Push-Based SET Token Delivery Using HTTPAmazonrichanna@amazon.comMicrosoftmbj@microsoft.comhttp://self-issued.info/Googlemscurtescu@google.comCiscomorteza.ansari@cisco.comMicrosofttonynad@microsoft.com
Security
Security Events Working GroupInternet-Draft
This specification defines how a series of security event tokens
(SETs) may be delivered to a previously registered receiver
using HTTP POST over TLS initiated as a push to the receiver.
This specification defines how SETs (see )
can be transmitted to a previously registered
SET Receiver using HTTP
over TLS. The specification defines a method to push SETs via
HTTP POST.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.
Throughout this documents all figures may contain spaces and
extra
line-wrapping for readability and space limitations.
This specification assumes terminology defined in the Security
Event Token specification, as well as the terms defined below:
A service provider that delivers SETs to other providers known
as SET Receivers.
A service provider that registers to receive SETs from
a SET Transmitter and provides an endpoint to receive
SETs via HTTP POST.
In Push-Based SET Delivery Using HTTP, SETs are delivered
one at a time using HTTP POST requests by a SET Transmitter
to a SET Receiver, as described below in .
Upon receipt, the
SET Receiver acknowledges receipt or indicates an error via the HTTP
response, as described below in .
After successful (acknowledged) SET delivery, SET
Transmitters SHOULD NOT be required to maintain or record SETs for
recovery. Once a SET is acknowledged, the SET Receiver SHALL be
responsible for retention and recovery.Transmitted SETs SHOULD be self-validating (e.g. signed)
if there is a requirement to verify they were issued by the SET
Transmitter at a later date when de-coupled from the original
delivery where authenticity could be checked via the HTTP or
TLS mutual authentication.
Upon receiving a SET, the SET Receiver reads the SET and validates
it. The SET Receiver MUST acknowledge receipt to the SET Transmitter, using the
defined acknowledgement or error method.The SET Receiver SHALL NOT use the Event acknowledgement mechanism
to report Event errors other than relating to the parsing and validation
of the SET.This method allows a SET Transmitter to use HTTP POST
(Section 4.3.3) to deliver
SETs to a previously registered web callback URI supplied by the
SET Receiver as part of a configuration process
(not defined by this document).The SET to be delivered MAY be signed
and/or encrypted as defined in .The HTTP Content-Type (see
Section 3.1.1.5) for the HTTP POST is
application/secevent+jwt and the request body SHALL consist of
a single SET (see ).
As per Section 5.3.2, the
value of the Accept header is
application/json.
The following is a non-normative example of a SET transmission HTTP POST request:
POST /Events HTTP/1.1
Host: notify.examplerp.com
Accept: application/json
Content-Type: application/secevent+jwt
eyJhbGciOiJub25lIn0
.
eyJwdWJsaXNoZXJVcmkiOiJodHRwczovL3NjaW0uZXhhbXBsZS5jb20iLCJmZWV
kVXJpcyI6WyJodHRwczovL2podWIuZXhhbXBsZS5jb20vRmVlZHMvOThkNTI0Nj
FmYTViYmM4Nzk1OTNiNzc1NCIsImh0dHBzOi8vamh1Yi5leGFtcGxlLmNvbS9GZ
WVkcy81ZDc2MDQ1MTZiMWQwODY0MWQ3Njc2ZWU3Il0sInJlc291cmNlVXJpcyI6
WyJodHRwczovL3NjaW0uZXhhbXBsZS5jb20vVXNlcnMvNDRmNjE0MmRmOTZiZDZ
hYjYxZTc1MjFkOSJdLCJldmVudFR5cGVzIjpbIkNSRUFURSJdLCJhdHRyaWJ1dG
VzIjpbImlkIiwibmFtZSIsInVzZXJOYW1lIiwicGFzc3dvcmQiLCJlbWFpbHMiX
SwidmFsdWVzIjp7ImVtYWlscyI6W3sidHlwZSI6IndvcmsiLCJ2YWx1ZSI6Impk
b2VAZXhhbXBsZS5jb20ifV0sInBhc3N3b3JkIjoibm90NHUybm8iLCJ1c2VyTmF
tZSI6Impkb2UiLCJpZCI6IjQ0ZjYxNDJkZjk2YmQ2YWI2MWU3NTIxZDkiLCJuYW
1lIjp7ImdpdmVuTmFtZSI6IkpvaG4iLCJmYW1pbHlOYW1lIjoiRG9lIn19fQ
.Upon receipt of the request, the SET Receiver SHALL
validate the JWT structure of the SET as defined in
Section 7.2. The SET Receiver
SHALL also validate the SET information as described
in Section 2.If the SET is determined to be valid, the SET Receiver SHALL
"acknowledge" successful submission by responding with HTTP Status
202 as Accepted
(see Section 6.3.3).In order
to maintain compatibility with other methods of transmission, the
SET Receiver SHOULD NOT include an HTTP response body representation
of the submitted SET or what the SET's pending status is when
acknowledging success. In the case of an error (e.g. HTTP Status 400),
the purpose of the HTTP response body is to indicate any SET parsing,
validation, or cryptographic errors.The following is a non-normative example of a successful
receipt of a SET.HTTP/1.1 202 AcceptedNote that the purpose of the "acknowledgement" response is to let the
SET Transmitter know that a SET has been delivered and the
information no longer needs to be retained by the SET Transmitter.
