| rfc9493.original | rfc9493.txt | |||
|---|---|---|---|---|
| Security Events Working Group A. Backman, Ed. | Internet Engineering Task Force (IETF) A. Backman, Ed. | |||
| Internet-Draft Amazon | Request for Comments: 9493 Amazon | |||
| Intended status: Standards Track M. Scurtescu | Category: Standards Track M. Scurtescu | |||
| Expires: 26 December 2023 Coinbase | ISSN: 2070-1721 Coinbase | |||
| P. Jain | P. Jain | |||
| Fastly | Fastly | |||
| 24 June 2023 | December 2023 | |||
| Subject Identifiers for Security Event Tokens | Subject Identifiers for Security Event Tokens | |||
| draft-ietf-secevent-subject-identifiers-18 | ||||
| Abstract | Abstract | |||
| Security events communicated within Security Event Tokens may support | Security events communicated within Security Event Tokens may support | |||
| a variety of identifiers to identify subjects related to the event. | a variety of identifiers to identify subjects related to the event. | |||
| This specification formalizes the notion of subject identifiers as | This specification formalizes the notion of Subject Identifiers as | |||
| structured information that describe a subject, and named formats | structured information that describes a subject and named formats | |||
| that define the syntax and semantics for encoding subject identifiers | that define the syntax and semantics for encoding Subject Identifiers | |||
| as JSON objects. It also defines a registry for defining and | as JSON objects. It also establishes a registry for defining and | |||
| allocating names for such formats, as well as the "sub_id" JSON Web | allocating names for such formats as well as the JSON Web Token (JWT) | |||
| Token (JWT) claim. | "sub_id" Claim. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
| provisions of BCP 78 and BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
| and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
| time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
| material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
| Internet Standards is available in Section 2 of RFC 7841. | ||||
| This Internet-Draft will expire on 26 December 2023. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| https://www.rfc-editor.org/info/rfc9493. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2023 IETF Trust and the persons identified as the | Copyright (c) 2023 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
| license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | ||||
| Please review these documents carefully, as they describe your rights | carefully, as they describe your rights and restrictions with respect | |||
| and restrictions with respect to this document. Code Components | to this document. Code Components extracted from this document must | |||
| extracted from this document must include Revised BSD License text as | include Revised BSD License text as described in Section 4.e of the | |||
| described in Section 4.e of the Trust Legal Provisions and are | Trust Legal Provisions and are provided without warranty as described | |||
| provided without warranty as described in the Revised BSD License. | in the Revised BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction | |||
| 2. Notational Conventions . . . . . . . . . . . . . . . . . . . 5 | 2. Notational Conventions | |||
| 2.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 5 | 2.1. Definitions | |||
| 3. Subject Identifiers . . . . . . . . . . . . . . . . . . . . . 5 | 3. Subject Identifiers | |||
| 3.1. Identifier Formats versus Principal Types . . . . . . . . 6 | 3.1. Identifier Formats versus Principal Types | |||
| 3.2. Identifier Format Definitions . . . . . . . . . . . . . . 6 | 3.2. Identifier Format Definitions | |||
| 3.2.1. Account Identifier Format . . . . . . . . . . . . . . 7 | 3.2.1. Account Identifier Format | |||
| 3.2.2. Email Identifier Format . . . . . . . . . . . . . . . 7 | 3.2.2. Email Identifier Format | |||
| 3.2.3. Issuer and Subject Identifier Format . . . . . . . . 8 | 3.2.3. Issuer and Subject Identifier Format | |||
| 3.2.4. Opaque Identifier Format . . . . . . . . . . . . . . 9 | 3.2.4. Opaque Identifier Format | |||
| 3.2.5. Phone Number Identifier Format . . . . . . . . . . . 9 | 3.2.5. Phone Number Identifier Format | |||
| 3.2.6. Decentralized Identifier (DID) Format . . . . . . . . 10 | 3.2.6. Decentralized Identifier (DID) Format | |||
| 3.2.7. Uniform Resource Identifier (URI) Format . . . . . . 10 | 3.2.7. Uniform Resource Identifier (URI) Format | |||
| 3.2.8. Aliases Identifier Format . . . . . . . . . . . . . . 11 | 3.2.8. Aliases Identifier Format | |||
| 4. Subject Identifiers in JWTs . . . . . . . . . . . . . . . . . 12 | 4. Subject Identifiers in JWTs | |||
| 4.1. sub_id Claim . . . . . . . . . . . . . . . . . . . . . . 12 | 4.1. JWT "sub_id" Claim | |||
| 4.2. sub_id and iss_sub Subject Identifiers . . . . . . . . . 14 | 4.2. JWT "sub_id" Claim and "iss_sub" Subject Identifier | |||
| 5. Considerations for Specifications that Define Identifier | 5. Considerations for Specifications that Define Identifier | |||
| Formats . . . . . . . . . . . . . . . . . . . . . . . . . 15 | Formats | |||
| 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 15 | 6. Privacy Considerations | |||
| 6.1. Identifier Correlation . . . . . . . . . . . . . . . . . 15 | 6.1. Identifier Correlation | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 16 | 7. Security Considerations | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 | 8. IANA Considerations | |||
| 8.1. Security Event Identifier Formats Registry . . . . . . . 16 | 8.1. Security Event Identifier Formats Registry | |||
| 8.1.1. Registry Location . . . . . . . . . . . . . . . . . . 16 | 8.1.1. Registration Template | |||
| 8.1.2. Registration Template . . . . . . . . . . . . . . . . 16 | 8.1.2. Initial Registry Contents | |||
| 8.1.3. Initial Registry Contents . . . . . . . . . . . . . . 17 | 8.1.3. Guidance for Expert Reviewers | |||
| 8.1.4. Guidance for Expert Reviewers . . . . . . . . . . . . 19 | 8.2. JSON Web Token Claims Registration | |||
| 8.2. JSON Web Token Claims Registration . . . . . . . . . . . 19 | 8.2.1. Registry Contents | |||
| 8.2.1. Registry Contents . . . . . . . . . . . . . . . . . . 19 | 9. References | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 9.1. Normative References | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 19 | 9.2. Informative References | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 21 | Acknowledgements | |||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 21 | Authors' Addresses | |||
| Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 | ||||
| 1. Introduction | 1. Introduction | |||
| As described in Section 1.2 of SET [RFC8417], subjects related to | As described in Section 1.2 of [RFC8417] ("Security Event Token | |||
| security events may take a variety of forms, including but not | (SET)"), subjects related to security events may take a variety of | |||
| limited to a JWT [RFC7519] principal, an IP address, a URL, etc. | forms, including but not limited to a JWT [RFC7519] principal, an IP | |||
| Different types of subjects may need to be identified in different | address, a URL, etc. Different types of subjects may need to be | |||
| ways (e.g., a user might be identified by an email address or a phone | identified in different ways (e.g., a user might be identified by an | |||
| number or an account number). Furthermore, even in the case where | email address, a phone number, or an account number). Furthermore, | |||
| the type of the subject is known, there may be multiple ways by which | even in the case where the type of the subject is known, there may be | |||
| a given subject may be identified. For example, an account may be | multiple ways by which a given subject may be identified. For | |||
| identified by an opaque identifier, an email address, a phone number, | example, an account may be identified by an opaque identifier, an | |||
| a JWT "iss" claim and "sub" claim, etc., depending on the nature and | email address, a phone number, a JWT "iss" Claim and "sub" Claim, | |||
| needs of the transmitter and receiver. Even within the context of a | etc., depending on the nature and needs of the transmitter and | |||
| given transmitter and receiver relationship, it may be appropriate to | receiver. Even within the context of a given transmitter and | |||
| identify different accounts in different ways, for example if some | receiver relationship, it may be appropriate to identify different | |||
| accounts only have email addresses associated with them while others | accounts in different ways, for example, if some accounts only have | |||
| only have phone numbers. Therefore it can be necessary to indicate | email addresses associated with them while others only have phone | |||
| within a SET the mechanism by which a subject is being identified. | numbers. Therefore, it can be necessary to indicate within a SET the | |||
| mechanism by which a subject is being identified. | ||||
