| < draft-ietf-secevent-subject-identifiers-06.txt | draft-ietf-secevent-subject-identifiers-07.txt > | |||
|---|---|---|---|---|
| Security Events Working Group A. Backman, Ed. | Security Events Working Group A. Backman, Ed. | |||
| Internet-Draft Amazon | Internet-Draft Amazon | |||
| Intended status: Standards Track M. Scurtescu | Intended status: Standards Track M. Scurtescu | |||
| Expires: March 8, 2021 Coinbase | Expires: September 9, 2021 Coinbase | |||
| September 04, 2020 | March 08, 2021 | |||
| Subject Identifiers for Security Event Tokens | Subject Identifiers for Security Event Tokens | |||
| draft-ietf-secevent-subject-identifiers-06 | draft-ietf-secevent-subject-identifiers-07 | |||
| Abstract | Abstract | |||
| Security events communicated within Security Event Tokens may support | Security events communicated within Security Event Tokens may support | |||
| a variety of identifiers to identify the subject and/or other | a variety of identifiers to identify subjects related to the event. | |||
| principals related to the event. This specification formalizes the | This specification formalizes the notion of subject identifiers as | |||
| notion of subject identifiers as named sets of well-defined claims | structured information that describe a subject, and named formats | |||
| describing the subject, a mechanism for representing subject | that define the syntax and semantics for encoding subject identifiers | |||
| identifiers within a JSON object such as a JSON Web Token (JWT) or | as JSON objects. It also defines a registry for defining and | |||
| Security Event Token (SET), and a registry for defining and | allocating names for such formats, as well as the "sub_id" JSON Web | |||
| allocating names for these claim sets. | Token (JWT) claim. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 8, 2021. | This Internet-Draft will expire on September 9, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Notational Conventions . . . . . . . . . . . . . . . . . . . 4 | 2. Notational Conventions . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4 | 2.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. Subject Identifiers . . . . . . . . . . . . . . . . . . . . . 4 | 3. Subject Identifiers . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3.1. Subject Identifier Types versus Principal Types . . . . . 5 | 3.1. Identifier Formats versus Principal Types . . . . . . . . 6 | |||
| 3.2. Subject Identifier Type Definitions . . . . . . . . . . . 5 | 3.2. Identifier Format Definitions . . . . . . . . . . . . . . 6 | |||
| 3.2.1. Account Subject Identifier Type . . . . . . . . . . . 6 | 3.2.1. Account Identifier Format . . . . . . . . . . . . . . 6 | |||
| 3.2.2. Email Subject Identifier Type . . . . . . . . . . . . 6 | 3.2.2. Email Identifier Format . . . . . . . . . . . . . . . 7 | |||
| 3.2.3. Phone Number Subject Identifier Type . . . . . . . . 7 | 3.2.3. Phone Number Identifier Format . . . . . . . . . . . 7 | |||
| 3.2.4. Issuer and Subject Subject Identifier Type . . . . . 7 | 3.2.4. Issuer and Subject Identifier Format . . . . . . . . 8 | |||
| 3.2.5. Aliases Subject Identifier Type . . . . . . . . . . . 8 | 3.2.5. Aliases Identifier Format . . . . . . . . . . . . . . 8 | |||
| 4. Subject Identifiers in JWTs . . . . . . . . . . . . . . . . . 9 | 3.2.6. Opaque Identifier Format . . . . . . . . . . . . . . 9 | |||
| 4.1. "sub_id" Claim . . . . . . . . . . . . . . . . . . . . . 9 | 4. Subject Identifiers in JWTs . . . . . . . . . . . . . . . . . 10 | |||
| 4.1. "sub_id" Claim . . . . . . . . . . . . . . . . . . . . . 10 | ||||
| 4.2. "sub_id" and "iss_sub" Subject Identifiers . . . . . . . 11 | 4.2. "sub_id" and "iss_sub" Subject Identifiers . . . . . . . 11 | |||
| 5. Privacy Considerations . . . . . . . . . . . . . . . . . . . 12 | 5. Considerations for Specifications that Define Identifier | |||
| 5.1. Identifier Correlation . . . . . . . . . . . . . . . . . 12 | Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 13 | |||
| 6.1. Confidentiality and Integrity . . . . . . . . . . . . . . 12 | 6.1. Identifier Correlation . . . . . . . . . . . . . . . . . 13 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | |||
| 7.1. Security Event Subject Identifier Types Registry . . . . 13 | 7.1. Confidentiality and Integrity . . . . . . . . . . . . . . 13 | |||
| 7.1.1. Registry Location . . . . . . . . . . . . . . . . . . 13 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.1.2. Registration Template . . . . . . . . . . . . . . . . 13 | 8.1. Security Event Identifier Formats Registry . . . . . . . 14 | |||
| 7.1.3. Initial Registry Contents . . . . . . . . . . . . . . 14 | 8.1.1. Registry Location . . . . . . . . . . . . . . . . . . 14 | |||
| 7.1.4. Guidance for Expert Reviewers . . . . . . . . . . . . 15 | 8.1.2. Registration Template . . . . . . . . . . . . . . . . 14 | |||
| 7.2. JSON Web Token Claims Registration . . . . . . . . . . . 16 | 8.1.3. Initial Registry Contents . . . . . . . . . . . . . . 15 | |||
| 7.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 16 | 8.1.4. Guidance for Expert Reviewers . . . . . . . . . . . . 16 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 | 8.2. JSON Web Token Claims Registration . . . . . . . . . . . 17 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 16 | 8.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 17 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 17 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 17 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 17 | |||
| Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 | 9.2. Informative References . . . . . . . . . . . . . . . . . 18 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21 | ||||
| 1. Introduction | 1. Introduction | |||
| As described in Section 1.2 of SET [RFC8417], the subject of a | As described in Section 1.2 of SET [RFC8417], subjects related to | |||
| security event may take a variety of forms, including but not limited | security events may take a variety of forms, including but not | |||
| to a JWT [RFC7519] principal, an IP address, a URL, etc. | limited to a JWT [RFC7519] principal, an IP address, a URL, etc. | |||
| Furthermore, even in the case where the subject of an event is more | ||||
| narrowly scoped, there may be multiple ways by which a given subject | Different types of subjects may need to be identified in different | |||
| may be identified. For example, an account may be identified by an | ways. (e.g., a host might be identified by an IP or MAC address, | |||
| opaque identifier, an email address, a phone number, a JWT "iss" | while a user might be identified by an email address) Furthermore, | |||
| claim and "sub" claim, etc., depending on the nature and needs of the | even in the case where the type of the subject is known, there may be | |||
| transmitter and receiver. Even within the context of a given | multiple ways by which a given subject may be identified. For | |||
| transmitter and receiver relationship, it may be appropriate to | example, an account may be identified by an opaque identifier, an | |||
| identify different accounts in different ways, for example if some | email address, a phone number, a JWT "iss" claim and "sub" claim, | |||
| accounts only have email addresses associated with them while others | etc., depending on the nature and needs of the transmitter and | |||
| only have phone numbers. Therefore it can be necessary to indicate | receiver. Even within the context of a given transmitter and | |||