Before acknowledgement, SET Receivers SHOULD ensure they have
validated received SETs and retained them in a manner appropriate
to information retention requirements appropriate to the SET
event types signaled. The level and method of retention of SETs
by SET Receivers is out-of-scope of this specification.In the Event of a general HTTP error condition, the SET Receiver
MAY respond with an appropriate HTTP Status code as defined in
Section 6.When the SET Receiver detects an error parsing or
validating a received SET (as defined by ),
the SET Receiver SHALL indicate an HTTP Status 400 error with an
error response as described in .
The following is an example non-normative error
response.HTTP/1.1 400 Bad Request
Content-Type: application/json
{
"err":"dup",
"description":"SET already received. Ignored."
}Security Event Token Delivery Error Codes are strings that identify a
specific type of error that may occur when parsing or validating a SET.
Every Security Event Token Delivery Error Code MUST have a unique name
registered in the IANA "Security Event Token Delivery Error Codes"
registry established by .The following table presents the initial set of Error Codes that are registered
in the IANA "Security Event Token Delivery Error Codes" registry:Error CodeDescriptionjsonInvalid JSON object.jwtParseInvalid or unparsable JWT or JSON structure.jwtHdrIn invalid JWT header was detected.jwtCryptoUnable to parse due to unsupported algorithm.jwsSignature was not validated.jweUnable to decrypt JWE encoded data.jwtAudInvalid audience value.jwtIssIssuer not recognized.setTypeAn unexpected Event type was received.setParseInvalid structure was encountered such as an
inability to parse or an incomplete set of Event claims.setDataSET event claims incomplete or invalid.dupA duplicate SET was received and has been ignored.An error response SHALL include a JSON
object which provides details about the error. The JSON object
includes the JSON attributes: A value which is a keyword that
describes the error (see ).A human-readable text that provides
additional diagnostic information.
When included as part of an HTTP Status 400 response, the above
JSON is the HTTP response body (see ).The SET delivery method described in this specification is
based upon HTTP and depends on the use of TLS and/or standard
HTTP authentication and authorization schemes as per
.
Because SET Delivery describes a simple function, authorization
for the ability to pick-up or deliver SETs can be derived by
considering the identity of the SET issuer, or via other employed
authentication methods. Because SETs are
not commands (see ), SET Receivers are free to ignore SETs that
are not of interest.In scenarios where HTTP authorization or TLS mutual authentication
are not used or are considered weak, JWS signed SETs SHOULD be
used (see and
Security Considerations). This enables the SET Receiver
to validate that the SET issuer is authorized to deliver SETs.
SETs contain sensitive information that is considered PII
(e.g. subject claims). Therefore, SET Transmitters and
SET Receivers MUST require the use of a transport-layer
security mechanism. Event delivery endpoints MUST support TLS
1.2 and MAY support additional
transport-layer mechanisms meeting its security requirements.
When using TLS, the client MUST perform a TLS/SSL server
certificate check, per . Implementation
security considerations for TLS can be found in "Recommendations for
Secure Use of TLS and DTLS" .
The SET Receiver may be vulnerable to a denial-of-service attack where a
malicious party makes a high volume of requests containing invalid SETs,
causing the endpoint to expend significant resources on cryptographic
operations that are bound to fail. This may be mitigated by authenticating
SET Transmitters with a mechanism with low runtime overhead, such as mutual
TLS or statically assigned bearer tokens.
If a SET needs to be retained for audit purposes, JWS MAY
be used to provide verification of its authenticity.When sharing personally identifiable information or information
that is otherwise considered confidential to affected users, SET
Transmitters and Receivers MUST have the appropriate legal agreements
and user consent or terms of service in place.The propagation of subject identifiers can be perceived as personally
identifiable information. Where possible, SET Transmitters and Receivers
SHOULD devise approaches that prevent propagation -- for example, the
passing of a hash value that requires the subscriber to already know
the subject.
This document defines Security Event Token Delivery Error Codes, for which IANA
is asked to create and maintain a new registry titled "Security Event Token
Delivery Error Codes". Initial values for the Security Event Token Delivery
Error Codes registry are given in . Future assignments
are to be made through the Expert Review registration policy ()
and shall follow the template presented in .
The name of the Security Event Token Delivery Error Code, as described
in . The name MUST be a case-sensitive ASCII
string consisting only of upper-case letters ("A" - "Z"), lower-case
letters ("a" - "z"), and digits ("0" - "9").
A brief human-readable description of the Security Event Token Delivery
Error Code.
For error codes registered by the IETF or its working groups, list "IETF
Secevent Working Group". For all other error codes, list the name of the
party responsible for the registration. Contact information such as
mailing address, email address, or phone number may also be provided.