| To address this problem, this specification defines Subject | To address this problem, this specification defines Subject | |||
| Identifiers - JSON [RFC8259] objects containing information | Identifiers as JSON [RFC8259] objects containing information | |||
| identifying a subject - and Identifier Formats - named sets of rules | identifying a subject and defines Identifier Formats as named sets of | |||
| describing how to encode different kinds of subject identifying | rules describing how to encode different kinds of subject-identifying | |||
| information (e.g., an email address, or an issuer and subject pair) | information (e.g., an email address or an issuer and subject pair) as | |||
| as a Subject Identifier. | a Subject Identifier. | |||
| Below is a non-normative example of a Subject Identifier that | Below is a non-normative example of a Subject Identifier that | |||
| identifies a subject by email address, using the Email Identifier | identifies a subject by email address, using the Email Identifier | |||
| Format. | Format. | |||
| { | { | |||
| "format": "email", | "format": "email", | |||
| "email": "user@example.com" | "email": "user@example.com" | |||
| } | } | |||
| Figure 1: Example: Subject Identifier using the Email Identifier | Figure 1: Example: Subject Identifier Using the Email Identifier | |||
| Format | Format | |||
| Subject Identifiers are intended to be a general-purpose mechanism | Subject Identifiers are intended to be a general-purpose mechanism | |||
| for identifying subjects within JSON objects and their usage need not | for identifying subjects within JSON objects, and their usage need | |||
| be limited to SETs. Below is a non-normative example of a JWT that | not be limited to SETs. Below is a non-normative example of a JWT | |||
| uses a Subject Identifier in the "sub_id" claim (defined in this | that uses a Subject Identifier in the JWT "sub_id" Claim (defined in | |||
| specification) to identify the JWT Subject. | this specification) to identify the JWT Subject. | |||
| { | { | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub_id": { | "sub_id": { | |||
| "format": "phone_number", | "format": "phone_number", | |||
| "phone_number": "+12065550100" | "phone_number": "+12065550100" | |||
| } | } | |||
| } | } | |||
| Figure 2: Example: JWT using a Subject Identifier with the | Figure 2: Example: JWT Using a Subject Identifier with the JWT | |||
| "sub_id" claim | "sub_id" Claim | |||
| Usage of Subject Identifiers also need not be limited to identifying | Usage of Subject Identifiers also need not be limited to identifying | |||
| JWT Subjects. They are intended as a general-purpose means of | JWT Subjects. They are intended as a general-purpose means of | |||
| expressing identifying information in an unambiguous manner. Below | expressing identifying information in an unambiguous manner. Below | |||
| is a non-normative example of a SET containing a hypothetical | is a non-normative example of a SET containing a hypothetical | |||
| security event describing the interception of a message, using | security event describing the interception of a message, using | |||
| Subject Identifiers to identify the sender, intended recipient, and | Subject Identifiers to identify the sender, intended recipient, and | |||
| interceptor. | interceptor. | |||
| { | { | |||
| skipping to change at page 4, line 46 ¶ | skipping to change at line 175 ¶ | |||
| "email": "bob@example.com" | "email": "bob@example.com" | |||
| }, | }, | |||
| "interceptor": { | "interceptor": { | |||
| "format": "email", | "format": "email", | |||
| "email": "eve@example.com" | "email": "eve@example.com" | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| Figure 3: Example: SET with an event payload containing multiple | Figure 3: Example: SET with an Event Payload Containing Multiple | |||
| Subject Identifiers | Subject Identifiers | |||
| 2. Notational Conventions | 2. Notational Conventions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| document are to be interpreted as described in BCP 14 | "OPTIONAL" in this document are to be interpreted as described in | |||
| [RFC2119][RFC8417]. | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | ||||
| 2.1. Definitions | 2.1. Definitions | |||
| This specification utilizes terminology defined in [RFC8259] and | This specification utilizes terminology defined in [RFC8259] and | |||
| [RFC8417]. | [RFC8417]. | |||
| Within this specification, the terms "Subject" and "subject" refer | Within this specification, the terms "Subject" and "subject" refer | |||
| generically to anything being identified via one or more pieces of | generically to anything being identified via one or more pieces of | |||
| information. The term "JWT Subject" refers specifically to the | information. The term "JWT Subject" refers specifically to the | |||
| subject of a JWT (i.e., the subject that the JWT asserts claims | subject of a JWT (i.e., the subject that the JWT asserts claims | |||
| about). | about). | |||
| 3. Subject Identifiers | 3. Subject Identifiers | |||
| A Subject Identifier is a JSON [RFC8259] object whose contents may be | A Subject Identifier is a JSON object [RFC8259] whose contents may be | |||
| used to identify a subject within some context. An Identifier Format | used to identify a subject within some context. An Identifier Format | |||
| is a named definition of a set of information that may be used to | is a named definition of a set of information that may be used to | |||
| identify a subject, and the rules for encoding that information as a | identify a subject and the rules for encoding that information as a | |||
| Subject Identifier; they define the syntax and semantics of Subject | Subject Identifier; these rules define the syntax and semantics of | |||
| Identifiers. A Subject Identifier MUST conform to a specific | Subject Identifiers. A Subject Identifier MUST conform to a specific | |||
| Identifier Format, and MUST contain a "format" member whose value is | Identifier Format and MUST contain a "format" member whose value is | |||
| the name of that Identifier Format. | the name of that Identifier Format. | |||
| Every Identifier Format MUST have a unique name registered in the | Every Identifier Format MUST have a unique name registered in the | |||
| IANA "Security Event Identifier Formats" registry established by | IANA "Security Event Identifier Formats" registry established in | |||
| Section 8.1, or a Collision-Resistant Name as defined in [RFC7519]. | Section 8.1 or a Collision-Resistant Name as defined in [RFC7519]. | |||
| Identifier Formats that are expected to be used broadly by a variety | Identifier Formats that are expected to be used broadly by a variety | |||
| of parties SHOULD be registered in the "Security Event Identifier | of parties SHOULD be registered in the "Security Event Identifier | |||
| Formats" registry. | Formats" registry. | |||
| An Identifier Format MAY describe more members than are strictly | An Identifier Format MAY describe more members than are strictly | |||
| necessary to identify a subject, and MAY describe conditions under | necessary to identify a subject and MAY describe conditions under | |||
| which those members are required, optional, or prohibited. The | which those members are required, optional, or prohibited. The | |||
| "format" member is reserved for use as described in this | "format" member is reserved for use as described in this | |||
| specification; Identifier Formats MUST NOT declare any rules | specification; Identifier Formats MUST NOT declare any rules | |||
| regarding the "format" member. | regarding the "format" member. | |||
| Every member within a Subject Identifier MUST match the rules | Every member within a Subject Identifier MUST match the rules | |||
| specified for that member by this specification or by Subject | specified for that member by this specification or by a Subject | |||
| Identifier's Identifier Format. A Subject Identifier MUST NOT | Identifier's Identifier Format. A Subject Identifier MUST NOT | |||
| contain any members prohibited or not described by its Identifier | contain any members prohibited or not described by its Identifier | |||
| Format, and MUST contain all members required by its Identifier | Format and MUST contain all members required by its Identifier | |||
| Format. | Format. | |||
| 3.1. Identifier Formats versus Principal Types | 3.1. Identifier Formats versus Principal Types | |||
| Identifier Formats define how to encode identifying information for a | Identifier Formats define how to encode identifying information for a | |||
| subject. Unlike Principal Types, they do not define the type or | subject. Unlike Principal Types, they do not define the type or | |||
| nature of the subject itself. For example, while the "email" | nature of the subject itself. For example, while the Email | |||
| Identifier Format declares that the value of the "email" member is an | Identifier Format declares that the value of the "email" member is an | |||