| within a SET the mechanism by which the subject of the security event | receiver relationship, it may be appropriate to identify different | |||
| is being identified. | accounts in different ways, for example if some accounts only have | |||
| email addresses associated with them while others only have phone | ||||
| numbers. Therefore it can be necessary to indicate within a SET the | ||||
| mechanism by which a subject is being identified. | ||||
| To address this problem, this specification defines Subject | To address this problem, this specification defines Subject | |||
| Identifiers - JSON [RFC7159] objects containing information | Identifiers - JSON [RFC7159] objects containing information | |||
| identifying a subject - and Subject Identifier Types - named sets of | identifying a subject - and Identifier Formats - named sets of rules | |||
| rules describing how to encode different kinds of subject identifying | describing how to encode different kinds of subject identifying | |||
| information (e.g., an email address, or an issuer and subject pair) | information (e.g., an email address, or an issuer and subject pair) | |||
| as a Subject Identifier. | as a Subject Identifier. | |||
| Below is a non-normative example of a Subject Identifier that | Below is a non-normative example of a Subject Identifier that | |||
| identifies a subject by email address, using the Email Subject | identifies a subject by email address, using the Email Identifier | |||
| Identifier Type. | Format. | |||
| { | { | |||
| "subject_type": "email", | "format": "email", | |||
| "email": "user@example.com", | "email": "user@example.com", | |||
| } | } | |||
| Figure 1: Example: Subject Identifier using the Email Subject | Figure 1: Example: Subject Identifier using the Email Identifier | |||
| Identifier Type | Format | |||
| Subject Identifiers are intended to be a general purpose mechanism | Subject Identifiers are intended to be a general purpose mechanism | |||
| for identifying principals within JSON objects. Below is a non- | for identifying subjects within JSON objects and their usage need not | |||
| normative example of a JWT that uses a Subject Identifier in the | be limited to SETs. Below is a non-normative example of a JWT that | |||
| "sub_id" claim (defined in this specification) to identify its | uses a Subject Identifier in the "sub_id" claim (defined in this | |||
| subject. | specification) to identify the JWT Subject. | |||
| { | { | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub_id": { | "sub_id": { | |||
| "subject_type": "phone_number", | "format": "phone_number", | |||
| "phone_number": "+12065550100", | "phone_number": "+12065550100", | |||
| }, | }, | |||
| } | } | |||
| Figure 2: Example: JWT using a Subject Identifier with the sub_id | Figure 2: Example: JWT using a Subject Identifier with the sub_id | |||
| claim | claim | |||
| Below is a non-normative example of a SET containing a hypothetical | Usage of Subject Identifiers also need not be limited to identifying | |||
| JWT Subjects. They are intended as a general purpose means of | ||||
| expressing identifying information in an unambiguous manner. Below | ||||
| is a non-normative example of a SET containing a hypothetical | ||||
| security event describing the interception of a message, using | security event describing the interception of a message, using | |||
| Subject Identifiers to identify the sender, intended recipient, and | Subject Identifiers to identify the sender, intended recipient, and | |||
| interceptor. | interceptor. | |||
| { | { | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "iat": 1508184845, | "iat": 1508184845, | |||
| "aud": "aud.example.com", | "aud": "aud.example.com", | |||
| "events": { | "events": { | |||
| "https://secevent.example.com/events/message-interception": { | "https://secevent.example.com/events/message-interception": { | |||
| "from": { | "from": { | |||
| "subject_type": "email", | "format": "email", | |||
| "email": "alice@example.com", | "email": "alice@example.com", | |||
| }, | }, | |||
| "to": { | "to": { | |||
| "subject_type": "email", | "format": "email", | |||
| "email": "bob@example.com", | "email": "bob@example.com", | |||
| }, | }, | |||
| "interceptor": { | "interceptor": { | |||
| "subject_type": "email", | "format": "email", | |||
| "email": "eve@example.com", | "email": "eve@example.com", | |||
| }, | }, | |||
| }, | }, | |||
| }, | }, | |||
| } | } | |||
| Figure 3: Example: SET with an event payload containing multiple | Figure 3: Example: SET with an event payload containing multiple | |||
| Subject Identifiers | Subject Identifiers | |||
| 2. Notational Conventions | 2. Notational Conventions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 2.1. Definitions | 2.1. Definitions | |||
| This specification utilizes terminology defined in [RFC7159], | This specification utilizes terminology defined in [RFC7159], | |||
| [RFC7519], and [RFC8417]. | [RFC7519], and [RFC8417]. | |||
| Within this specification, the terms "Subject" and "subject" refer | ||||
| generically to anything being identified via one or more pieces of | ||||
| information. The term "JWT Subject" refers specifically to the to | ||||
| the subject of a JWT. (i.e., the subject that the JWT asserts claims | ||||
| about) | ||||
| 3. Subject Identifiers | 3. Subject Identifiers | |||
| A Subject Identifier is a JSON [RFC7159] object whose contents may be | A Subject Identifier is a JSON [RFC7159] object whose contents may be | |||
| used to identify a principal within some context. A Subject | used to identify a subject within some context. An Identifier Format | |||
| Identifier Type is a named definition of a set of information that | is a named definition of a set of information that may be used to | |||
| may be used to identify a principal, and the rules for encoding that | identify a subject, and the rules for encoding that information as a | |||
| information as a Subject Identifier. A Subject Identifier MUST | Subject Identifier; they define the syntax and semantics of Subject | |||
| conform to a specific Subject Identifier Type, and MUST contain a | Identifiers. A Subject Identifier MUST conform to a specific | |||
| "subject_type" member whose value is the name of that Subject | Identifier Format, and MUST contain a "format" member whose value is | |||
| Identifier Type. | the name of that Identifier Format. | |||
| Every Subject Identifier Type MUST have a unique name registered in | Every Identifier Format MUST have a unique name registered in the | |||
| the IANA "Security Event Subject Identifier Types" registry | IANA "Security Event Identifier Formats" registry established by | |||
| established by Section 7.1, or a Collision-Resistant Name as defined | Section 8.1, or a Collision-Resistant Name as defined in [RFC7519]. | |||
| in [RFC7519]. Subject Identifier Types that are expected to be used | Identifier Formats that are expected to be used broadly by a variety | |||
| broadly by a variety of parties SHOULD be registered in the "Security | of parties SHOULD be registered in the "Security Event Identifier | |||
| Event Subject Identifier Types" registry. | Formats" registry. | |||
| A Subject Identifier Type MAY describe more members than are strictly | An Identifier Format MAY describe more members than are strictly | |||
| necessary to identify a subject, and MAY describe conditions under | necessary to identify a subject, and MAY describe conditions under | |||
