Identity Events IIW April 2016.

Slides:

Advertisements

Similar presentations

SIP and Instant Messaging. SIP Summit SIP and Instant Messaging What Does Presence Have to Do With SIP? How to Deliver.

Advertisements

VON Europe /19/00 SIP and the Future of VON Protocols SIP and the Future of VON Protocols: Presence and IM Jonathan Rosenberg.

Fall VoN 2000 SIP for IP Communications Jonathan Rosenberg Chief Scientist.

Internet Printing Protocol Extensions BOF IETF46 in Washington, DC November 9, 1999.

Notification Explosion Calendaring –You have a new meeting request –Your meeting begins in 15 minutes SIP –Hello HTTP/WebDAV –A resource you want to edit.

SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.

IETF OAuth Proof-of-Possession

FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

Hannes Tschofenig, Blaine Cook (IETF#79, Beijing).

3GPP Presence Requirements Requirements for Presence Service based on 3GPP specifications and wireless environment characteristics draft-kiss-simple-presence-wireless-

OpenID Connect Update and Discussion Mountain View Summit – September 12, 2011 Mike Jones – Microsoft John Bradley – Independent Nat Sakimura – Nomura.

Basics Dayton Metro Library Place photo here August 10, 2015.

Notification Protocol in MMS June 2001 Erez Reinschmidt, Rami Neudorfer 3GPP TSG-T2 SWG3#7 Braunschweig, Germany June, 2001 T2M

18 th TF-EMC2. WebEx, June 2011 Diego R. Lopez, RedIRIS On the Many Ways to Identity Exchange (Again) Digital identities are more valuable as they are.

XMPP – Extensible Messaging and Presence Protocol Vidya Satyanarayanan.

SCIM Use Cases Phil Hunt, Bhumip Khasnabish, Anthony.

(Business) Process Centric Exchanges

Intended Recipient and Folder Subscription (DSUB extension) 9th January, 2013 Mauro Zanardini (consorzio Arsenàl.IT)

Open Pluggable Edge Services (opes) 61st IETF Meeting Washington, D.C., USA.

FGDC Standards Facilitating data accessibility, and integration Sharon Shin FGDC Metadata Coordinator Air Force Space Command Emergency Services Symposium.

Abierman-netconf-mar07 1 NETCONF WG 68 th IETF Prague, CZ March 19, 2007.

Interworking with an External Dynamic Authorization System Group Name: SEC WG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: SEC#20.2,

ISA 95 Working Group Process Centric Exchanges Gavan W Hood July 23, 2015 GWH 2.1.

E2EKey Resource Group Name: SEC WG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: SEC#20.3, Agenda Item: End-to-End Security.

1 SIPREC Recording Metadata format (draft-ram-siprec-metadata-format- 00) Jan 25-26th SIPREC INTERIM MEETING R Parthasarathi On behalf of the team Team:

SIP file directory draft-garcia-sipping-file-sharing-framework-00.txt draft-garcia-sipping-file-event-package-00.txt draft-garcia-sipping-file-desc-pidf-00.txt.

OAuth WG Blaine Cook, Hannes Tschofenig. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft.

1 Options Clearing Corporation Encore Data Distribution Services April 22, 2004.

I2rs Requirements for NETCONF IETF 93. Requirement Documents

OpenID Connect: An Overview Pat Patterson Developer Evangelist Architect

IETF Provisioning of Symmetric Keys (keyprov) WG Update WG Chairs: Phillip Hallam-Baker Hannes Tschofenig Presentation by Mingliang Pei 05/05/2008.

Web Authorization Protocol WG Hannes Tschofenig, Derek Atkins.

Eclipse Foundation, Inc. Eclipse Open Healthcare Framework v1.0 Interoperability Terminology HL7 v2 / v3 DICOM Archetypes Health Records Capture Storage.