| email address, a subject in a Security Event that is identified by an | email address, a subject in a security event that is identified by an | |||
| "email" Subject Identifier could be an end user who controls that | Email Subject Identifier could be an end user who controls that email | |||
| email address, the mailbox itself, or anything else that the | address, the mailbox itself, or anything else that the transmitter | |||
| transmitter and receiver both understand to be associated with that | and receiver both understand to be associated with that email | |||
| email address. Consequently Subject Identifiers remove ambiguity | address. Consequently, Subject Identifiers remove ambiguity around | |||
| around how a subject is being identified, and how to parse an | how a subject is being identified and how to parse an identifying | |||
| identifying structure, but do not remove ambiguity around how to | structure, but they do not remove ambiguity around how to resolve | |||
| resolve that identifier to a subject. For example, consider a | that identifier for a subject. For example, consider a directory | |||
| directory management API that allows callers to identify users and | management API that allows callers to identify users and groups | |||
| groups through both opaque unique identifiers and email addresses. | through both opaque unique identifiers and email addresses. Such an | |||
| Such an API could use Subject Identifiers to disambiguate between | API could use Subject Identifiers to disambiguate between which of | |||
| which of these two types of identifiers is in use. However, the API | these two types of identifiers is in use. However, the API would | |||
| would have to determine whether the subject is a user or group via | have to determine whether the subject is a user or group via some | |||
| some other means, such as by querying a database, interpreting other | other means, such as by querying a database, interpreting other | |||
| parameters in the request, or inferring the type from the API | parameters in the request, or inferring the type from the API | |||
| contract. | contract. | |||
| 3.2. Identifier Format Definitions | 3.2. Identifier Format Definitions | |||
| The following Identifier Formats are registered in the IANA "Security | The following Identifier Formats are registered in the IANA "Security | |||
| Event Identifier Formats" registry established by Section 8.1. | Event Identifier Formats" registry established in Section 8.1. | |||
| Since the subject identifier format conveys semantic information, | Since the Subject Identifier Format conveys semantic information, | |||
| applications SHOULD choose the most specific possible format for the | applications SHOULD choose the most specific possible format for the | |||
| identifier in question. For example, an email address can be | identifier in question. For example, an email address can be | |||
| conveyed using a mailto: URI and the uri identifier format, but since | conveyed using a "mailto:" URI and the URI Identifier Format, but | |||
| the value is known to be an email address, the application should | since the value is known to be an email address, the application | |||
| prefer to use the "email" identifier format instead. | should prefer to use the Email Identifier Format instead. | |||
| 3.2.1. Account Identifier Format | 3.2.1. Account Identifier Format | |||
| The Account Identifier Format identifies a subject using an account | The Account Identifier Format identifies a subject using an account | |||
| at a service provider, identified with an "acct" URI as defined in | at a service provider, identified with an "acct" URI as defined in | |||
| [RFC7565]. An account is an arrangement or agreement through which a | [RFC7565]. An account is an arrangement or agreement through which a | |||
| user gets access to a service and gets a unique identity with the | user gets access to a service and gets a unique identity with the | |||
| service provider. Subject Identifiers in this format MUST contain a | service provider. Subject Identifiers in this format MUST contain a | |||
| "uri" member whose value is the "acct" URI for the subject. The | "uri" member whose value is the "acct" URI for the subject. The | |||
| "uri" member is REQUIRED and MUST NOT be null or empty. The Account | "uri" member is REQUIRED and MUST NOT be null or empty. The Account | |||
| skipping to change at page 8, line 8 ¶ | skipping to change at line 311 ¶ | |||
| { | { | |||
| "format": "email", | "format": "email", | |||
| "email": "user@example.com" | "email": "user@example.com" | |||
| } | } | |||
| Figure 5: Example: Subject Identifier in the Email Identifier Format | Figure 5: Example: Subject Identifier in the Email Identifier Format | |||
| 3.2.2.1. Email Canonicalization | 3.2.2.1. Email Canonicalization | |||
| Many email providers will treat multiple email addresses as | Many email providers will treat multiple email addresses as | |||
| equivalent. While the domain portion of an [RFC5322] email address | equivalent. While the domain portion of an email address [RFC5322] | |||
| is consistently treated as case-insensitive per [RFC1034], most | is consistently treated as case-insensitive per [RFC1034], most | |||
| providers treat the local part of the email address as case- | providers treat the local part of the email address as case- | |||
| insensitive as well, and consider "user@example.com", | insensitive as well and consider "user@example.com", | |||
| "User@example.com", and "USER@example.com" as the same email address. | "User@example.com", and "USER@example.com" as the same email address. | |||
| Some providers also treat dots (".") as optional; for example, | Some providers also treat dots (".") as optional; for example, | |||
| "user.name@example.com", "username@example.com", | "user.name@example.com", "username@example.com", | |||
| "u.s.e.r.name@example.com", and "u.s.e.r.n.a.m.e@example.com" might | "u.s.e.r.name@example.com", and "u.s.e.r.n.a.m.e@example.com" might | |||
| all be treated as equivalent. This has led users to view these | all be treated as equivalent. This has led users to view these | |||
| strings as equivalent, driving service providers to implement | strings as equivalent, driving service providers to implement | |||
| proprietary email canonicalization algorithms to ensure that email | proprietary email canonicalization algorithms to ensure that email | |||
| addresses entered by users resolve to the same canonical string. | addresses entered by users resolve to the same canonical string. | |||
| Email canonicalization is not standardized, and there is no way for | Email canonicalization is not standardized, and there is no way for | |||
| the event recipient to determine the mail provider’s canonicalization | the event recipient to determine the mail provider's canonicalization | |||
| method. Therefore, the recipient SHOULD apply its own | method. Therefore, the recipient SHOULD apply its own | |||
| canonicalization algorithm to incoming events that reproduces the | canonicalization algorithm to incoming events in order to reproduce | |||
| translation done by the local email system. | the translation done by the local email system. | |||
| 3.2.3. Issuer and Subject Identifier Format | 3.2.3. Issuer and Subject Identifier Format | |||
| The Issuer and Subject Identifier Format identifies a subject using a | The Issuer and Subject Identifier Format identifies a subject using a | |||
| pair of "iss" and "sub" members, analogous to how subjects are | pair of "iss" and "sub" members, analogous to how subjects are | |||
| identified using the "iss" and "sub" claims in OpenID Connect | identified using the JWT "iss" and "sub" Claims in OpenID Connect | |||
| [OpenID.Core] ID Tokens. These members MUST follow the formats of | [OpenID.Core] ID Tokens. These members MUST follow the formats of | |||
| the "iss" member and "sub" member defined by [RFC7519], respectively. | the "iss" member and "sub" member defined by [RFC7519], respectively. | |||
| Both the "iss" member and the "sub" member are REQUIRED and MUST NOT | Both the "iss" member and the "sub" member are REQUIRED and MUST NOT | |||
| be null or empty. The Issuer and Subject Identifier Format is | be null or empty. The Issuer and Subject Identifier Format is | |||
| identified by the name "iss_sub". | identified by the name "iss_sub". | |||
| Below is a non-normative example Subject Identifier in the Issuer and | Below is a non-normative example Subject Identifier in the Issuer and | |||
| Subject Identifier Format: | Subject Identifier Format: | |||
| { | { | |||
| skipping to change at page 9, line 9 ¶ | skipping to change at line 356 ¶ | |||
| "sub": "145234573" | "sub": "145234573" | |||
| } | } | |||
| Figure 6: Example: Subject Identifier in the Issuer and Subject | Figure 6: Example: Subject Identifier in the Issuer and Subject | |||
| Identifier Format | Identifier Format | |||
| 3.2.4. Opaque Identifier Format | 3.2.4. Opaque Identifier Format | |||
| The Opaque Identifier Format describes a subject that is identified | The Opaque Identifier Format describes a subject that is identified | |||
