forked from independentid/Identity-Events
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdraft-ietf-secevent-http-push.xml
1044 lines (983 loc) · 54.4 KB
/
draft-ietf-secevent-http-push.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type='text/xsl' href='http://xml2rfc.tools.ietf.org/authoring/rfc2629.xslt' ?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-ietf-secevent-http-push-14" ipr="trust200902">
<front>
<title abbrev="draft-ietf-secevent-http-push">Push-Based Security Event Token (SET) Delivery Using HTTP</title>
<author fullname="Annabelle Backman" initials="A." surname="Backman" role="editor">
<organization abbrev="Amazon">Amazon</organization>
<address>
<email>richanna@amazon.com</email>
</address>
</author>
<author fullname="Michael B. Jones" initials="M." surname="Jones" role="editor">
<organization abbrev="Microsoft">Microsoft</organization>
<address>
<email>mbj@microsoft.com</email>
<uri>https://self-issued.info/</uri>
</address>
</author>
<author fullname="Marius Scurtescu" initials="M.S." surname="Scurtescu">
<organization abbrev="Coinbase">Coinbase</organization>
<address>
<email>marius.scurtescu@coinbase.com</email>
</address>
</author>
<author fullname="Morteza Ansari" initials="M." surname="Ansari">
<organization abbrev="Cisco">Cisco</organization>
<address>
<email>morteza.ansari@cisco.com</email>
</address>
</author>
<author fullname="Anthony Nadalin" initials="A." surname="Nadalin">
<organization abbrev="Microsoft">Microsoft</organization>
<address>
<email>tonynad@microsoft.com</email>
</address>
</author>
<date year="2020" month="June" day="26" />
<area>Security</area>
<workgroup>Security Events Working Group</workgroup>
<keyword>Internet-Draft</keyword>
<abstract>
<t>
This specification defines how a Security Event Token (SET)
can be delivered to an intended recipient using HTTP POST over TLS.
The SET is transmitted in the body of an HTTP POST request to an
endpoint operated by the recipient, and the recipient indicates
successful or failed transmission via the HTTP response.
</t>
</abstract>
</front>
<middle>
<section anchor="intro" title="Introduction and Overview" toc="default">
<t>
This specification defines a mechanism by which a transmitter of a
<xref target="RFC8417">Security Event Token (SET)</xref> can deliver
the SET to an intended SET Recipient via <xref target="RFC7231">HTTP POST</xref>
over TLS.
This is an alternative SET delivery method to the one defined in
<xref target="I-D.ietf-secevent-http-poll"/>.
</t>
<t>
Push-based SET delivery over HTTP POST is intended for scenarios where all of
the following apply:
<list style="symbols">
<t>The transmitter of the SET is capable of making outbound HTTP requests.</t>
<t>
The recipient is capable of hosting a TLS-enabled HTTP endpoint that is accessible
to the transmitter.
</t>
<t>
The transmitter and recipient are willing to exchange data with one another.
</t>
</list>
In some scenarios, either push-based or poll-based delivery could be used,
and in others, only one of them would be applicable.
</t>
<t>
A mechanism for exchanging configuration metadata such as endpoint URLs,
cryptographic keys,
and possible implementation constraints such as buffer size limitations
between the transmitter and recipient is
out of scope for this specification. How SETs are defined and the process
by which security events are identified for SET Recipients are specified
in <xref target="RFC8417"/>.
</t>
<section anchor="notat" title="Notational Conventions" toc="default">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.
</t>
<t>
Throughout this document, all figures may contain spaces and extra
line wrapping for readability and due to space limitations.
</t>
</section>
<section anchor="defs" title="Definitions" toc="default">
<t>
This specification utilizes the following terms defined in <xref target="RFC8417"/>:
"Security Event Token (SET)", "SET Issuer", "SET Recipient", and "Event Payload",
as well as the term defined below:
</t>
<t>
<list style="hanging">
<t hangText="SET Transmitter">
An entity that delivers SETs in its possession to one or more SET
Recipients.
</t>
</list>
</t>
</section>
</section>
<section anchor="Delivery" title="SET Delivery">
<t>
To deliver a SET to a given SET Recipient, the SET Transmitter
makes a SET transmission request to the SET Recipient, with the SET
itself contained within the request. The SET Recipient replies to
this request with a response either acknowledging successful
transmission of the SET or indicating that an error occurred
while receiving, parsing, and/or validating the SET.
