removed by the RFC Editor before publication as (This section to be removed by the RFC Editor before publication as
an RFC.) an RFC.)
The authors recommend that the Subject Identifier Types registry be The authors recommend that the Identifier Formats registry be located
located at "https://www.iana.org/assignments/secevent/". at "https://www.iana.org/assignments/secevent/".
7.1.2. Registration Template 8.1.2. Registration Template
Type Name Type Name
The name of the Subject Identifier Type, as described in The name of the Identifier Format, as described in Section 3. The
Section 3. The name MUST be an ASCII string consisting only of name MUST be an ASCII string consisting only of lower-case
lower-case characters ("a" - "z"), digits ("0" - "9"), underscores characters ("a" - "z"), digits ("0" - "9"), underscores ("_"), and
("_"), and hyphens ("-"), and SHOULD NOT exceed 20 characters in hyphens ("-"), and SHOULD NOT exceed 20 characters in length.
length.
Type Description Type Description
A brief description of the Subject Identifier Type. A brief description of the Identifier Format.
Change Controller Change Controller
For types defined in documents published by the IETF or its For types defined in documents published by the IETF or its
working groups, list "IETF". For all other types, list the name working groups, list "IETF". For all other types, list the name
of the party responsible for the registration. Contact of the party responsible for the registration. Contact
information such as mailing address, email address, or phone information such as mailing address, email address, or phone
number may also be provided. number may also be provided.
Defining Document(s) Defining Document(s)
A reference to the document or documents that define the Subject A reference to the document or documents that define the
Identifier Type. The definition MUST specify the name, format, Identifier Format. The definition MUST specify the name, format,
and meaning of each member that may occur within a Subject and meaning of each member that may occur within a Subject
Identifier of the defined type, as well as whether each member is Identifier of the defined type, as well as whether each member is
optional, required, prohibited, or the circumstances under which optional, required, prohibited, or the circumstances under which
the member may be optional, required, or prohibited. URIs that the member may be optional, required, or prohibited. URIs that
can be used to retrieve copies of each document SHOULD be can be used to retrieve copies of each document SHOULD be
included. included.
7.1.3. Initial Registry Contents 8.1.3. Initial Registry Contents
7.1.3.1. Account Subject Identifier Type 8.1.3.1. Account Identifier Format
o Type Name: "account" o Type Name: "account"
o Type Description: Subject identifier based on "acct" URI. o Type Description: Subject identifier based on "acct" URI.
o Change Controller: IETF o Change Controller: IETF
o Defining Document(s): Section 3 of this document. o Defining Document(s): Section 3 of this document.
7.1.3.2. Email Subject Identifier Type 8.1.3.2. Email Identifier Format
o Type Name: "email" o Type Name: "email"
o Type Description: Subject identifier based on email address. o Type Description: Subject identifier based on email address.
o Change Controller: IETF o Change Controller: IETF
o Defining Document(s): Section 3 of this document. o Defining Document(s): Section 3 of this document.
7.1.3.3. Issuer and Subject Subject Identifier Type 8.1.3.3. Issuer and Subject Identifier Format
o Type Name: "iss_sub" o Type Name: "iss_sub"
o Type Description: Subject identifier based on an issuer and o Type Description: Subject identifier based on an issuer and
subject. subject.
o Change Controller: IETF o Change Controller: IETF
o Defining Document(s): Section 3 of this document. o Defining Document(s): Section 3 of this document.
7.1.3.4. Phone Number Subject Identifier Type 8.1.3.4. Phone Number Identifier Format
o Type Name: "phone_number" o Type Name: "phone_number"
o Type Description: Subject identifier based on an phone number. o Type Description: Subject identifier based on an phone number.
o Change Controller: IETF o Change Controller: IETF
o Defining Document(s): Section 3 of this document. o Defining Document(s): Section 3 of this document.
7.1.3.5. Aliases Subject Identifier Type 8.1.3.5. Aliases Identifier Format
o Type Name: "aliases" o Type Name: "aliases"
o Type Description: Subject identifier that groups together multiple o Type Description: Subject identifier that groups together multiple
different subject identifiers for the same subject. different subject identifiers for the same subject.
o Change Controller: IETF o Change Controller: IETF
o Defining Document(s): Section 3 of this document. o Defining Document(s): Section 3 of this document.
7.1.4. Guidance for Expert Reviewers 8.1.3.6. Opaque Identifier Format
o Type Name: "opaque"
o Type Description: Subject identifier based on an opaque string.
o Change Controller: IETF
o Defining Document(s): Section 3 of this document.
8.1.4. Guidance for Expert Reviewers
The Expert Reviewer is expected to review the documentation The Expert Reviewer is expected to review the documentation
referenced in a registration request to verify its completeness. The referenced in a registration request to verify its completeness. The
Expert Reviewer must base their decision to accept or reject the Expert Reviewer must base their decision to accept or reject the
request on a fair and impartial assessment of the request. If the request on a fair and impartial assessment of the request. If the
Expert Reviewer has a conflict of interest, such as being an author Expert Reviewer has a conflict of interest, such as being an author
of a defining document referenced by the request, they must recuse of a defining document referenced by the request, they must recuse
themselves from the approval process for that request. In the case themselves from the approval process for that request. In the case
where a request is rejected, the Expert Reviewer should provide the where a request is rejected, the Expert Reviewer should provide the
requesting party with a written statement expressing the reason for requesting party with a written statement expressing the reason for
rejection, and be prepared to cite any sources of information that rejection, and be prepared to cite any sources of information that
went into that decision. went into that decision.