| which those members are required, optional, or prohibited. | which those members are required, optional, or prohibited. The | |||
| "format" member is reserved for use as described in this | ||||
| specification; Identifier Formats MUST NOT declare any rules | ||||
| regarding the "format" member. | ||||
| Aside from the "subject_type" member whose definition is given above, | Every member within a Subject Identifier MUST match the rules | |||
| every member within a Subject Identifier MUST match the format | specified for that member by this specification or by Subject | |||
| specified for that member by the Subject Identifier's Subject | Identifier's Identifier Format. A Subject Identifier MUST NOT | |||
| Identifier Type. A Subject Identifier MUST NOT contain any members | contain any members prohibited or not described by its Identifier | |||
| prohibited or not described by its Subject Identifier Type, and MUST | Format, and MUST contain all members required by its Identifier | |||
| contain all members required by its Subject Identifier Type. | Format. | |||
| 3.1. Subject Identifier Types versus Principal Types | 3.1. Identifier Formats versus Principal Types | |||
| A Subject Identifier Type describes a way to identify a principal, | Identifier Formats define how to encode identifying information for a | |||
| but does not explicitly indicate the type of that principal (e.g., | subject. They do not define the type or nature of the subject | |||
| user, group, network connection, baseball team, astronomic object). | itself. E.g., While the "email" Identifier Format declares that the | |||
| Consequently Subject Identifiers remove ambiguity around how a | value of the "email" member is an email address, a subject in a | |||
| principal is being identified, and how to parse an identifying | Security Event that is identified by an "email" Subject Identifier | |||
| structure, but they do not remove ambiguity around how to resolve | could be an end user who controls that email address, the mailbox | |||
| that identifier to a principal. For example, consider a directory | itself, or anything else that the transmitter and receiver both | |||
| management API that allows callers to identify users and groups | understand to be associated with that email address. Consequently | |||
| through both immutable unique identifiers and mutable email | Subject Identifiers remove ambiguity around how a subject is being | |||
| addresses. Such an API could use Subject Identifiers to disambiguate | identified, and how to parse an identifying structure, but do not | |||
| between which of these two types of identifiers is in use. However, | remove ambiguity around how to resolve that identifier to a subject. | |||
| the service would have to determine whether the principal is a user | For example, consider a directory management API that allows callers | |||
| or group via some other means, such as by querying a database or by | to identify users and groups through both opaque unique identifiers | |||
| inferring the type from the API contract. | and email addresses. Such an API could use Subject Identifiers to | |||
| disambiguate between which of these two types of identifiers is in | ||||
| use. However, the API would have to determine whether the subject is | ||||
| a user or group via some other means, such as by querying a database, | ||||
| interpreting other parameters in the request, or inferring the type | ||||
| from the API contract. | ||||
| 3.2. Subject Identifier Type Definitions | 3.2. Identifier Format Definitions | |||
| The following Subject Identifier Types are registered in the IANA | The following Identifier Formats are registered in the IANA "Security | |||
| "Security Event Subject Identifier Types" registry established by | Event Identifier Formats" registry established by Section 8.1. | |||
| Section 7.1. | ||||
| 3.2.1. Account Subject Identifier Type | 3.2.1. Account Identifier Format | |||
| The Account Subject Identifier Type identifies a principal using an | The Account Identifier Format identifies a subject using an account | |||
| account at a service provider, identified with an "acct" URI as | at a service provider, identified with an "acct" URI as defined in | |||
| defined in [RFC7565]. Subject Identifiers of this type MUST contain | [RFC7565]. Subject Identifiers in this format MUST contain a "uri" | |||
| a "uri" member whose value is the "acct" URI for the subject. The | member whose value is the "acct" URI for the subject. The "uri" | |||
| "uri" member is REQUIRED and MUST NOT be null or empty. The Account | member is REQUIRED and MUST NOT be null or empty. The Account | |||
| Subject Identifier Type is identified by the name "account". | Identifier Format is identified by the name "account". | |||
| Below is a non-normative example Subject Identifier for the Account | Below is a non-normative example Subject Identifier for the Account | |||
| Subject Identifier Type: | Identifier Format: | |||
| { | { | |||
| "subject_type": "account", | "format": "account", | |||
| "uri": "acct:example.user@service.example.com", | "uri": "acct:example.user@service.example.com", | |||
| } | } | |||
| Figure 4: Example: Subject Identifier for the Account Subject | Figure 4: Example: Subject Identifier for the Account Identifier | |||
| Identifier Type | Format | |||
| 3.2.2. Email Subject Identifier Type | 3.2.2. Email Identifier Format | |||
| The Email Subject Identifier Type identifies a principal using an | The Email Identifier Format identifies a subject using an email | |||
| email address. Subject Identifiers of this type MUST contain an | address. Subject Identifiers in this format MUST contain an "email" | |||
| "email" member whose value is a string containing the email address | member whose value is a string containing the email address of the | |||
| of the principal, formatted as an "addr-spec" as defined in | subject, formatted as an "addr-spec" as defined in Section 3.4.1 of | |||
| Section 3.4.1 of [RFC5322]. The "email" member is REQUIRED and MUST | [RFC5322]. The "email" member is REQUIRED and MUST NOT be null or | |||
| NOT be null or empty. The value of the "email" member SHOULD | empty. The value of the "email" member SHOULD identify a mailbox to | |||
| identify a mailbox to which email may be delivered, in accordance | which email may be delivered, in accordance with [RFC5321]. The | |||
| with [RFC5321]. The Email Subject Identifier Type is identified by | Email Identifier Format is identified by the name "email". | |||
| the name "email". | ||||
| Below is a non-normative example Subject Identifier for the Email | Below is a non-normative example Subject Identifier in the Email | |||
| Subject Identifier Type: | Identifier Format: | |||
| { | { | |||
| "subject_type": "email", | "format": "email", | |||
| "email": "user@example.com", | "email": "user@example.com", | |||
| } | } | |||
| Figure 5: Example: Subject Identifier for the Email Subject | Figure 5: Example: Subject Identifier in the Email Identifier Format | |||
| Identifier Type | ||||
| 3.2.2.1. Email Canonicalization | 3.2.2.1. Email Canonicalization | |||
| Many email providers will treat multiple email addresses as | Many email providers will treat multiple email addresses as | |||
| equivalent. While the domain portion of an [RFC5322] email address | equivalent. While the domain portion of an [RFC5322] email address | |||