</t>
<t>
Upon receipt of a SET, the SET Recipient SHALL validate that all of
the following are true:
<list style="symbols">
<t>The SET Recipient can parse the SET.</t>
<t>
The SET is authentic (i.e., it was issued by the issuer
specified within the SET,
and if signed, was signed by a key belonging to the issuer).
</t>
<t>
The SET Recipient is identified as an intended audience of
the SET.
</t>
<t>
The SET Issuer is recognized as an issuer that the SET Recipient
is willing to receive SETs from (e.g., the issuer is listed as allowed
by the SET Recipient).
</t>
<t>
The SET Recipient is willing to accept this SET from this SET Transmitter
(e.g., the SET Transmitter is expected to send SETs
with the issuer and subject of the SET in question).
</t>
</list>
</t>
<t>
The mechanisms by which the SET Recipient performs this validation
are out of scope for this document. SET parsing, issuer identification,
and audience identification are defined in <xref target="RFC8417"/>.
The mechanism for validating the authenticity of a SET is deployment
specific, and may vary depending on the authentication mechanisms in
use, and whether the SET is signed and/or encrypted (See <xref target="aa"/>).
</t>
<t>
SET Transmitters MAY transmit SETs issued by another entity. The SET
Recipient may accept or reject (i.e., return an error response such as
<spanx style="verb">access_denied</spanx>) a SET at its own discretion.
</t>
<t>
The SET Recipient persists the SET in a way that
is sufficient to meet the SET Recipient's own reliability requirements.
The level and method of retention of SETs
by SET Recipients is out of scope of this specification.
Once the SET has been validated and persisted, the SET Recipient SHOULD
immediately return a response indicating that the SET was successfully
delivered. The SET Recipient SHOULD NOT perform further processing of the SET
beyond the required validation steps prior to sending this response.
Any additional steps SHOULD be executed asynchronously from delivery
to minimize the time the SET Transmitter is waiting for a response.
</t>
<t>
The SET Transmitter MAY transmit the same SET to the SET Recipient multiple
times, regardless of the response from the SET Recipient. The SET Recipient
MUST respond as it would if the SET had not been previously received by the
SET Recipient. The SET Recipient MUST NOT expect or depend on a SET Transmitter
to re-transmit a SET or otherwise make a SET available to the SET Recipient
once the SET Recipient acknowledges that it was received successfully.
</t>
<t>
The SET Transmitter should not re-transmit a SET unless the SET Transmitter
suspects that previous transmissions may have failed due to potentially
recoverable errors (such as network outage or temporary service interruption at
either the SET Transmitter or SET Recipient). In all other cases, the SET
Transmitter SHOULD NOT re-transmit a SET. The SET
Transmitter SHOULD delay retransmission for an appropriate amount of time
to avoid overwhelming the SET Recipient (see <xref target="reliability"/>).
</t>
<section anchor="httpPost" title="Transmitting a SET">
<t>
To transmit a SET to a SET Recipient, the SET Transmitter makes
an HTTP POST request to a TLS-enabled HTTP endpoint provided by the SET Recipient. The
<spanx style="verb">Content-Type</spanx> header field of this request MUST
be <spanx style="verb">application/secevent+jwt</spanx> as defined in
Sections 2.3 and 7.2 of <xref target="RFC8417"/>, and the
<spanx style="verb">Accept</spanx> header field MUST be <spanx style="verb">application/json</spanx>. The
request body MUST consist of the SET itself, represented as a
<xref target="RFC7519">JWT</xref>.
</t>
<t>
The SET Transmitter MAY include in the request an <spanx style="verb">Accept-Language</spanx>
header field to indicate to the SET Recipient the preferred language(s) in which to
receive error messages.
</t>
<t>
The mechanisms by which the SET Transmitter determines the HTTP endpoint to
use when transmitting a SET to a given SET Recipient are not defined by this
specification and are deployment specific.
</t>
<figure align="left" anchor="postSet" title="Example SET Transmission Request">
<preamble>
The following is a non-normative example of a SET transmission request:
</preamble>
<artwork><![CDATA[
POST /Events HTTP/1.1
Host: notify.rp.example.com
Accept: application/json
Accept-Language: en-US, en;q=0.5
Content-Type: application/secevent+jwt
eyJ0eXAiOiJzZWNldmVudCtqd3QiLCJhbGciOiJIUzI1NiJ9Cg
.