| with a string with no semantics asserted beyond its usage as an | with a string with no semantics asserted beyond its usage as an | |||
| identifier for the subject, such as a UUID or hash used as a | identifier for the subject, such as a Universally Unique Identifier | |||
| surrogate identifier for a record in a database. Subject Identifiers | (UUID) or hash used as a surrogate identifier for a record in a | |||
| in this format MUST contain an "id" member whose value is a JSON | database. Subject Identifiers in this format MUST contain an "id" | |||
| string containing the opaque string identifier for the subject. The | member whose value is a JSON string containing the opaque string | |||
| "id" member is REQUIRED and MUST NOT be null or empty. The Opaque | identifier for the subject. The "id" member is REQUIRED and MUST NOT | |||
| Identifier Format is identified by the name "opaque". | be null or empty. The Opaque Identifier Format is identified by the | |||
| name "opaque". | ||||
| Below is a non-normative example Subject Identifier in the Opaque | Below is a non-normative example Subject Identifier in the Opaque | |||
| Identifier Format: | Identifier Format: | |||
| { | { | |||
| "format": "opaque", | "format": "opaque", | |||
| "id": "11112222333344445555" | "id": "11112222333344445555" | |||
| } | } | |||
| Figure 7: Example: Subject Identifier in the Opaque Identifier Format | Figure 7: Example: Subject Identifier in the Opaque Identifier Format | |||
| 3.2.5. Phone Number Identifier Format | 3.2.5. Phone Number Identifier Format | |||
| The Phone Number Identifier Format identifies a subject using a | The Phone Number Identifier Format identifies a subject using a | |||
| telephone number. Subject Identifiers in this format MUST contain a | telephone number. Subject Identifiers in this format MUST contain a | |||
| "phone_number" member whose value is a string containing the full | "phone_number" member whose value is a string containing the full | |||
| telephone number of the subject, including international dialing | telephone number of the subject, including an international dialing | |||
| prefix, formatted according to E.164 [E164]. The "phone_number" | prefix, formatted according to E.164 [E164]. The "phone_number" | |||
| member is REQUIRED and MUST NOT be null or empty. The Phone Number | member is REQUIRED and MUST NOT be null or empty. The Phone Number | |||
| Identifier Format is identified by the name "phone_number". | Identifier Format is identified by the name "phone_number". | |||
| Below is a non-normative example Subject Identifier in the Email | Below is a non-normative example Subject Identifier in the Phone | |||
| Identifier Format: | Number Identifier Format: | |||
| { | { | |||
| "format": "phone_number", | "format": "phone_number", | |||
| "phone_number": "+12065550100" | "phone_number": "+12065550100" | |||
| } | } | |||
| Figure 8: Example: Subject Identifier in the Phone Number | Figure 8: Example: Subject Identifier in the Phone Number | |||
| Identifier Format | Identifier Format | |||
| 3.2.6. Decentralized Identifier (DID) Format | 3.2.6. Decentralized Identifier (DID) Format | |||
| The Decentralized Identifier Format identifies a subject using a | The Decentralized Identifier (DID) Format identifies a subject using | |||
| Decentralized Identifier (DID) URL as defined in [DID]. Subject | a DID URL as defined in [DID]. Subject Identifiers in this format | |||
| Identifiers in this format MUST contain a "URL" member whose value is | MUST contain a "url" member whose value is a DID URL for the DID | |||
| a DID URL for the DID Subject being identified. The value of the | Subject being identified. The value of the "url" member MUST be a | |||
| "url" member MUST be a valid DID URL and MAY be a bare DID. The | valid DID URL and MAY be a bare DID. The "url" member is REQUIRED | |||
| "url" member is REQUIRED and MUST NOT be null or empty. The | and MUST NOT be null or empty. The Decentralized Identifier Format | |||
| Decentralized Identifier Format is identified by the name "did". | is identified by the name "did". | |||
| Below are non-normative example Subject Identifiers for the | Below are non-normative example Subject Identifiers for the | |||
| Decentralized Identifier Format: | Decentralized Identifier Format: | |||
| { | { | |||
| "format": "did", | "format": "did", | |||
| "url": "did:example:123456" | "url": "did:example:123456" | |||
| } | } | |||
| Figure 9: Example: Subject Identifier for the Decentralized | Figure 9: Example: Subject Identifier for the Decentralized | |||
| Identifier Format, identifying a subject with a bare DID | Identifier Format, Identifying a Subject with a Bare DID | |||
| { | { | |||
| "format": "did", | "format": "did", | |||
| "url": "did:example:123456/did/url/path?versionId=1" | "url": "did:example:123456/did/url/path?versionId=1" | |||
| } | } | |||
| Figure 10: Example: Subject Identifier for the Decentralized | Figure 10: Example: Subject Identifier for the Decentralized | |||
| Identifier Format, identifying a subject with a DID URL with non- | Identifier Format, Identifying a Subject with a DID URL with Non- | |||
| empty path and query components | empty Path and Query Components | |||
| 3.2.7. Uniform Resource Identifier (URI) Format | 3.2.7. Uniform Resource Identifier (URI) Format | |||
| The Uniform Resource Identifier (URI) Format identifies a subject | The Uniform Resource Identifier (URI) Format identifies a subject | |||
| using a URI as defined in [RFC3986]. This identifier format makes no | using a URI as defined in [RFC3986]. This Identifier Format makes no | |||
| assumptions or guarantees with regard to the content, scheme, or | assumptions or guarantees with regard to the content, scheme, or | |||
| reachability of the URI within the field. Subject Identifiers in | reachability of the URI within the field. Subject Identifiers in | |||
| this format MUST contain a "uri" member whose value is a URI for the | this format MUST contain a "uri" member whose value is a URI for the | |||
| subject being identified. The "uri" member is REQUIRED and MUST NOT | subject being identified. The "uri" member is REQUIRED and MUST NOT | |||
| be null or empty. The URI format is identified by the name "uri". | be null or empty. The URI Format is identified by the name "uri". | |||
| Below are non-normative example Subject Identifiers for the URI | Below are non-normative example Subject Identifiers for the URI | |||
| format: | Format: | |||
| { | { | |||
| "format": "uri", | "format": "uri", | |||
| "uri": "https://user.example.com/" | "uri": "https://user.example.com/" | |||
| } | } | |||
| Figure 11: Example: Subject Identifier for the URI Format, | Figure 11: Example: Subject Identifier for the URI Format, | |||
| identifying a subject with a website URI | Identifying a Subject with a Website URI | |||
| { | { | |||
| "format": "uri", | "format": "uri", | |||
| "uri": "urn:uuid:4e851e98-83c4-4743-a5da-150ecb53042f" | "uri": "urn:uuid:4e851e98-83c4-4743-a5da-150ecb53042f" | |||
| } | } | |||
| Figure 12: Example: Subject Identifier for the URI Format, | Figure 12: Example: Subject Identifier for the URI Format, | |||
| identifying a subject with a random URN | Identifying a Subject with a Random URN | |||
| 3.2.8. Aliases Identifier Format | 3.2.8. Aliases Identifier Format | |||
| The Aliases Identifier Format describes a subject that is identified | The Aliases Identifier Format describes a subject that is identified | |||
| with a list of different Subject Identifiers. It is intended for use | with a list of different Subject Identifiers. It is intended for use | |||
| when a variety of identifiers have been shared with the party that | when a variety of identifiers have been shared with the party that | |||
| will be interpreting the Subject Identifier, and it is unknown which | will be interpreting the Subject Identifier, and it is unknown which | |||
| of those identifiers they will recognize or support. Subject | of those identifiers they will recognize or support. Subject | |||
| Identifiers in this format MUST contain an "identifiers" member whose | Identifiers in this format MUST contain an "identifiers" member whose | |||
| value is a JSON array containing one or more Subject Identifiers. | value is a JSON array containing one or more Subject Identifiers. | |||
| Each Subject Identifier in the array MUST identify the same entity. | Each Subject Identifier in the array MUST identify the same entity. | |||
| The "identifiers" member is REQUIRED and MUST NOT be null or empty. | The "identifiers" member is REQUIRED and MUST NOT be null or empty. | |||
| It MAY contain multiple instances of the same Identifier Format | It MAY contain multiple instances of the same Identifier Format | |||
| (e.g., multiple Email Subject Identifiers), but SHOULD NOT contain | (e.g., multiple Email Subject Identifiers) but SHOULD NOT contain | |||
| exact duplicates. This format is identified by the name "aliases". | exact duplicates. This format is identified by the name "aliases". | |||