| is consistently treated as case-insensitive per [RFC1034], some | is consistently treated as case-insensitive per [RFC1034], some | |||
| providers treat the local part of the email address as case- | providers treat the local part of the email address as case- | |||
| insensitive as well, and consider "user@example.com", | insensitive as well, and consider "user@example.com", | |||
| "User@example.com", and "USER@example.com" as the same email address. | "User@example.com", and "USER@example.com" as the same email address. | |||
| This has led users to view these strings as equivalent, driving | This has led users to view these strings as equivalent, driving | |||
| service providers to implement proprietary email canonicalization | service providers to implement proprietary email canonicalization | |||
| algorithms to ensure that email addresses entered by users resolve to | algorithms to ensure that email addresses entered by users resolve to | |||
| the same canonical string. When receiving an Email Subject | the same canonical string. When receiving an Email Subject | |||
| Identifier, the recipient SHOULD use their implementation's | Identifier, the recipient SHOULD use their implementation's | |||
| canonicalization algorithm to resolve the email address to the same | canonicalization algorithm to resolve the email address to the same | |||
| string used in their system. | string used in their system. | |||
| 3.2.3. Phone Number Subject Identifier Type | 3.2.3. Phone Number Identifier Format | |||
| The Phone Number Subject Identifier Type identifies a principal using | The Phone Number Identifier Format identifies a subject using a | |||
| a telephone number. Subject Identifiers of this type MUST contain a | telephone number. Subject Identifiers in this format MUST contain a | |||
| "phone_number" member whose value is a string containing the full | "phone_number" member whose value is a string containing the full | |||
| telephone number of the principal, including international dialing | telephone number of the subject, including international dialing | |||
| prefix, formatted according to E.164 [E164]. The "phone_number" | prefix, formatted according to E.164 [E164]. The "phone_number" | |||
| member is REQUIRED and MUST NOT be null or empty. The Phone Number | member is REQUIRED and MUST NOT be null or empty. The Phone Number | |||
| Subject Identifier Type is identified by the name "phone_number". | Identifier Format is identified by the name "phone_number". | |||
| Below is a non-normative example Subject Identifier for the Email | Below is a non-normative example Subject Identifier in the Email | |||
| Subject Identifier Type: | Identifier Format: | |||
| { | { | |||
| "subject_type": "phone_number", | "format": "phone_number", | |||
| "phone_number": "+12065550100", | "phone_number": "+12065550100", | |||
| } | } | |||
| Figure 6: Example: Subject Identifier for the Phone Number Subject | Figure 6: Example: Subject Identifier in the Phone Number Identifier | |||
| Identifier Type. | Format. | |||
| 3.2.4. Issuer and Subject Subject Identifier Type | 3.2.4. Issuer and Subject Identifier Format | |||
| The Issuer and Subject Subject Identifier Type identifies a principal | The Issuer and Subject Identifier Format identifies a subject using a | |||
| using a pair of "iss" and "sub" members, analagous to how subjects | pair of "iss" and "sub" members, analagous to how subjects are | |||
| are identified using the "iss" and "sub" claims in OpenID Connect | identified using the "iss" and "sub" claims in OpenID Connect | |||
| [OpenID.Core] ID Tokens. These members MUST follow the formats of | [OpenID.Core] ID Tokens. These members MUST follow the formats of | |||
| the "iss" member and "sub" member defined by [RFC7519], respectively. | the "iss" member and "sub" member defined by [RFC7519], respectively. | |||
| Both the "iss" member and the "sub" member are REQUIRED and MUST NOT | Both the "iss" member and the "sub" member are REQUIRED and MUST NOT | |||
| be null or empty. The Issuer and Subject Subject Identifier Type is | be null or empty. The Issuer and Subject Identifier Format is | |||
| identified by the name "iss_sub". | identified by the name "iss_sub". | |||
| Below is a non-normative example Subject Identifier for the Issuer | Below is a non-normative example Subject Identifier in the Issuer and | |||
| and Subject Subject Identifier Type: | Subject Identifier Format: | |||
| { | { | |||
| "subject_type": "iss_sub", | "format": "iss_sub", | |||
| "iss": "http://issuer.example.com/", | "iss": "http://issuer.example.com/", | |||
| "sub": "145234573", | "sub": "145234573", | |||
| } | } | |||
| Figure 7: Example: Subject Identifier for the Issuer and Subject | Figure 7: Example: Subject Identifier in the Issuer and Subject | |||
| Subject Identifier Type | Identifier Format | |||
| 3.2.5. Aliases Subject Identifier Type | 3.2.5. Aliases Identifier Format | |||
| The Aliases Subject Identifier Type describes a subject that is | The Aliases Identifier Format describes a subject that is identified | |||
| identified with a list of different Subject Identifiers. It is | with a list of different Subject Identifiers. It is intended for use | |||
| intended for use when a variety of identifiers have been shared with | when a variety of identifiers have been shared with the party that | |||
| the party that will be interpreting the Subject Identifier, and it is | will be interpreting the Subject Identifier, and it is unknown which | |||
| unknown which of those identifiers they will recognize or support. | of those identifiers they will recognize or support. Subject | |||
| Subject Identifiers of this type MUST contain an "identifiers" member | Identifiers in this format MUST contain an "identifiers" member whose | |||
| whose value is a JSON array containing one or more Subject | value is a JSON array containing one or more Subject Identifiers. | |||
| Identifiers. Each Subject Identifier in the array MUST identify the | Each Subject Identifier in the array MUST identify the same entity. | |||
| same entity. The "identifiers" member is REQUIRED and MUST NOT be | The "identifiers" member is REQUIRED and MUST NOT be null or empty. | |||
| null or empty. It MAY contain multiple instances of the same Subject | It MAY contain multiple instances of the same Identifier Format | |||
| Identifier Type (e.g., multiple Email Subject Identifiers), but | (e.g., multiple Email Subject Identifiers), but SHOULD NOT contain | |||
| SHOULD NOT contain exact duplicates. This type is identified by the | exact duplicates. This type is identified by the name "aliases". | |||
| name "aliases". | ||||
| "alias" Subject Identifiers MUST NOT be nested; i.e., the | "alias" Subject Identifiers MUST NOT be nested; i.e., the | |||
| "identifiers" member of an "alias" Subject Identifier MUST NOT | "identifiers" member of an "alias" Subject Identifier MUST NOT | |||
| contain a Subject Identifier of type "aliases". | contain a Subject Identifier of type "aliases". | |||
| Below is a non-normative example Subject Identifier for the Aliases | Below is a non-normative example Subject Identifier in the Aliases | |||
| Subject Identifier Type: | Identifier Format: | |||
| { | { | |||
| "subject_type": "aliases", | "format": "aliases", | |||
| "identifiers": [ | "identifiers": [ | |||
| { | { | |||
| "subject_type": "email", | "format": "email", | |||
| "email": "user@example.com", | "email": "user@example.com", | |||
| }, | }, | |||