eyJpc3MiOiJodHRwczovL2lkcC5leGFtcGxlLmNvbS8iLCJqdGkiOiI3NTZFNjk
3MTc1NjUyMDY5NjQ2NTZFNzQ2OTY2Njk2NTcyIiwiaWF0IjoxNTA4MTg0ODQ1LC
JhdWQiOiI2MzZDNjk2NTZFNzQ1RjY5NjQiLCJldmVudHMiOnsiaHR0cHM6Ly9zY
2hlbWFzLm9wZW5pZC5uZXQvc2VjZXZlbnQvcmlzYy9ldmVudC10eXBlL2FjY291
bnQtZGlzYWJsZWQiOnsic3ViamVjdCI6eyJzdWJqZWN0X3R5cGUiOiJpc3Mtc3V
iIiwiaXNzIjoiaHR0cHM6Ly9pZHAuZXhhbXBsZS5jb20vIiwic3ViIjoiNzM3NT
YyNkE2NTYzNzQifSwicmVhc29uIjoiaGlqYWNraW5nIn19fQ
.
Y4rXxMD406P2edv00cr9Wf3_XwNtLjB9n-jTqN1_lLc
]]></artwork>
</figure>
</section>
<section anchor="successResponse" title="Success Response">
<t>If the SET is determined to be valid, the SET Recipient SHALL
acknowledge successful transmission by responding with HTTP
Response Status Code 202 (Accepted) (see Section 6.3.3 of <xref target="RFC7231"/>).
The body of the response MUST be empty.
</t>
<figure anchor="goodPostResponse" title="Example Successful Delivery Response">
<preamble>The following is a non-normative example of a successful
receipt of a SET.</preamble>
<artwork><![CDATA[
HTTP/1.1 202 Accepted
]]></artwork>
</figure>
</section>
<section anchor="failureResponse" title="Failure Response">
<t>In the event of a general HTTP error condition, the SET Recipient
responds with the applicable HTTP Status Code, as defined in
Section 6 of <xref target="RFC7231"/>.</t>
<t>
When the SET Recipient detects an error parsing, validating, or authenticating
a SET transmitted in a SET Transmission Request, the SET Recipient SHALL respond
with an HTTP Response Status Code of 400 (Bad Request). The
<spanx style="verb">Content-Type</spanx> header field of this response MUST be
"application/json", and the body MUST be a UTF-8 encoded <xref target="RFC8259">JSON</xref>
object containing the following name/value pairs:
<list style="hanging">
<t hangText="err">
A Security Event Token Error Code (see <xref target="error_codes"/>).
</t>
<t hangText="description">
A UTF-8 string containing a human-readable description of the error
that may provide additional diagnostic information. The exact content
of this field is implementation specific.
</t>
</list>
</t>
<t>
The response MUST include a <spanx style="verb">Content-Language</spanx> header field, whose
value indicates the language of the error descriptions included in the response body. If
the SET Recipient can provide error descriptions in multiple languages, they SHOULD choose
the language to use according to the value of the <spanx style="verb">Accept-Language</spanx>
header field sent by the SET Transmitter in the transmission request, as described in Section 5.3.5
of <xref target="RFC7231"/>. If the SET Transmitter did not send an
<spanx style="verb">Accept-Language</spanx> header field, or if the SET Recipient does not support any
of the languages included in the header field, the SET Recipient MUST respond with messages that are
understandable by an English-speaking person, as described in Section 4.5 of <xref target="RFC2277"/>.
</t>
<figure anchor="errorResponseInvalidKey" title="Example Error Response (invalid_key)">
<preamble>The following is a non-normative example error response indicating
that the key used to encrypt the SET has been revoked.</preamble>
<artwork><![CDATA[
HTTP/1.1 400 Bad Request
Content-Language: en-US
Content-Type: application/json
{
"err": "invalid_key",
"description": "Key ID 12345 has been revoked."
}
]]></artwork>
</figure>
<figure anchor="errorResponseExpiredToken" title="Example Error Response (authentication_failed)">
<preamble>The following is a non-normative example error response indicating
that the access token included in the request is expired.</preamble>
<artwork><![CDATA[
HTTP/1.1 400 Bad Request
Content-Language: en-US
Content-Type: application/json
{
"err": "authentication_failed",
"description": "Access token has expired."
}
]]></artwork>
</figure>
<figure anchor="errorResponseBadIssuer" title="Example Error Response (access_denied)">
<preamble>The following is a non-normative example error response indicating
that the SET Receiver is not willing to accept SETs issued by the specified
issuer from this particular SET Transmitter.</preamble>
<artwork><![CDATA[
HTTP/1.1 400 Bad Request
Content-Language: en-US
Content-Type: application/json
{
"err": "invalid_issuer",
"description": "Not authorized for issuer https://iss.example.com/."