| "aliases" Subject Identifiers MUST NOT be nested; i.e., the | "aliases" Subject Identifiers MUST NOT be nested, i.e., the | |||
| "identifiers" member of an "aliases" Subject Identifier MUST NOT | "identifiers" member of an "aliases" Subject Identifier MUST NOT | |||
| contain a Subject Identifier in the "aliases" format. | contain a Subject Identifier in the Aliases Identifier Format. | |||
| Below is a non-normative example Subject Identifier in the Aliases | Below is a non-normative example Subject Identifier in the Aliases | |||
| Identifier Format: | Identifier Format: | |||
| { | { | |||
| "format": "aliases", | "format": "aliases", | |||
| "identifiers": [ | "identifiers": [ | |||
| { | { | |||
| "format": "email", | "format": "email", | |||
| "email": "user@example.com" | "email": "user@example.com" | |||
| skipping to change at page 12, line 28 ¶ | skipping to change at line 499 ¶ | |||
| "email": "user+qualifier@example.com" | "email": "user+qualifier@example.com" | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| Figure 13: Example: Subject Identifier in the Aliases Identifier | Figure 13: Example: Subject Identifier in the Aliases Identifier | |||
| Format | Format | |||
| 4. Subject Identifiers in JWTs | 4. Subject Identifiers in JWTs | |||
| 4.1. sub_id Claim | 4.1. JWT "sub_id" Claim | |||
| The "sub" JWT Claim is defined in Section 4.1.2 of [RFC7519] as | The JWT "sub" Claim is defined in Section 4.1.2 of [RFC7519] as | |||
| containing a string value, and therefore cannot contain a Subject | containing a string value; therefore, it cannot contain a Subject | |||
| Identifier (which is a JSON object) as its value. This document | Identifier (which is a JSON object) as its value. This document | |||
| defines the "sub_id" JWT Claim, in accordance with Section 4.2 of | defines the JWT "sub_id" Claim, in accordance with Section 4.2 of | |||
| [RFC7519], as a common claim that identifies the JWT Subject using a | [RFC7519], as a common claim that identifies the JWT Subject using a | |||
| Subject Identifier. When present, the value of this claim MUST be a | Subject Identifier. When present, the value of this claim MUST be a | |||
| Subject Identifier that identifies the subject of the JWT. The | Subject Identifier that identifies the subject of the JWT. The JWT | |||
| "sub_id" claim MAY be included in a JWT, whether or not the "sub" | "sub_id" Claim MAY be included in a JWT, whether or not the JWT "sub" | |||
| claim is present. When both the "sub" and "sub_id" claims are | Claim is present. When both the JWT "sub" and "sub_id" Claims are | |||
| present in a JWT, they MUST identify the same subject, as a JWT has | present in a JWT, they MUST identify the same subject, as a JWT has | |||
| one and only one JWT Subject. | one and only one JWT Subject. | |||
| When processing a JWT with both "sub" and "sub_id" claims, | When processing a JWT with both JWT "sub" and "sub_id" Claims, | |||
| implementations MUST NOT rely on both claims to determine the JWT | implementations MUST NOT rely on both claims to determine the JWT | |||
| Subject. An implementation MAY attempt to determine the JWT Subject | Subject. An implementation MAY attempt to determine the JWT Subject | |||
| from one claim and fall back to using the other if it determines it | from one claim and fall back to using the other if it determines it | |||
| does not understand the format of the first claim. For example, an | does not understand the format of the first claim. For example, an | |||
| implementation may attempt to use "sub_id", and fall back to using | implementation may attempt to use "sub_id" and fall back to using | |||
| "sub" upon finding that "sub_id" contains a Subject Identifier whose | "sub" upon finding that "sub_id" contains a Subject Identifier with a | |||
| format is not recognized by the implementation. | format that is not recognized by the implementation. | |||
| Below are non-normative examples of JWTs containing the "sub_id" | Below are non-normative examples of JWTs containing the JWT "sub_id" | |||
| claim: | Claim: | |||
| { | { | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub_id": { | "sub_id": { | |||
| "format": "email", | "format": "email", | |||
| "email": "user@example.com" | "email": "user@example.com" | |||
| } | } | |||
| } | } | |||
| Figure 14: Example: JWT containing a "sub_id" claim and no "sub" | Figure 14: Example: JWT Containing a JWT "sub_id" Claim and No | |||
| claim | "sub" Claim | |||
| { | { | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub": "user@example.com", | "sub": "user@example.com", | |||
| "sub_id": { | "sub_id": { | |||
| "format": "email", | "format": "email", | |||
| "email": "user@example.com" | "email": "user@example.com" | |||
| } | } | |||
| } | } | |||
| Figure 15: Example: JWT where both the "sub" and "sub_id" claims | Figure 15: Example: JWT Where the JWT "sub" and "sub_id" Claims | |||
| identify the JWT Subject using the same identifier | Identify the JWT Subject Using the Same Identifier | |||
| { | { | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub": "liz@example.com", | "sub": "liz@example.com", | |||
| "sub_id": { | "sub_id": { | |||
| "format": "email", | "format": "email", | |||
| "email": "elizabeth@example.com" | "email": "elizabeth@example.com" | |||
| } | } | |||
| } | } | |||
| Figure 16: Example: JWT where both the "sub" and "sub_id" claims | Figure 16: Example: JWT Where the JWT "sub" and "sub_id" Claims | |||
| identify the JWT Subject using different values of the same | Identify the JWT Subject Using Different Values of the Same | |||
| identifier type | Identifier Type | |||
| { | { | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub": "user@example.com", | "sub": "user@example.com", | |||
| "sub_id": { | "sub_id": { | |||
| "format": "account", | "format": "account", | |||
| "uri": "acct:example.user@service.example.com" | "uri": "acct:example.user@service.example.com" | |||
| } | } | |||
| } | } | |||
| Figure 17: Example: JWT where the "sub" and "sub_id" claims | Figure 17: Example: JWT Where the JWT "sub" and "sub_id" Claims | |||
| identify the JWT Subject via different types of identifiers | Identify the JWT Subject via Different Types of Identifiers | |||
| 4.2. sub_id and iss_sub Subject Identifiers | 4.2. JWT "sub_id" Claim and "iss_sub" Subject Identifier | |||
| The "sub_id" claim MAY contain an "iss_sub" Subject Identifier. In | The JWT "sub_id" Claim MAY contain an "iss_sub" Subject Identifier. | |||
| this case, the JWT's "iss" claim and the Subject Identifier's "iss" | In this case, the JWT's "iss" Claim and the Subject Identifier's | |||
| member MAY be different. For example, in OpenID Connect | "iss" member MAY be different. For example, an OpenID Connect | |||
| [OpenID.Core] client may construct such a JWT when sending JWTs back | [OpenID.Core] client may construct such a JWT when sending JWTs back | |||
| to its OpenID Connect Identity Provider, in order to identify the JWT | to its OpenID Connect Identity Provider in order to identify the JWT | |||
| Subject using an identifier known to be understood by both parties. | Subject using an identifier known to be understood by both parties. | |||
| Similarly, the JWT's "sub" claim and the Subject Identifier's "sub" | Similarly, the JWT's "sub" Claim and the Subject Identifier's "sub" | |||
| member MAY be different. For example, this may be used by an OpenID | member MAY be different. For example, this may be used by an OpenID | |||
| Connect client to communicate the JWT Subject's local identifier at | Connect client to communicate the JWT Subject's local identifier at | |||
| the client back to its Identity Provider. | the client back to its Identity Provider. | |||
| Below are non-normative examples of a JWT where the "iss" claim and | Below are non-normative examples of a JWT where the JWT "iss" Claim | |||
| "iss" member within the "sub_id" claim are the same, and a JWT where | and "iss" member within the JWT "sub_id" Claim are the same and a JWT | |||
| they are different. | where they are different. | |||
| { | { | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub_id": { | "sub_id": { | |||
| "format": "iss_sub", | "format": "iss_sub", | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub": "example_user" | "sub": "example_user" | |||
| } | } | |||
| } | } | |||
| Figure 18: Example: JWT with an "iss_sub" Subject Identifier | Figure 18: Example: JWT with an "iss_sub" Subject Identifier | |||
| where JWT issuer and JWT Subject issuer are the same | Where the JWT Issuer and JWT Subject Issuer Are the Same | |||
| { | { | |||
| "iss": "client.example.com", | "iss": "client.example.com", | |||
| "sub_id": { | "sub_id": { | |||
| "format": "iss_sub", | "format": "iss_sub", | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub": "example_user" | "sub": "example_user" | |||
| } | } | |||
| } | } | |||
| Figure 19: Example: JWT with an "iss_sub" Subject Identifier | Figure 19: Example: JWT with an "iss_sub" Subject Identifier | |||