| { | { | |||
| "subject_type": "phone_number", | "format": "phone_number", | |||
| "phone_number": "+12065550100", | "phone_number": "+12065550100", | |||
| }, | }, | |||
| { | { | |||
| "subject_type": "email", | "format": "email", | |||
| "email": "user+qualifier@example.com", | "email": "user+qualifier@example.com", | |||
| } | } | |||
| ], | ], | |||
| } | } | |||
| Figure 8: Example: Subject Identifier for the Aliases Subject | Figure 8: Example: Subject Identifier in the Aliases Identifier | |||
| Identifier Type | Format | |||
| 3.2.6. Opaque Identifier Format | ||||
| The Opaque Identifier Format describes a subject that is identified | ||||
| with a string with no semantics asserted beyond its usage as an | ||||
| identifier for the subject, such as a UUID or hash used as a | ||||
| surrogate identifier for a record in a database. Subject Identifiers | ||||
| in this format MUST contain an "id" member whose value is a JSON | ||||
| string containing the opaque string identifier for the subject. The | ||||
| "id" member is REQUIRED and MUST NOT be null or empty. The Opaque | ||||
| Identifier Format is identified by the name "opaque". | ||||
| Below is a non-normative example Subject Identifier in the Opaque | ||||
| Identifier Format: | ||||
| { | ||||
| "format": "opaque", | ||||
| "id": "11112222333344445555", | ||||
| } | ||||
| Figure 9: Example: Subject Identifier in the Opaque Identifier Format | ||||
| 4. Subject Identifiers in JWTs | 4. Subject Identifiers in JWTs | |||
| 4.1. "sub_id" Claim | 4.1. "sub_id" Claim | |||
| The "sub" JWT Claim is defined in Section 4.1.2 of [RFC7519] as | The "sub" JWT Claim is defined in Section 4.1.2 of [RFC7519] as | |||
| containing a string value, and therefore cannot contain a Subject | containing a string value, and therefore cannot contain a Subject | |||
| Identifier (which is a JSON object) as its value. This document | Identifier (which is a JSON object) as its value. This document | |||
| defines the "sub_id" JWT Claim, in accordance with Section 4.2 of | defines the "sub_id" JWT Claim, in accordance with Section 4.2 of | |||
| [RFC7519], as a common claim that identifies the subject of the JWT | [RFC7519], as a common claim that identifies the JWT Subject using a | |||
| using a Subject Identifier. When present, the value of this claim | Subject Identifier. When present, the value of this claim MUST be a | |||
| MUST be a Subject Identifier that identifies the principal that is | Subject Identifier that identifies the subject of the JWT. The | |||
| the subject of the JWT. The "sub_id" claim MAY be included in a JWT, | "sub_id" claim MAY be included in a JWT, whether or not the "sub" | |||
| whether or not the "sub" claim is present. When both the "sub" and | claim is present. When both the "sub" and "sub_id" claims are | |||
| "sub_id" claims are present in a JWT, they MUST identify the same | present in a JWT, they MUST identify the same subject, as a JWT has | |||
| principal. | one and only one JWT Subject. | |||
| When processing a JWT with both "sub" and "sub_id" claims, | When processing a JWT with both "sub" and "sub_id" claims, | |||
| implementations MUST NOT rely on both claims to determine the | implementations MUST NOT rely on both claims to determine the JWT | |||
| subject. An implementation MAY attempt to determine the subject from | Subject. An implementation MAY attempt to determine the JWT Subject | |||
| one claim and fall back to using the other if it determines it does | from one claim and fall back to using the other if it determines it | |||
| not understand the format of the first claim. For example, an | does not understand the format of the first claim. For example, an | |||
| implementation may attempt to use "sub_id", and fall back to using | implementation may attempt to use "sub_id", and fall back to using | |||
| "sub" upon finding that "sub_id" contains a Subject Identifier whose | "sub" upon finding that "sub_id" contains a Subject Identifier whose | |||
| type is not recognized by the implementation. | type is not recognized by the implementation. | |||
| Below are non-normative examples of JWTs containing the "sub_id" | Below are non-normative examples of JWTs containing the "sub_id" | |||
| claim: | claim: | |||
| { | { | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub_id": { | "sub_id": { | |||
| "subject_type": "email", | "format": "email", | |||
| "email": "user@example.com", | "email": "user@example.com", | |||
| }, | }, | |||
| } | } | |||
| Figure 9: Example: JWT containing a `sub_id` claim and no `sub` claim | Figure 10: Example: JWT containing a `sub_id` claim and no `sub` | |||
| claim | ||||
| { | { | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub": "user@example.com", | "sub": "user@example.com", | |||
| "sub_id": { | "sub_id": { | |||
| "subject_type": "email", | "format": "email", | |||
| "email": "user@example.com", | "email": "user@example.com", | |||
| }, | }, | |||
| } | } | |||
| Figure 10: Example: JWT where both the `sub` and `sub_id` claims | Figure 11: Example: JWT where both the `sub` and `sub_id` claims | |||
| identify the subject using the same identifier | identify the JWT Subject using the same identifier | |||
| { | { | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub": "user@example.com", | "sub": "user@example.com", | |||
| "sub_id": { | "sub_id": { | |||
| "subject_type": "email", | "format": "email", | |||
| "email": "elizabeth@example.com", | "email": "elizabeth@example.com", | |||
| }, | }, | |||
| } | } | |||
| Figure 11: Example: JWT where both the `sub` and `sub_id` claims | Figure 12: Example: JWT where both the `sub` and `sub_id` claims | |||
| identify the subject using different values of the same identifier | identify the JWT Subject using different values of the same | |||
| type | identifier type | |||
| { | { | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub": "user@example.com", | "sub": "user@example.com", | |||
| "sub_id": { | "sub_id": { | |||
| "subject_type": "account", | "format": "account", | |||
| "uri": "acct:example.user@service.example.com", | "uri": "acct:example.user@service.example.com", | |||
| }, | }, | |||
| } | } | |||
| Figure 12: Example: JWT where the `sub` and `sub_id` claims identify | Figure 13: Example: JWT where the `sub` and `sub_id` claims identify | |||
| the subject via different types of identifiers | the JWT Subject via different types of identifiers | |||
| 4.2. "sub_id" and "iss_sub" Subject Identifiers | 4.2. "sub_id" and "iss_sub" Subject Identifiers | |||
| The "sub_id" claim MAY contain an "iss_sub" Subject Identifier. In | The "sub_id" claim MAY contain an "iss_sub" Subject Identifier. In | |||
| this case, the JWT's "iss" claim and the Subject Identifier's "iss" | this case, the JWT's "iss" claim and the Subject Identifier's "iss" | |||
| member MAY be different. For example, an OpenID Connect | member MAY be different. For example, in OpenID Connect | |||
| [OpenID.Core] client may construct such a JWT when issuing a JWT back | [OpenID.Core] client may construct such a JWT when sending JWTs back | |||
| to its OpenID Connect Identity Provider, in order to communicate | to its OpenID Connect Identity Provider, in order to identify the JWT | |||
| information about the services' shared subject principal using an | Subject using an identifier known to be understood by both parties. | |||
| identifier the Identity Provider is known to understand. Similarly, | Similarly, the JWT's "sub" claim and the Subject Identifier's "sub" | |||