Subject Identifier Types need not be generally applicable and may be Identifier Formats need not be generally applicable and may be highly
highly specific to a particular domain; it is expected that types may specific to a particular domain; it is expected that types may be
be registered for niche or industry-specific use cases. The Expert registered for niche or industry-specific use cases. The Expert
Reviewer should focus on whether the type is thoroughly documented, Reviewer should focus on whether the type is thoroughly documented,
and whether its registration will promote or harm interoperability. and whether its registration will promote or harm interoperability.
In most cases, the Expert Reviewer should not approve a request if In most cases, the Expert Reviewer should not approve a request if
the registration would contribute to confusion, or amount to a the registration would contribute to confusion, or amount to a
synonym for an existing type. synonym for an existing type.
7.2. JSON Web Token Claims Registration 8.2. JSON Web Token Claims Registration
This document defines the "sub_id" JWT Claim, which IANA is asked to This document defines the "sub_id" JWT Claim, which IANA is asked to
register in the "JSON Web Token Claims" registry IANA JSON Web Token register in the "JSON Web Token Claims" registry IANA JSON Web Token
Claims Registry [IANA.JWT.Claims] established by [RFC7519]. Claims Registry [IANA.JWT.Claims] established by [RFC7519].
7.2.1. Registry Contents 8.2.1. Registry Contents
o Claim Name: "sub_id" o Claim Name: "sub_id"
o Claim Description: Subject Identifier o Claim Description: Subject Identifier
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): Section 4.1 of this document. o Specification Document(s): Section 4.1 of this document.
8. References 9. References
8.1. Normative References 9.1. Normative References
[BCP26] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [BCP26] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
[E164] International Telecommunication Union, "The international [E164] International Telecommunication Union, "The international
public telecommunication numbering plan", 2010, public telecommunication numbering plan", 2010,
<http://www.itu.int/rec/T-REC-E.164-201011-I/en>. <http://www.itu.int/rec/T-REC-E.164-201011-I/en>.
skipping to change at page 17, line 22 skipping to change at page 18, line 22
[RFC7565] Saint-Andre, P., "The 'acct' URI Scheme", RFC 7565, [RFC7565] Saint-Andre, P., "The 'acct' URI Scheme", RFC 7565,
DOI 10.17487/RFC7565, May 2015, DOI 10.17487/RFC7565, May 2015,
<https://www.rfc-editor.org/info/rfc7565>. <https://www.rfc-editor.org/info/rfc7565>.
[RFC8417] Hunt, P., Ed., Jones, M., Denniss, W., and M. Ansari, [RFC8417] Hunt, P., Ed., Jones, M., Denniss, W., and M. Ansari,
"Security Event Token (SET)", RFC 8417, "Security Event Token (SET)", RFC 8417,
DOI 10.17487/RFC8417, July 2018, DOI 10.17487/RFC8417, July 2018,
<https://www.rfc-editor.org/info/rfc8417>. <https://www.rfc-editor.org/info/rfc8417>.
8.2. Informative References 9.2. Informative References
[OpenID.Core] [OpenID.Core]
Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and
C. Mortimore, "OpenID Connect Core 1.0", November 2014, C. Mortimore, "OpenID Connect Core 1.0", November 2014,
<http://openid.net/specs/openid-connect-core-1_0.html>. <http://openid.net/specs/openid-connect-core-1_0.html>.
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<https://www.rfc-editor.org/info/rfc1034>. <https://www.rfc-editor.org/info/rfc1034>.
skipping to change at page 19, line 31 skipping to change at page 20, line 31
o Clarified that Subject Identifiers don't provide confidentiality o Clarified that Subject Identifiers don't provide confidentiality
or integrity protection. or integrity protection.
o Added references to SET, JWT privacy and security considerations. o Added references to SET, JWT privacy and security considerations.
o Added section describing the difference between subject identifier o Added section describing the difference between subject identifier
type and principal type that hopefully clarifies things and type and principal type that hopefully clarifies things and
doesn't just muddy the water further. doesn't just muddy the water further.
Draft 07 - AB:
o Emphasized that the spec is about identifiers, not the things they
identify:
* Renamed "Subject Identifier Type" to "Identifier Format".
* Renamed "subject_type" to "format".
* Renamed "Security Event Subject Identifier Type Registry" to
"Security Event Identifier Format Registry".
* Added new section with guidance for specs defining Identifier
Formats, with normative prohibition on formats that describe
the subject itself, rather than the identifier.
o Clarified the meaning of "subject":
* Defined "subject" as applying generically and "JWT Subject" as
applying specifically to the subject of a JWT.
* Replaced most instances of the word "principal" with "subject".
o Added "opaque" Identifier Format
Authors' Addresses Authors' Addresses
Annabelle Backman (editor) Annabelle Backman (editor)
Amazon Amazon
Email: richanna@amazon.com Email: richanna@amazon.com
Marius Scurtescu Marius Scurtescu
Coinbase Coinbase
 End of changes. 106 change blocks. 
274 lines changed or deleted 358 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/