| where the JWT issuer and JWT Subject issuer are different | Where the JWT Issuer and JWT Subject Issuer Are Different | |||
| { | { | |||
| "iss": "client.example.com", | "iss": "client.example.com", | |||
| "sub": "client_user", | "sub": "client_user", | |||
| "sub_id": { | "sub_id": { | |||
| "format": "iss_sub", | "format": "iss_sub", | |||
| "iss": "issuer.example.com", | "iss": "issuer.example.com", | |||
| "sub": "example_user" | "sub": "example_user" | |||
| } | } | |||
| } | } | |||
| Figure 20: Example: JWT with an "iss_sub" Subject Identifier | Figure 20: Example: JWT with an "iss_sub" Subject Identifier | |||
| where the JWT "iss" and "sub" claims differ from the JWT | Where the JWT "iss" and "sub" Claims Differ from the JWT | |||
| Subject's "iss" and "sub" members | Subject's "iss" and "sub" Members | |||
| 5. Considerations for Specifications that Define Identifier Formats | 5. Considerations for Specifications that Define Identifier Formats | |||
| Identifier Format definitions MUST NOT make assertions or | Identifier Format definitions MUST NOT make assertions or | |||
| declarations regarding the subject being identified by the Subject | declarations regarding the subject being identified by the Subject | |||
| Identifier (e.g., an Identifier Format cannot be defined as | Identifier (e.g., an Identifier Format cannot be defined as | |||
| specifically identifying human end users), as such statements are | specifically identifying human end users). Such statements are | |||
| outside the scope of Identifier Formats and Subject Identifiers, and | outside the scope of Identifier Formats and Subject Identifiers. | |||
| expanding that scope for some Identifier Formats but not others would | Expanding that scope for some Identifier Formats but not others would | |||
| harm interoperability, as applications that depend on this expanded | harm interoperability because applications that depend on this | |||
| scope to disambiguate the subject type would be unable to use | expanded scope to disambiguate the subject type would be unable to | |||
| Identifier Formats that do not provide such rules. | use Identifier Formats that do not provide such rules. | |||
| 6. Privacy Considerations | 6. Privacy Considerations | |||
| 6.1. Identifier Correlation | 6.1. Identifier Correlation | |||
| The act of presenting two or more identifiers for a single subject | The act of presenting two or more identifiers for a single subject | |||
| together (e.g., within an "aliases" Subject Identifier, or via the | together (e.g., within an "aliases" Subject Identifier or via the JWT | |||
| "sub" and "sub_id" JWT claims) may communicate more information about | "sub" and "sub_id" Claims) may communicate more information about the | |||
| the subject than was intended. For example, the entity to which the | subject than was intended. For example, the entity to which the | |||
| identifiers are presented now knows that both identifiers relate to | identifiers are presented now knows that both identifiers relate to | |||
| the same subject, and may be able to correlate additional data based | the same subject and may be able to correlate additional data based | |||
| on that. When transmitting Subject Identifiers, the transmitter | on that. When transmitting Subject Identifiers, the transmitter | |||
| SHOULD take care that they are only transmitting multiple identifiers | SHOULD take care that they are only transmitting multiple identifiers | |||
| together when it is known that the recipient already knows that the | together when it is known that the recipient already knows that the | |||
| identifiers are related (e.g., because they were previously sent to | identifiers are related (e.g., because they were previously sent to | |||
| the recipient as claims in an OpenID Connect ID Token), or when | the recipient as claims in an OpenID Connect ID Token) or when | |||
| correlation is essential to the use case. Implementers must consider | correlation is essential to the use case. Implementers must consider | |||
| such risks, and specifications that use subject identifiers must | such risks, and specifications that use Subject Identifiers must | |||
| provide appropriate privacy considerations of their own. | provide appropriate privacy considerations of their own. | |||
| The considerations described in Section 6 of [RFC8417] also apply | The considerations described in Section 6 of [RFC8417] also apply | |||
| when Subject Identifiers are used within SETs. The considerations | when Subject Identifiers are used within SETs. The considerations | |||
| described in Section 12 of [RFC7519] also apply when Subject | described in Section 12 of [RFC7519] also apply when Subject | |||
| Identifiers are used within JWTs. | Identifiers are used within JWTs. | |||
| 7. Security Considerations | 7. Security Considerations | |||
| This specification does not define any mechanism for ensuring the | This specification does not define any mechanism for ensuring the | |||
| confidentiality or integrity of a Subject Identifier. Where such | confidentiality or integrity of a Subject Identifier. Where such | |||
| properties are required, implementations MUST use mechanisms provided | properties are required, implementations MUST use mechanisms provided | |||
| by the containing format (e.g., integrity protecting SETs or JWTs | by the containing format (e.g., integrity protecting SETs or JWTs | |||
| using JWS [RFC7515]), or at the transport layer or other layer in the | using JSON Web Signature (JWS) [RFC7515]) or at the transport layer | |||
| application stack (e.g., using TLS [RFC8446]). | or other layer in the application stack (e.g., using TLS [RFC8446]). | |||
| Further considerations regarding confidentiality and integrity of | Further considerations regarding confidentiality and integrity of | |||
| SETs can be found in Section 5.1 of [RFC8417]. | SETs can be found in Section 5.1 of [RFC8417]. | |||
| 8. IANA Considerations | 8. IANA Considerations | |||
| 8.1. Security Event Identifier Formats Registry | 8.1. Security Event Identifier Formats Registry | |||
| This document defines Identifier Formats, for which IANA is asked to | This document defines Identifier Formats, for which IANA has created | |||
| create and maintain a new registry titled "Security Event Identifier | and maintains a new registry titled "Security Event Identifier | |||
| Formats". Initial values for the Security Event Identifier Formats | Formats". Initial values for the "Security Event Identifier Formats" | |||
| registry are given in Section 3. Future assignments are to be made | registry are given in Section 3. Future assignments are to be made | |||
| through the Specification Required registration policy [BCP26] and | through the Specification Required registration policy [BCP26] and | |||
| shall follow the template presented in Section 8.1.2. | shall follow the template presented in Section 8.1.1. | |||
| It is suggested that multiple Designated Experts be appointed who are | It is suggested that multiple designated experts be appointed who are | |||
| able to represent the perspectives of different applications using | able to represent the perspectives of different applications using | |||
| this specification, in order to enable broadly informed review of | this specification in order to enable broadly informed review of | |||
| registration decisions. | registration decisions. | |||
| 8.1.1. Registry Location | 8.1.1. Registration Template | |||
| (This section to be removed by the RFC Editor before publication as | ||||
| an RFC.) | ||||
| The authors recommend that the Identifier Formats registry be located | ||||
| at https://www.iana.org/assignments/secevent/. | ||||
| 8.1.2. Registration Template | ||||
| Format Name | Format Name: | |||
| The name of the Identifier Format, as described in Section 3. The | The name of the Identifier Format, as described in Section 3. The | |||
| name MUST be an ASCII string consisting only of lower-case | name MUST be an ASCII string consisting only of lowercase | |||
| characters ("a" - "z"), digits ("0" - "9"), underscores ("_"), and | characters ("a" - "z"), digits ("0" - "9"), underscores ("_"), and | |||
| hyphens ("-"), and SHOULD NOT exceed 20 characters in length. | hyphens ("-") and SHOULD NOT exceed 20 characters in length. | |||
| Format Description | Format Description: | |||
| A brief description of the Identifier Format. | A brief description of the Identifier Format. | |||
| Change Controller | Change Controller: | |||
| For formats defined in documents published by the IETF or its | For formats defined in documents published by the IETF or its | |||
| working groups, list "IETF". For all other formats, list the name | working groups, list "IETF". For all other formats, list the name | |||
| of the party responsible for the registration. Contact | of the party responsible for the registration. Contact | |||
| information such as mailing address, email address, or phone | information, such as mailing address, email address, or phone | |||