| the JWT's "sub" claim and the Subject Identifier's "sub" member MAY | member MAY be different. For example, this may be used by an OpenID | |||
| be different. For example, this may be used by an OpenID Connect | Connect client to communicate the JWT Subject's local identifier at | |||
| client to communicate the subject principal's local identifier at the | the client back to its Identity Provider. | |||
| client back to its Identity Provider. | ||||
| Below are non-normative examples of a JWT where the "iss" claim and | Below are non-normative examples of a JWT where the "iss" claim and | |||
| "iss" member within the "sub_id" claim are the same, and a JWT where | "iss" member within the "sub_id" claim are the same, and a JWT where | |||
| they are different. | they are different. | |||
| { | { | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub_id": { | "sub_id": { | |||
| "subject_type": "iss_sub", | "format": "iss_sub", | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub": "example_user", | "sub": "example_user", | |||
| }, | }, | |||
| } | } | |||
| Figure 13: Example: JWT with a `iss_sub` Subject Identifier where JWT | Figure 14: Example: JWT with a `iss_sub` Subject Identifier where JWT | |||
| issuer and subject issuer are the same | issuer and JWT Subject issuer are the same | |||
| { | { | |||
| "iss": "client.example.com", | "iss": "client.example.com", | |||
| "sub_id": { | "sub_id": { | |||
| "subject_type": "iss_sub", | "format": "iss_sub", | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub": "example_user", | "sub": "example_user", | |||
| }, | }, | |||
| } | } | |||
| Figure 14: Example: JWT with an `iss_sub` Subject Identifier where | Figure 15: Example: JWT with an `iss_sub` Subject Identifier where | |||
| the JWT issuer and subject issuer are different | the JWT issuer and JWT Subject issuer are different | |||
| { | { | |||
| "iss": "client.example.com", | "iss": "client.example.com", | |||
| "sub": "client_user", | "sub": "client_user", | |||
| "sub_id": { | "sub_id": { | |||
| "subject_type": "iss_sub", | "format": "iss_sub", | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub": "example_user", | "sub": "example_user", | |||
| }, | }, | |||
| } | } | |||
| Figure 15: Example: JWT with an `iss_sub` Subject Identifier where | Figure 16: Example: JWT with an `iss_sub` Subject Identifier where | |||
| the JWT `iss` and `sub` claims differ from the Subject Identifier's | the JWT `iss` and `sub` claims differ from the JWT Subject's `iss` | |||
| `iss` and `sub` members | and `sub` members | |||
| 5. Privacy Considerations | 5. Considerations for Specifications that Define Identifier Formats | |||
| 5.1. Identifier Correlation | Identifier Format definitions MUST NOT make assertions or | |||
| declarations regarding the subject being identified by the Subject | ||||
| Identifier (e.g., an Identifier Format cannot be defined as | ||||
| specifically identifying human end users), as such statements are | ||||
| outside the scope of Identifier Formats and Subject Identifiers, and | ||||
| expanding that scope for some Identifier Formats but not others would | ||||
| harm interoperability, as applications that depend on this expanded | ||||
| scope to disambiguate the subject type would be unable to use | ||||
| Identifier Formats that do not provide such rules. | ||||
| The act of presenting two or more identifiers for a single principal | 6. Privacy Considerations | |||
| 6.1. Identifier Correlation | ||||
| The act of presenting two or more identifiers for a single subject | ||||
| together (e.g., within an "aliases" Subject Identifier, or via the | together (e.g., within an "aliases" Subject Identifier, or via the | |||
| "sub" and "sub_id" JWT claims) may communicate more information about | "sub" and "sub_id" JWT claims) may communicate more information about | |||
| the principal than was intended. For example, the entity to which | the subject than was intended. For example, the entity to which the | |||
| the identifiers are presented, now knows that both identifiers relate | identifiers are presented now knows that both identifiers relate to | |||
| to the same principal, and may be able to correlate additional data | the same subject, and may be able to correlate additional data based | |||
| based on that. When transmitting Subject Identifiers, the | on that. When transmitting Subject Identifiers, the transmitter | |||
| transmitter SHOULD take care that they are only transmitting multiple | SHOULD take care that they are only transmitting multiple identifiers | |||
| identifiers together when it is known that the recipient already | together when it is known that the recipient already knows that the | |||
| knows that the identifiers are related (e.g., because they were | identifiers are related (e.g., because they were previously sent to | |||
| previously sent to the recipient as claims in an OpenID Connect ID | the recipient as claims in an OpenID Connect ID Token), or when | |||
| Token), or when correlation is essential to the use case. | correlation is essential to the use case. | |||
| The considerations described in Section 6 of [RFC8417] also apply | The considerations described in Section 6 of [RFC8417] also apply | |||
| when Subject Identifiers are used within SETs. The considerations | when Subject Identifiers are used within SETs. The considerations | |||
| described in Section 12 of [RFC7519] also apply when Subject | described in Section 12 of [RFC7519] also apply when Subject | |||
| Identifiers are used within JWTs. | Identifiers are used within JWTs. | |||
| 6. Security Considerations | 7. Security Considerations | |||
| 6.1. Confidentiality and Integrity | 7.1. Confidentiality and Integrity | |||
| This specification does not define any mechanism for ensuring the | This specification does not define any mechanism for ensuring the | |||
| confidentiality or integrityi of a Subject Identifier. Where such | confidentiality or integrityi of a Subject Identifier. Where such | |||
| properties are required, implementations MUST use mechanisms provided | properties are required, implementations MUST use mechanisms provided | |||
| by the containing format (e.g., integrity protecting SETs or JWTs | by the containing format (e.g., integrity protecting SETs or JWTs | |||
| using JWS [RFC7515]), or at the transport layer or other layer in the | using JWS [RFC7515]), or at the transport layer or other layer in the | |||
| application stack (e.g., using TLS [RFC8446]). | application stack (e.g., using TLS [RFC8446]). | |||
| Further considerations regarding confidentiality and integrity of | Further considerations regarding confidentiality and integrity of | |||
| SETs can be found in Section 5.1 of [RFC8417]. | SETs can be found in Section 5.1 of [RFC8417]. | |||
| 7. IANA Considerations | 8. IANA Considerations | |||
| 7.1. Security Event Subject Identifier Types Registry | 8.1. Security Event Identifier Formats Registry | |||
| This document defines Subject Identifier Types, for which IANA is | This document defines Identifier Formats, for which IANA is asked to | |||
| asked to create and maintain a new registry titled "Security Event | create and maintain a new registry titled "Security Event Identifier | |||
| Subject Identifier Types". Initial values for the Security Event | Formats". Initial values for the Security Event Identifier Formats | |||