Building Secure Microservices

Key management issues in PGP

Dr. Michael B. Jones Identity Standards Architect at Microsoft

Session-Independent Policies draft-ietf-sipping-session-indep-policy-02 Volker Hilt Jonathan Rosenberg Gonzalo.

Hannes Tschofenig, Derek Atkins

OAuth WG Conference Call, 11th Jan. 2013

Phil Hunt, Hannes Tschofenig

IP-NNI Joint Task Force Status Update

OAuth2 WG User Authentication for Clients

Capability Exchange Requirements

David P. Reed MIT CFP Draft May 2007

Carrying Location Objects in RADIUS

OAuth Assertion Documents

SP Roadmap Identifies “current”, “next”, and possibly “future” releases along with links.

OAuth2 SCIM Client Registration & Software Statement Exchange

Agenda OAuth WG IETF 87 July, 2013.

Configuration Framework draft-ietf-sipping-config-framework-06

iSIP: iTIP over SIP and Using iCalendar with SIP

IP-NNI Joint Task Force Status Update

OpenID Connect Working Group

Working Group Re-charter Draft Charter Reference Materials

OpenID Connect Working Group

ECE 544 Protocol Design Project: Description and Timeline

SCIM Use Case Scenario.

Subject Identifier Types

HingX Project Overview

STIR WG IETF-102 PASSPorT Extension for Resource-Priority Authorization (draft-ietf-stir-rph-06) July 18, 2018 Ray P. Singh, Martin Dolly, Subir Das, and.

WEB SERVICES From Chapter 19, Distributed Systems

OpenID Connect Working Group

OpenID Enhanced Authentication Profile (EAP) Working Group

OpenID Connect Working Group

OpenID Enhanced Authentication Profile (EAP) Working Group

Rifaat Shekh-Yusef IETF105, OAuth WG, Montreal, Canada 26 July 2019

IETF102 Montreal Web Authorization Protocol (OAuth)

JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens-02

Subject Identifiers for Security Event Tokens

Presentation transcript:

Identity Events IIW April 2016

Background IETF94 – Tokyo Informal get together to discuss common standard for OIDC Logout OAuth Revocation OIDF RISC Events SCIM Provisioning Events OIDF HEART Could we use JWT/JOSE to express and transport events?

What's Happening There is an IETF Mailing list called id-event See: https://www.ietf.org/mailman/listinfo/id-event Morteza, William, and Phil presented a new proposal at IETF95 in Buenos Aires (last month) 3 individual draft documents submitted We received informal meeting consensus to form a working group Next step is to agree on a charter (to be posted to id-event list)

Events A proposal to define a common format for expressing events between publishers and subscribers Events describe something that has occurred E.g. Session Logout Token Revocation Account Take-over Provisioning Events (SCIM)

Event Features Minimal data exchange Subscriber independent action Privacy by design Subscriber independent action subscriber decides action if any no state error signalling reverts to normal REST for secondary calls State remain independent and distinct Security and accuracy is improved

Current Drafts

ID Event Drafts draft-hunt-idevent-token Identity Event Tokens based on JWT draft-hunt-idevent-distribution Message format (how to convey one or more) Subscription Metadata E.g. watermarking, detecting and reconciling Delivery Method Registry HTTP POST (Web Callback) HTTP GET (Polling) draft-hunt-idevent-scim Id Event token profile for SCIM

The Identity Event Is just a JWT token JWT attributes Event attributes An EWT or Eee-aughT? JWT attributes jti, iat, nbf, sub, iss, aud iss is publisher, aud is the subscription Event attributes eventUris – the URIs of events contained in the message Each URI may have a JSON object that has event specific information

Example RISC Event The event type RISC Event Data { "jti": "4d3559ec67504aaba65d40b0363faad8", "eventUris":[ "urn:ietf:params:event:RISC:email_reassigned" ], "iat": 1458496404, "iss": "https://scim.example.com", "aud":[ "https://risc.example.com/inbound/5d7604516b1d08641d7676ee7" "sub": "8385937503959", "urn:ietf:params:event:RISC:email_reassigned":{ "email_hash":"39d4c90372a940205hdac835", }} The event type RISC Event Data