| number must also be provided. | number, must also be provided. | |||
| Defining Document(s) | Reference: | |||
| A reference to the document or documents that define the | A reference to the document or documents that define the | |||
| Identifier Format. The reference document(s) MUST specify the | Identifier Format. The reference document(s) MUST specify the | |||
| name, format,and meaning of each member that may occur within a | name, format, and meaning of each member that may occur within a | |||
| Subject Identifier of the defined format, as well as whether each | Subject Identifier of the defined format as well as whether each | |||
| member is optional, required or conditional, and the circumstances | member is optional, required, or conditional and the circumstances | |||
| under which these optional or conditional fields would be used. | under which these optional or conditional fields would be used. | |||
| URIs that can be used to retrieve copies of each document SHOULD | URIs that can be used to retrieve copies of each document SHOULD | |||
| be included. | be included. | |||
| 8.1.3. Initial Registry Contents | 8.1.2. Initial Registry Contents | |||
| 8.1.3.1. Account Identifier Format | ||||
| * Format Name: "account" | ||||
| * Format Description: Subject identifier based on acct URI. | ||||
| * Change Controller: IETF | ||||
| * Defining Document(s): Section 3 of this document. | ||||
| 8.1.3.2. Email Identifier Format | ||||
| * Format Name: email | ||||
| * Format Description: Subject identifier based on email address. | ||||
| * Change Controller: IETF | ||||
| * Defining Document(s): Section 3 of this document. | ||||
| 8.1.3.3. Issuer and Subject Identifier Format | ||||
| * Format Name: "iss_sub" | ||||
| * Format Description: Subject identifier based on an issuer and | ||||
| subject. | ||||
| * Change Controller: IETF | ||||
| * Defining Document(s): Section 3 of this document. | ||||
| 8.1.3.4. Opaque Identifier Format | ||||
| * Format Name: "opaque" | ||||
| * Format Description: Subject identifier based on an opaque string. | ||||
| * Change Controller: IETF | ||||
| * Defining Document(s): Section 3 of this document. | ||||
| 8.1.3.5. Phone Number Identifier Format | ||||
| * Format Name: "phone_number" | ||||
| * Format Description: Subject identifier based on an phone number. | ||||
| * Change Controller: IETF | 8.1.2.1. Account Identifier Format | |||
| * Defining Document(s): Section 3 of this document. | Format Name: account | |||
| Format Description: Subject Identifier based on "acct" URI | ||||
| Change Controller: IETF | ||||
| Reference: Section 3 of RFC 9493 | ||||
| 8.1.3.6. Decentralized Identifier Format | 8.1.2.2. Email Identifier Format | |||
| * Format Name: "did" | Format Name: email | |||
| Format Description: Subject Identifier based on an email address | ||||
| Change Controller: IETF | ||||
| Reference: Section 3 of RFC 9493 | ||||
| * Format Description: Subject identifier based on a decentralized | 8.1.2.3. Issuer and Subject Identifier Format | |||
| identifier (DID). | ||||
| * Change Controller: IETF | Format Name: iss_sub | |||
| Format Description: Subject Identifier based on an issuer and | ||||
| subject | ||||
| Change Controller: IETF | ||||
| Reference: Section 3 of RFC 9493 | ||||
| * Defining Document(s): Section 3 of this document. | 8.1.2.4. Opaque Identifier Format | |||
| 8.1.3.7. Uniform Resource Identifier Format | Format Name: opaque | |||
| Format Description: Subject Identifier based on an opaque string | ||||
| Change Controller: IETF | ||||
| Reference: Section 3 of RFC 9493 | ||||
| * Format Name: "uri" | 8.1.2.5. Phone Number Identifier Format | |||
| * Format Description: Subject identifier based on a uniform resource | Format Name: phone_number | |||
| identifier (URI). | Format Description: Subject Identifier based on a phone number | |||
| Change Controller: IETF | ||||
| Reference: Section 3 of RFC 9493 | ||||
| * Change Controller: IETF | 8.1.2.6. Decentralized Identifier Format | |||
| * Defining Document(s): Section 3 of this document. | Format Name: did | |||
| Format Description: Subject Identifier based on a decentralized | ||||
| identifier (DID) | ||||
| Change Controller: IETF | ||||
| Reference: Section 3 of RFC 9493 | ||||
| 8.1.3.8. Aliases Identifier Format | 8.1.2.7. Uniform Resource Identifier Format | |||
| * Format Name: "aliases" | ||||
| * Format Description: Subject identifier that groups together | Format Name: uri | |||
| multiple different subject identifiers for the same subject. | Format Description: Subject Identifier based on a Uniform Resource | |||
| Identifier (URI) | ||||
| Change Controller: IETF | ||||
| Reference: Section 3 of RFC 9493 | ||||
| * Change Controller: IETF | 8.1.2.8. Aliases Identifier Format | |||
| * Defining Document(s): Section 3 of this document. | Format Name: aliases | |||
| Format Description: Subject Identifier that groups together multiple | ||||
| different Subject Identifiers for the same subject | ||||
| Change Controller: IETF | ||||
| Reference: Section 3 of RFC 9493 | ||||
| 8.1.4. Guidance for Expert Reviewers | 8.1.3. Guidance for Expert Reviewers | |||
| The Expert Reviewer is expected to review the documentation | The Expert Reviewer is expected to review the documentation | |||
| referenced in a registration request to verify its completeness. The | referenced in a registration request to verify its completeness. The | |||
| Expert Reviewer must base their decision to accept or reject the | Expert Reviewer must base their decision to accept or reject the | |||
| request on a fair and impartial assessment of the request. If the | request on a fair and impartial assessment of the request. If the | |||
| Expert Reviewer has a conflict of interest, such as being an author | Expert Reviewer has a conflict of interest, such as being an author | |||
| of a defining document referenced by the request, they must recuse | of a defining document referenced by the request, they must recuse | |||
| themselves from the approval process for that request. | themselves from the approval process for that request. | |||
| Identifier Formats need not be generally applicable and may be highly | Identifier Formats need not be generally applicable and may be highly | |||
| specific to a particular domain; it is expected that formats may be | specific to a particular domain; it is expected that formats may be | |||
| registered for niche or industry-specific use cases. The Expert | registered for niche or industry-specific use cases. The Expert | |||
| Reviewer should focus on whether the format is thoroughly documented, | Reviewer should focus on whether the format is thoroughly documented | |||
| and whether its registration will promote or harm interoperability. | and whether its registration will promote or harm interoperability. | |||
| In most cases, the Expert Reviewer should not approve a request if | In most cases, the Expert Reviewer should not approve a request if | |||
| the registration would contribute to confusion, or amount to a | the registration would contribute to confusion or amount to a synonym | |||
| synonym for an existing format. | for an existing format. | |||
| 8.2. JSON Web Token Claims Registration | 8.2. JSON Web Token Claims Registration | |||
| This document defines the sub_id JWT Claim, which IANA is asked to | This document defines the JWT "sub_id" Claim, which IANA has | |||
| register in the "JSON Web Token Claims" registry IANA JSON Web Token | registered in the "JSON Web Token Claims" registry [IANA.JWT.Claims] | |||
| Claims Registry [IANA.JWT.Claims] established by [RFC7519]. | established by [RFC7519]. | |||
| 8.2.1. Registry Contents | 8.2.1. Registry Contents | |||
| * Claim Name: "sub_id" | Claim Name: sub_id | |||
| Claim Description: Subject Identifier | ||||
| * Claim Description: Subject Identifier | Change Controller: IETF | |||
| Reference: Section 4.1 of RFC 9493 | ||||
| * Change Controller: IETF | ||||
| * Specification Document(s): Section 4.1 of this document. | ||||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [BCP26] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | [BCP26] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | |||
| Writing an IANA Considerations Section in RFCs", BCP 26, | Writing an IANA Considerations Section in RFCs", BCP 26, | |||
| RFC 8126, DOI 10.17487/RFC8126, June 2017, | RFC 8126, June 2017. | |||
| <https://www.rfc-editor.org/info/rfc8126>. | ||||
| [DID] World Wide Web Consortium (W3C), "Decentralized | <https://www.rfc-editor.org/info/bcp26> | |||
| Identifiers (DIDs) v1.0", 2021, | ||||
| [DID] Sporny, M., Ed., Guy, A., Ed., Sabadello, M., Ed., Reed, | ||||
| D., Ed., Longley, D., Steele, O., and C. Allen, | ||||
| "Decentralized Identifiers (DIDs) v1.0", July 2022, | ||||
| <https://www.w3.org/TR/did-core/>. | <https://www.w3.org/TR/did-core/>. | |||
| [E164] International Telecommunication Union, "The international | [E164] ITU-T, "E.164: The international public telecommunication | |||