| Subject Identifier Types registry are given in Section 3. Future | registry are given in Section 3. Future assignments are to be made | |||
| assignments are to be made through the Expert Review registration | through the Expert Review registration policy [BCP26] and shall | |||
| policy [BCP26] and shall follow the template presented in | follow the template presented in Section 8.1.2. | |||
| Section 7.1.2. | ||||
| It is suggested that multiple Designated Experts be appointed who are | It is suggested that multiple Designated Experts be appointed who are | |||
| able to represent the perspectives of different applications using | able to represent the perspectives of different applications using | |||
| this specification, in order to enable broadly informed review of | this specification, in order to enable broadly informed review of | |||
| registration decisions. In cases where a registration decision could | registration decisions. In cases where a registration decision could | |||
| be perceived as creating a conflict of interest for a particular | be perceived as creating a conflict of interest for a particular | |||
| Expert, that Expert should defer to the judgment of the other | Expert, that Expert should defer to the judgment of the other | |||
| Experts. | Experts. | |||
| 7.1.1. Registry Location | 8.1.1. Registry Location | |||
| (This section to be removed by the RFC Editor before publication as | (This section to be removed by the RFC Editor before publication as | |||
| an RFC.) | an RFC.) | |||
| The authors recommend that the Subject Identifier Types registry be | The authors recommend that the Identifier Formats registry be located | |||
| located at "https://www.iana.org/assignments/secevent/". | at "https://www.iana.org/assignments/secevent/". | |||
| 7.1.2. Registration Template | 8.1.2. Registration Template | |||
| Type Name | Type Name | |||
| The name of the Subject Identifier Type, as described in | The name of the Identifier Format, as described in Section 3. The | |||
| Section 3. The name MUST be an ASCII string consisting only of | name MUST be an ASCII string consisting only of lower-case | |||
| lower-case characters ("a" - "z"), digits ("0" - "9"), underscores | characters ("a" - "z"), digits ("0" - "9"), underscores ("_"), and | |||
| ("_"), and hyphens ("-"), and SHOULD NOT exceed 20 characters in | hyphens ("-"), and SHOULD NOT exceed 20 characters in length. | |||
| length. | ||||
| Type Description | Type Description | |||
| A brief description of the Subject Identifier Type. | A brief description of the Identifier Format. | |||
| Change Controller | Change Controller | |||
| For types defined in documents published by the IETF or its | For types defined in documents published by the IETF or its | |||
| working groups, list "IETF". For all other types, list the name | working groups, list "IETF". For all other types, list the name | |||
| of the party responsible for the registration. Contact | of the party responsible for the registration. Contact | |||
| information such as mailing address, email address, or phone | information such as mailing address, email address, or phone | |||
| number may also be provided. | number may also be provided. | |||
| Defining Document(s) | Defining Document(s) | |||
| A reference to the document or documents that define the Subject | A reference to the document or documents that define the | |||
| Identifier Type. The definition MUST specify the name, format, | Identifier Format. The definition MUST specify the name, format, | |||
| and meaning of each member that may occur within a Subject | and meaning of each member that may occur within a Subject | |||
| Identifier of the defined type, as well as whether each member is | Identifier of the defined type, as well as whether each member is | |||
| optional, required, prohibited, or the circumstances under which | optional, required, prohibited, or the circumstances under which | |||
| the member may be optional, required, or prohibited. URIs that | the member may be optional, required, or prohibited. URIs that | |||
| can be used to retrieve copies of each document SHOULD be | can be used to retrieve copies of each document SHOULD be | |||
| included. | included. | |||
| 7.1.3. Initial Registry Contents | 8.1.3. Initial Registry Contents | |||
| 7.1.3.1. Account Subject Identifier Type | 8.1.3.1. Account Identifier Format | |||
| o Type Name: "account" | o Type Name: "account" | |||
| o Type Description: Subject identifier based on "acct" URI. | o Type Description: Subject identifier based on "acct" URI. | |||
| o Change Controller: IETF | o Change Controller: IETF | |||
| o Defining Document(s): Section 3 of this document. | o Defining Document(s): Section 3 of this document. | |||
| 7.1.3.2. Email Subject Identifier Type | 8.1.3.2. Email Identifier Format | |||
| o Type Name: "email" | o Type Name: "email" | |||
| o Type Description: Subject identifier based on email address. | o Type Description: Subject identifier based on email address. | |||
| o Change Controller: IETF | o Change Controller: IETF | |||
| o Defining Document(s): Section 3 of this document. | o Defining Document(s): Section 3 of this document. | |||
| 7.1.3.3. Issuer and Subject Subject Identifier Type | 8.1.3.3. Issuer and Subject Identifier Format | |||
| o Type Name: "iss_sub" | o Type Name: "iss_sub" | |||
| o Type Description: Subject identifier based on an issuer and | o Type Description: Subject identifier based on an issuer and | |||
| subject. | subject. | |||
| o Change Controller: IETF | o Change Controller: IETF | |||
| o Defining Document(s): Section 3 of this document. | o Defining Document(s): Section 3 of this document. | |||
| 7.1.3.4. Phone Number Subject Identifier Type | 8.1.3.4. Phone Number Identifier Format | |||
| o Type Name: "phone_number" | o Type Name: "phone_number" | |||
| o Type Description: Subject identifier based on an phone number. | o Type Description: Subject identifier based on an phone number. | |||
| o Change Controller: IETF | o Change Controller: IETF | |||
| o Defining Document(s): Section 3 of this document. | o Defining Document(s): Section 3 of this document. | |||
| 7.1.3.5. Aliases Subject Identifier Type | 8.1.3.5. Aliases Identifier Format | |||
| o Type Name: "aliases" | o Type Name: "aliases" | |||
| o Type Description: Subject identifier that groups together multiple | o Type Description: Subject identifier that groups together multiple | |||
| different subject identifiers for the same subject. | different subject identifiers for the same subject. | |||
| o Change Controller: IETF | o Change Controller: IETF | |||
| o Defining Document(s): Section 3 of this document. | o Defining Document(s): Section 3 of this document. | |||
| 7.1.4. Guidance for Expert Reviewers | 8.1.3.6. Opaque Identifier Format | |||
| o Type Name: "opaque" | ||||
| o Type Description: Subject identifier based on an opaque string. | ||||
| o Change Controller: IETF | ||||
| o Defining Document(s): Section 3 of this document. | ||||
| 8.1.4. Guidance for Expert Reviewers | ||||
| The Expert Reviewer is expected to review the documentation | The Expert Reviewer is expected to review the documentation | |||
| referenced in a registration request to verify its completeness. The | referenced in a registration request to verify its completeness. The | |||
| Expert Reviewer must base their decision to accept or reject the | Expert Reviewer must base their decision to accept or reject the | |||