Example SCIM Create Event { "jti": "4d3559ec67504aaba65d40b0363faad8", "eventUris":[ "urn:ietf:params:event:SCIM:create" ], "iat": 1458496404, "iss": "https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754", "https://scim.example.com/Feeds/5d7604516b1d08641d7676ee7" "sub": "https://scim.example.com/Users/44f6142df96bd6ab61e7521d9", "urn:ietf:params:event:SCIM:create":{ "attributes":["id","name","userName","emails"], "values":{ "emails":[ {"type":"work","value":"jdoe@example.com"} "userName":"jdoe", "id":"44f6142df96bd6ab61e7521d9", "name":{ "givenName":"John", "familyName":"Doe" } }}} The event type SCIM Event Data

Example Extended Event { "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30", "eventUris":[ "urn:ietf:params:event:SCIM:password", "urn:ietf:params:event:extension:example.com:password" ], "iat": 1458496025, "iss": "https://scim.example.com", "aud":[ "https://jhub.example.com/Feeds/98d52461fa5bbc879593b7754", "https://jhub.example.com/Feeds/5d7604516b1d08641d7676ee7" "sub": "https://scim.example.com/Users/44f6142df96bd6ab61e7521d9", "urn:ietf:params:event:SCIM:password":{ "id":"44f6142df96bd6ab61e7521d9", }, "urn:ietf:params:event:extension:example.com:password":{ "resetAttempts":5 } SCIM Password Reset Event An extension

Event Delivery Message { "eventTkns":[ "eyJhbGciOiJub25lIn0 . eyJwdWJsaXNoZXJVcmkiOiJodHRwczovL3NjaW0uZXhhbXBsZS5jb20iLCJmZWV kVXJpcyI6WyJodHRwczovL2podWIuZXhhbXBsZS5jb20vRmVlZHMvOThkNTI0Nj FmYTViYmM4Nzk1OTNiNzc1NCIsImh0dHBzOi8vamh1Yi5leGFtcGxlLmNvbS9GZ WVkcy81ZDc2MDQ1MTZiMWQwODY0MWQ3Njc2ZWU3Il0sInJlc291cmNlVXJpcyI6 WyJodHRwczovL3NjaW0uZXhhbXBsZS5jb20vVXNlcnMvNDRmNjE0MmRmOTZiZDZ hYjYxZTc1MjFkOSJdLCJldmVudFR5cGVzIjpbIkNSRUFURSJdLCJhdHRyaWJ1dG VzIjpbImlkIiwibmFtZSIsInVzZXJOYW1lIiwicGFzc3dvcmQiLCJlbWFpbHMiX SwidmFsdWVzIjp7ImVtYWlscyI6W3sidHlwZSI6IndvcmsiLCJ2YWx1ZSI6Impk b2VAZXhhbXBsZS5jb20ifV0sInBhc3N3b3JkIjoibm90NHUybm8iLCJ1c2VyTmF tZSI6Impkb2UiLCJpZCI6IjQ0ZjYxNDJkZjk2YmQ2YWI2MWU3NTIxZDkiLCJuYW 1lIjp7ImdpdmVuTmFtZSI6IkpvaG4iLCJmYW1pbHlOYW1lIjoiRG9lIn19fQ ."], "eventCnt":1, "eventPend":false }

Discussion Items Distribution Schemes? One-to-one, One-to-many, Many-to-Many*, P-2-P* Ability to lookup events by date or by etag Issue: Impact on scale and ability to story history vs. audit Ability to detect missing events E.g. each message gives the JTI of the last event delivered – issue: requires state Issued at Time the event happened or JWT issued? Need to distinguish? Privacy Considerations Even the resource identifier may be considered PII Is this a privacy by design, privacy enhancing approach?