| public telecommunication numbering plan", 2010, | numbering plan", ITU-T Recommendation E.164, November | |||
| <https://www.itu.int/rec/T-REC-E.164-201011-I/en>. | 2010, <https://www.itu.int/rec/T-REC-E.164-201011-I/en>. | |||
| [IANA.JWT.Claims] | [IANA.JWT.Claims] | |||
| IANA, "JSON Web Token Claims", n.d., | IANA, "JSON Web Token Claims", | |||
| <https://www.iana.org/assignments/jwt>. | <https://www.iana.org/assignments/jwt>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | |||
| Resource Identifier (URI): Generic Syntax", STD 66, | Resource Identifier (URI): Generic Syntax", STD 66, | |||
| RFC 3986, DOI 10.17487/RFC3986, January 2005, | RFC 3986, DOI 10.17487/RFC3986, January 2005, | |||
| skipping to change at page 20, line 48 ¶ | skipping to change at line 863 ¶ | |||
| <https://www.rfc-editor.org/info/rfc5322>. | <https://www.rfc-editor.org/info/rfc5322>. | |||
| [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | |||
| (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | |||
| <https://www.rfc-editor.org/info/rfc7519>. | <https://www.rfc-editor.org/info/rfc7519>. | |||
| [RFC7565] Saint-Andre, P., "The 'acct' URI Scheme", RFC 7565, | [RFC7565] Saint-Andre, P., "The 'acct' URI Scheme", RFC 7565, | |||
| DOI 10.17487/RFC7565, May 2015, | DOI 10.17487/RFC7565, May 2015, | |||
| <https://www.rfc-editor.org/info/rfc7565>. | <https://www.rfc-editor.org/info/rfc7565>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | ||||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | ||||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | ||||
| [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | |||
| Interchange Format", STD 90, RFC 8259, | Interchange Format", STD 90, RFC 8259, | |||
| DOI 10.17487/RFC8259, December 2017, | DOI 10.17487/RFC8259, December 2017, | |||
| <https://www.rfc-editor.org/info/rfc8259>. | <https://www.rfc-editor.org/info/rfc8259>. | |||
| [RFC8417] Hunt, P., Ed., Jones, M., Denniss, W., and M. Ansari, | [RFC8417] Hunt, P., Ed., Jones, M., Denniss, W., and M. Ansari, | |||
| "Security Event Token (SET)", RFC 8417, | "Security Event Token (SET)", RFC 8417, | |||
| DOI 10.17487/RFC8417, July 2018, | DOI 10.17487/RFC8417, July 2018, | |||
| <https://www.rfc-editor.org/info/rfc8417>. | <https://www.rfc-editor.org/info/rfc8417>. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [OpenID.Core] | [OpenID.Core] | |||
| Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and | Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and | |||
| C. Mortimore, "OpenID Connect Core 1.0", November 2014, | C. Mortimore, "OpenID Connect Core 1.0 incorporating | |||
| errata set 1", November 2014, | ||||
| <https://openid.net/specs/openid-connect-core-1_0.html>. | <https://openid.net/specs/openid-connect-core-1_0.html>. | |||
| [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", | |||
| STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, | |||
| <https://www.rfc-editor.org/info/rfc1034>. | <https://www.rfc-editor.org/info/rfc1034>. | |||
| [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | |||
| Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May | Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May | |||
| 2015, <https://www.rfc-editor.org/info/rfc7515>. | 2015, <https://www.rfc-editor.org/info/rfc7515>. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| Acknowledgements | Acknowledgements | |||
| The authors would like to thank the members of the IETF Security | The authors would like to thank the members of the IETF Security | |||
| Events working group, as well as those of the OpenID Shared Signals | Events Working Group, as well as those of the OpenID Shared Signals | |||
| and Events Working Group, whose work provided the original basis for | and Events Working Group, whose work provided the original basis for | |||
| this document. We would also like to acknowledge Aaron Parecki, | this document. We would also like to acknowledge Aaron Parecki, | |||
| Denis Pinkas, Justin Richer, Mike Jones and other members of the | Denis Pinkas, Justin Richer, Mike Jones, and other members of the | |||
| working group for reviewing this document. | working group for reviewing this document. | |||
| Change Log | ||||
| (This section to be removed by the RFC Editor before publication as | ||||
| an RFC.) | ||||
| Draft 00 - AB - First draft | ||||
| Draft 01 - AB: | ||||
| * Added reference to RFC 5322 for format of email claim. | ||||
| * Renamed iss_sub type to iss-sub. | ||||
| * Renamed id_token_claims type to id-token-claims. | ||||
| * Added text specifying the nature of the subjects described by each | ||||
| type. | ||||
| Draft 02 - AB: | ||||
| * Corrected format of phone numbers in examples. | ||||
| * Updated author info. | ||||
| Draft 03 - AB: | ||||
| * Added account type for acct URIs. | ||||
| * Replaced id-token-claims type with aliases type. | ||||
| * Added email canonicalization guidance. | ||||
| * Updated semantics for email, phone, and iss-sub types. | ||||
| Draft 04 - AB: | ||||
| * Added sub_id JWT Claim definition, guidance, examples. | ||||
| * Added text prohibiting aliases nesting. | ||||
| * Added privacy considerations for identifier correlation. | ||||
| Draft 05 - AB: | ||||
| * Renamed the phone type to phone-number and its phone claim to | ||||
| phone_number. | ||||
| Draft 06 - AB: | ||||
| * Replaced usage of the word "claim" to describe members of a | ||||
| Subject Identifier with the word "member", in accordance with | ||||
| terminology in RFC8259. | ||||
| * Renamed the phone-number type to phone_number and iss-sub to | ||||
| iss_sub. | ||||
| * Added normative requirements limiting the use of both sub and | ||||
| sub_id claims together when processing a JWT. | ||||
| * Clarified that identifier correlation may be acceptable when it is | ||||
| a core part of the use case. | ||||
| * Replaced references to OIDF with IETF in IANA Considerations. | ||||
| * Recommended the appointment of multiple Designated Experts, and a | ||||
| location for the Subject Identifier Types registry. | ||||
| * Added "_" to list of allowed characters in the Type Name for | ||||
| Subject Identifier Types. | ||||
| * Clarified that Subject Identifiers don't provide confidentiality | ||||
| or integrity protection. | ||||
| * Added references to SET, JWT privacy and security considerations. | ||||
| * Added section describing the difference between subject identifier | ||||
| type and principal type that hopefully clarifies things and | ||||
| doesn't just muddy the water further. | ||||
| Draft 07 - AB: | ||||
| * Emphasized that the spec is about identifiers, not the things they | ||||
| identify: | ||||
| - Renamed "Subject Identifier Type" to "Identifier Format". | ||||
| - Renamed subject_type to format. | ||||
| - Renamed "Security Event Subject Identifier Type Registry" to | ||||
| "Security Event Identifier Format Registry". | ||||
| - Added new section with guidance for specs defining Identifier | ||||
| Formats, with normative prohibition on formats that describe | ||||
| the subject itself, rather than the identifier. | ||||
| * Clarified the meaning of "subject": | ||||
| - Defined "subject" as applying generically and "JWT Subject" as | ||||
| applying specifically to the subject of a JWT. | ||||
| - Replaced most instances of the word "principal" with "subject". | ||||
| * Added opaque Identifier Format | ||||
| Draft 08 - JR, AB: | ||||
| * Added did Identifier Format | ||||
| * Alphabetized identifier format definitions | ||||
| * Replaced "type" with "format" in places that had been missed in | ||||
| the -07 change. (mostly IANA Considerations) | ||||
| * Miscellaneous editorial fixes | ||||
| Draft 09 - AB: | ||||
| * Miscellaneous editorial fixes | ||||
| Draft 10 - PJ: | ||||
| * Added author | ||||
| * Editorial nits | ||||
| Draft 11 - PJ: | ||||
| * Miscellaneous editorial fixes | ||||
| * Moved aliases to the last in identifier format definitions | ||||
| * Acknowledged individual reviewers | ||||
| Draft 12 - PJ: | ||||
| * Restore the DID format that was removed in -11 | ||||
| * Added a generic "URI" format | ||||
| * Normative advice on choosing the format | ||||
| Draft 13 - PJ: | ||||
| * Editorial nits found during AD review | ||||
| Draft 14 - PJ: | ||||
| * Fix IANA issues found during AD review | ||||
| Draft 15 - PJ: | ||||
| * Fix issues found during review | ||||
| Draft 16 - PJ: | ||||
| * Change controller updated to IETF | ||||
| Draft 17 -PJ: | ||||
| * Fixed nits identified during IESG reviews | ||||
| Draft 18 -PJ: | ||||
| * Fixed issues identified during IESG reviews | ||||
| Authors' Addresses | Authors' Addresses | |||
| Annabelle Backman (editor) | Annabelle Backman (editor) | |||
| Amazon | Amazon | |||
| Email: richanna@amazon.com | Email: richanna@amazon.com | |||
| Marius Scurtescu | Marius Scurtescu | |||
| Coinbase | Coinbase | |||
| Email: marius.scurtescu@coinbase.com | Email: marius.scurtescu@coinbase.com | |||
| End of changes. 117 change blocks. | ||||
| 494 lines changed or deleted | 301 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||