| request on a fair and impartial assessment of the request. If the | request on a fair and impartial assessment of the request. If the | |||
| Expert Reviewer has a conflict of interest, such as being an author | Expert Reviewer has a conflict of interest, such as being an author | |||
| of a defining document referenced by the request, they must recuse | of a defining document referenced by the request, they must recuse | |||
| themselves from the approval process for that request. In the case | themselves from the approval process for that request. In the case | |||
| where a request is rejected, the Expert Reviewer should provide the | where a request is rejected, the Expert Reviewer should provide the | |||
| requesting party with a written statement expressing the reason for | requesting party with a written statement expressing the reason for | |||
| rejection, and be prepared to cite any sources of information that | rejection, and be prepared to cite any sources of information that | |||
| went into that decision. | went into that decision. | |||
| Subject Identifier Types need not be generally applicable and may be | Identifier Formats need not be generally applicable and may be highly | |||
| highly specific to a particular domain; it is expected that types may | specific to a particular domain; it is expected that types may be | |||
| be registered for niche or industry-specific use cases. The Expert | registered for niche or industry-specific use cases. The Expert | |||
| Reviewer should focus on whether the type is thoroughly documented, | Reviewer should focus on whether the type is thoroughly documented, | |||
| and whether its registration will promote or harm interoperability. | and whether its registration will promote or harm interoperability. | |||
| In most cases, the Expert Reviewer should not approve a request if | In most cases, the Expert Reviewer should not approve a request if | |||
| the registration would contribute to confusion, or amount to a | the registration would contribute to confusion, or amount to a | |||
| synonym for an existing type. | synonym for an existing type. | |||
| 7.2. JSON Web Token Claims Registration | 8.2. JSON Web Token Claims Registration | |||
| This document defines the "sub_id" JWT Claim, which IANA is asked to | This document defines the "sub_id" JWT Claim, which IANA is asked to | |||
| register in the "JSON Web Token Claims" registry IANA JSON Web Token | register in the "JSON Web Token Claims" registry IANA JSON Web Token | |||
| Claims Registry [IANA.JWT.Claims] established by [RFC7519]. | Claims Registry [IANA.JWT.Claims] established by [RFC7519]. | |||
| 7.2.1. Registry Contents | 8.2.1. Registry Contents | |||
| o Claim Name: "sub_id" | o Claim Name: "sub_id" | |||
| o Claim Description: Subject Identifier | o Claim Description: Subject Identifier | |||
| o Change Controller: IESG | o Change Controller: IESG | |||
| o Specification Document(s): Section 4.1 of this document. | o Specification Document(s): Section 4.1 of this document. | |||
| 8. References | 9. References | |||
| 8.1. Normative References | 9.1. Normative References | |||
| [BCP26] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | [BCP26] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | |||
| Writing an IANA Considerations Section in RFCs", BCP 26, | Writing an IANA Considerations Section in RFCs", BCP 26, | |||
| RFC 8126, DOI 10.17487/RFC8126, June 2017, | RFC 8126, DOI 10.17487/RFC8126, June 2017, | |||
| <https://www.rfc-editor.org/info/rfc8126>. | <https://www.rfc-editor.org/info/rfc8126>. | |||
| [E164] International Telecommunication Union, "The international | [E164] International Telecommunication Union, "The international | |||
| public telecommunication numbering plan", 2010, | public telecommunication numbering plan", 2010, | |||
| <http://www.itu.int/rec/T-REC-E.164-201011-I/en>. | <http://www.itu.int/rec/T-REC-E.164-201011-I/en>. | |||
| skipping to change at page 17, line 22 ¶ | skipping to change at page 18, line 22 ¶ | |||
| [RFC7565] Saint-Andre, P., "The 'acct' URI Scheme", RFC 7565, | [RFC7565] Saint-Andre, P., "The 'acct' URI Scheme", RFC 7565, | |||
| DOI 10.17487/RFC7565, May 2015, | DOI 10.17487/RFC7565, May 2015, | |||
| <https://www.rfc-editor.org/info/rfc7565>. | <https://www.rfc-editor.org/info/rfc7565>. | |||
| [RFC8417] Hunt, P., Ed., Jones, M., Denniss, W., and M. Ansari, | [RFC8417] Hunt, P., Ed., Jones, M., Denniss, W., and M. Ansari, | |||
| "Security Event Token (SET)", RFC 8417, | "Security Event Token (SET)", RFC 8417, | |||
| DOI 10.17487/RFC8417, July 2018, | DOI 10.17487/RFC8417, July 2018, | |||
| <https://www.rfc-editor.org/info/rfc8417>. | <https://www.rfc-editor.org/info/rfc8417>. | |||
| 8.2. Informative References | 9.2. Informative References | |||
| [OpenID.Core] | [OpenID.Core] | |||
| Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and | Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and | |||
| C. Mortimore, "OpenID Connect Core 1.0", November 2014, | C. Mortimore, "OpenID Connect Core 1.0", November 2014, | |||
| <http://openid.net/specs/openid-connect-core-1_0.html>. | <http://openid.net/specs/openid-connect-core-1_0.html>. | |||
| [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | |||
| STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | |||
| <https://www.rfc-editor.org/info/rfc1034>. | <https://www.rfc-editor.org/info/rfc1034>. | |||
| skipping to change at page 19, line 31 ¶ | skipping to change at page 20, line 31 ¶ | |||
| o Clarified that Subject Identifiers don't provide confidentiality | o Clarified that Subject Identifiers don't provide confidentiality | |||
| or integrity protection. | or integrity protection. | |||
| o Added references to SET, JWT privacy and security considerations. | o Added references to SET, JWT privacy and security considerations. | |||
| o Added section describing the difference between subject identifier | o Added section describing the difference between subject identifier | |||
| type and principal type that hopefully clarifies things and | type and principal type that hopefully clarifies things and | |||
| doesn't just muddy the water further. | doesn't just muddy the water further. | |||
| Draft 07 - AB: | ||||
| o Emphasized that the spec is about identifiers, not the things they | ||||
| identify: | ||||
| * Renamed "Subject Identifier Type" to "Identifier Format". | ||||
| * Renamed "subject_type" to "format". | ||||
| * Renamed "Security Event Subject Identifier Type Registry" to | ||||
| "Security Event Identifier Format Registry". | ||||
| * Added new section with guidance for specs defining Identifier | ||||
| Formats, with normative prohibition on formats that describe | ||||
| the subject itself, rather than the identifier. | ||||
| o Clarified the meaning of "subject": | ||||
| * Defined "subject" as applying generically and "JWT Subject" as | ||||
| applying specifically to the subject of a JWT. | ||||
| * Replaced most instances of the word "principal" with "subject". | ||||
| o Added "opaque" Identifier Format | ||||
| Authors' Addresses | Authors' Addresses | |||
| Annabelle Backman (editor) | Annabelle Backman (editor) | |||
| Amazon | Amazon | |||
| Email: richanna@amazon.com | Email: richanna@amazon.com | |||
| Marius Scurtescu | Marius Scurtescu | |||
| Coinbase | Coinbase | |||
| End of changes. 106 change blocks. | ||||
| 274 lines changed or deleted | 358 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||