A reference to the document or documents that define the Security Event
Token Delivery Error Code. The definition MUST specify the name and
description of the error code, and explain under what circumstances the
error code may be used. URIs that can be used to retrieve copies of each
document at no cost SHOULD be included.
jsonInvalid JSON object.IETF Secevent Working Group of this document.
jwtParseInvalid or unparsable JWT or JSON structure.IETF Secevent Working Group of this document.
jwtHdrAn invalid JWT header was detected.IETF Secevent Working Group of this document.
jwtCryptoUnable to parse due to unsupported algorithm.IETF Secevent Working Group of this document.
jwsSignature was not validated.IETF Secevent Working Group of this document.
jweUnable to decrypt JWE encoded data.IETF Secevent Working Group of this document.
jwtAudInvalid audience value.IETF Secevent Working Group of this document.
jwtIssIssuer not recognized. of this document.
setTypeAn unexpected Event type was received.IETF Secevent Working Group of this document.
setParse
Invalid structure was encountered such as an inability to parse or an
incomplete set of Event claims.
IETF Secevent Working Group of this document.
setDataSET event claims incomplete or invalid.IETF Secevent Working Group of this document.
dup A duplicate SET was received and has been ignored.
IETF Secevent Working Group of this document.
OpenID Connect Core 1.0NRIAssertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0Internet2[[EDITORS NOTE: This section to be removed prior to publication]]The following pub/sub, queuing, streaming systems were reviewed
as possible solutions or as input to the current draft:XMPP EventsThe WG considered the XMPP events ands its ability to provide a single
messaging solution without the need for both polling and push modes.
The feeling was the size and methodology of XMPP was to far apart from
the current capabilities of the SECEVENTs community which focuses in
on HTTP based service delivery and authorization.Amazon Simple Notification ServiceSimple Notification Service, is a pub/sub messaging product from
AWS. SNS supports a variety of subscriber types: HTTP/HTTPS endpoints,
AWS Lambda functions, email addresses (as JSON or plain text), phone
numbers (via SMS), and AWS SQS standard queues. It doesn’t directly
support pull, but subscribers can get the pull model by creating an
SQS queue and subscribing it to the topic. Note that this puts the
cost of pull support back onto the subscriber, just as it is in the
push model. It is not clear that one way is strictly better than the
other; larger, sophisticated developers may be happy to own message
persistence so they can have their own internal delivery guarantees.
The long tail of OIDC clients may not care about that, or may fail
to get it right. Regardless, I think we can learn something from the
Delivery Policies supported by SNS, as well as the delivery controls
that SQS offers (e.g. Visibility Timeout, Dead-Letter Queues). I’m
not suggesting that we need all of these things in the spec, but
they give an idea of what features people have found useful.Other information:API Reference: http://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/Welcome.htmlVisibility Timeouts: http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-visibility-timeout.htmlApache KafkaApache Kafka is an Apache open source project based upon TCP for
distributed streaming. It prescribes some interesting general
purpose features that seem to extend far beyond the simpler
streaming model SECEVENTs is after. A comment from MS has been that
Kafka does an acknowledge with poll combination event which seems
to be a performance advantage. See: https://kafka.apache.org/introGoogle Pub/SubGoogle Pub Sub system favours a model whereby polling and acknowledgement
of events is done as separate endpoints as separate functions.Information:Cloud Overview - https://cloud.google.com/pubsub/Subscriber Overview - https://cloud.google.com/pubsub/docs/subscriberSubscriber Pull(poll) - https://cloud.google.com/pubsub/docs/pullThe editors would like to thanks the members of the SCIM WG which
began discussions of provisioning events starting with: draft-hunt-scim-notify-00 in 2015.The editors would like to thank Phil Hunt and the other authors of draft-ietf-secevent-delivery-02,
on which this draft is based.The editor would like to thank the participants in the the SECEVENTS
working group for their support of this specification.Draft 00 - AB - Based on draft-ietf-secevent-delivery-02 with the
following changes:Renamed to "Push-Based SET Token Delivery Using HTTP"Removed references to the HTTP Polling delivery method.Removed informative reference to RFC6202.
Draft 01 - AB:
Fixed area and workgroup to match secevent.Removed unused definitions and definitions already covered by SET.Renamed Event Transmitter and Event Receiver to SET Transmitter and SET Receiver, respectively.Added IANA registry for SET Delivery Error Codes.Removed enumeration of HTTP authentication methods.Removed generally applicable guidance for HTTP, authorization tokens, and bearer tokens.Moved guidance for using authentication methods as DoS protection to Security Considerations.Removed redundant instruction to use WWW-Authenticate header.Removed further generally applicable guidance for authorization tokens.Removed bearer token from example delivery request, and text referencing it.Broke delivery method description into separate request/response sections.Added missing empty line between headers and body in example request.Removed unapplicable notes about example formatting.Removed text about SET creation and handling.Removed duplication in protocol description.Added "non-normative example" text to example transmission request.Fixed inconsistencies in use of Error Code term.