Comments (5)
tulshi
commented on June 13, 2024
Where do we specify in the SSF spec that a subject is required?
from sharedsignals.
FragLegs
commented on June 13, 2024
Hmm, those links have drifted. Sorry.
- We require them in 11.1.2
- They are listed as optional for Stream Updated Events in 7.1.5
- They are unmentioned in the Verification Events in 7.1.4.2
from sharedsignals.
scvenema
commented on June 13, 2024
Building on Shayne's concerns, §11.1.8.1 of the current framework draft seems to imply there is some unfinished business in harmonizing this SSF framework spec with the Subject Identifiers for SETs - draft 17 spec? I'm referring to the phrase, "The Shared Signals Framework is asking for further restrictions"...
We seem to have three different subject-like fields in play here:
- "sub" as defined in RFC 7519 §4.1.2
- "sub_id" as defined in §4.1 of the Subject Identifiers for SETs spec (draft 17)
- "subject" as defined in our SSF Frameworks draft spec, which is part of an event JWT claim, and requires the exclusion of "sub" (and "sub_id") usages for SETs
Plus a new term defined in the framework spec: "Subject Principal", which seems to overlap with the term "subject" used in the secevent specs.
It all seems a bit muddy to an SSF noob like me. I understand that "sub_id" is needed because the "sub" claim's value has type StringOrURI, while "sub_id" claim's value is a JSON object instead. I expect that there is some history behind all of this that I'm not aware of. But, at a minimum, I think we could add some additional non-normative explanatory text somewhere in the framework spec that clarifies these distinctions. I'd be happy to draft some text, but I think it might be useful to first discuss this on an upcoming WG call.
I'm happy to open this as a separate issue if desired.
from sharedsignals.
independentid
commented on June 13, 2024
Just an FYI item. The sub claim is problematic in the context of SET tokens for 2 major reasons:1 . Sub in a JWT was always defined in connection with an issuer. However, in OpenId if a client issues an event its “iss” value is different. This is why the subject identifier draft came about and why there is a format for this. 2. There is a security worry (not sure how legit it is) that a set might be confused as authorization. This is why rfc8417 recommends against using the “sub” claim. I would recommend implementers NOT use “sub” per 8417. PhilOn Jun 24, 2023, at 3:44 PM, Steve Venema ***@***.***> wrote:
Building on Shayne's concerns, §11.1.8.1 of the current framework draft seems to imply there is some unfinished business in harmonizing this SSF framework spec with the Subject Identifiers for SETs - draft 17 spec? I'm referring to the phrase, "The Shared Signals Framework is asking for further restrictions"...
We seem to have three different subject-like fields in play here:
"sub" as defined in RFC 7519 §4.1.2
"sub_id" as defined in §4.1 of the Subject Identifiers for SETs spec (draft 17)
"subject" as defined in our SSF Frameworks draft spec, which is part of an event JWT claim, and requires the exclusion of "sub" (and "sub_id") usages for SETs
Plus a new term defined in the framework spec: "Subject Principal", which seems to overlap with the term "subject" used in the secevent specs.
It all seems a bit muddy to an SSF noob like me. I understand that "sub_id" is needed because the "sub" claim's value has type StringOrURI, while "sub_id" claim's value is a JSON object instead. I expect that there is some history behind all of this that I'm not aware of. But, at a minimum, I think we could add some additional non-normative explanatory text somewhere in the framework spec that clarifies these distinctions. I'd be happy to draft some text, but I think it might be useful to first discuss this on an upcoming WG call.
I'm happy to open this as a separate issue if desired.
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>
from sharedsignals.
FragLegs
commented on June 13, 2024
Thank you @scvenema and @independentid . I am going to move these comments over to issue #52 where this concern is being discussed. The current issue was about an inconsistency in requirements that has been addressed in PR #70. I want to make sure your comments aren't lost when that PR merges and this issue closes.
from sharedsignals.
Related Issues (20)
- Allow Receiver to supply public key HOT 9
- Mark fields optional or required in StreamConfiguration
- Push based- Incorporate Server-Sent Events (SSE) HOT 4
- SSF: Example of Stream Creation Response
- SSF: Example of Update Stream Status Response
- Stream creation lanaguage imply that transmiter must suport the poll delivery method if delivery method is not specified HOT 1
- The examples for stream update requests should not include Transmitter-Supplied fields in the request HOT 3
- Get stream status API response should include stream_id for consistrency HOT 1
- Update IANA considerations and well-known reference
- Update CAEP & RISC Events and SSF Docs with txn claim HOT 2
- Explore machine reachable approach to event definitions HOT 4
- Attacker Stream Subject Insertion
- Stream Audience Mix-Up
- Issuer Mix-Up
- Specify expected default behavior of streams with no subjects HOT 4
- Scanning for RISC API transmitters
- Initial security audit feedback HOT 1
- Clarify that only one event is allowed per SET HOT 4
- Clarify expected response when "state" is incorrect for Verification event HOT 1
- Remove "cause-time" from RISC example in SSF spec
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sharedsignals.