}
]]></artwork>
</figure>
</section>
<section anchor="error_codes" title="Security Event Token Delivery Error Codes">
<t>Security Event Token Delivery Error Codes are strings that identify a
specific category of error that may occur when parsing or validating a SET.
Every Security Event Token Delivery Error Code MUST have a unique name
registered in the IANA "Security Event Token Delivery Error Codes"
registry established by <xref target="iana_set_errors"/>.</t>
<t>The following table presents the initial set of Error Codes that are registered
in the IANA "Security Event Token Delivery Error Codes" registry:</t>
<texttable anchor="reqErrors" title="SET Delivery Error Codes">
<ttcol>Error Code</ttcol><ttcol>Description</ttcol>
<c>invalid_request</c><c>The request body cannot be parsed as a SET, or the
Event Payload within the SET does not conform to the event's definition.</c>
<c>invalid_key</c><c>One or more keys used to encrypt or sign the SET is
invalid or otherwise unacceptable to the SET Recipient (expired,
revoked, failed certificate validation, etc.).</c>
<c>invalid_issuer</c><c>The SET issuer is invalid for the SET Recipient.</c>
<c>invalid_audience</c><c>The SET audience does not correspond to the SET Recipient.</c>
<c>authentication_failed</c><c>The SET Recipient could not authenticate the
SET Transmitter.</c>
<c>access_denied</c><c>The SET Transmitter is not authorized to transmit the
SET to the SET Recipient.</c>
</texttable>
<t>
Other Error Codes may also be received,
as the set of Error Codes is extensible
via the IANA "Security Event Token Delivery Error Codes" registry
established in <xref target="iana_set_errors"/>.
</t>
</section>
</section>
<section anchor="aa" title="Authentication and Authorization" toc="default">
<t>The SET delivery method described in this specification is
based upon HTTP over TLS <xref target="RFC2818"/> and standard
HTTP authentication and authorization schemes, as per
<xref target="RFC7235" />.
The TLS server certificate MUST be validated using DNS-ID <xref target="RFC6125"/>
and/or DANE <xref target="RFC6698"/>.
</t>
<t>
Authorization for the eligibility to provide actionable SETs can be determined by
using the identity of the SET Issuer,
the identity of the SET Transmitter, perhaps using mutual TLS,
or via other employed authentication methods.
Because SETs are
not commands, SET Recipients are free to ignore SETs that
are not of interest.
</t>
</section>
<section anchor="reliability" title="Delivery Reliability" toc="default">
<t>
Delivery reliability requirements may vary depending upon the use cases.
This specification defines the response from the SET
Recipient in such a way as to provide the SET Transmitter with the
information necessary to determine what further action is required,
if any, in order to meet their requirements. SET Transmitters with
high reliability requirements may be tempted to always retry failed
transmissions. However, it should be noted that for many types of SET
delivery errors, a retry is extremely unlikely to be successful. For
example, <spanx style="verb">invalid_request</spanx> indicates a structural
error in the content of the request body that is likely to remain when
re-transmitting the same SET. Others such as <spanx style="verb">access_denied</spanx>
may be transient, for example if the SET Transmitter refreshes expired
credentials prior to re-transmission.
</t>
<t>
The SET Transmitter may be unaware of whether or not a SET has been delivered
to a SET Recipient. For example, a network interruption could prevent the
SET Transmitter from receiving the success response, or a service outage could
prevent the SET Transmitter from recording the fact that the SET was delivered.
It is left to the implementer to decide how to handle such cases, based on
their requirements. For example, it may be appropriate for the SET Transmitter to
transmit the SET to the SET Recipient, erring on the side of guaranteeing delivery,
or it may be appropriate to assume delivery was successful, erring on the side of
not spending resources re-transmitting previously delivered SETs. Other options,
such as sending the SET to a "dead letter queue" for manual examination may also
be appropriate.
</t>
<t>
Implementers SHOULD evaluate the reliability requirements of their use cases and the
impact of various retry mechanisms and re-transmission policies on the performance
of their systems to determine an appropriate strategy for handling various error
conditions.
</t>
</section>
<section anchor="Security" title="Security Considerations" toc="default">
<section anchor="payloadAuthentication" title="Authentication Using Signed SETs">
<t>
JWS signed SETs can be
used (see <xref target="RFC7515"/> and Section 5 of <xref target="RFC8417"/>)
to enable the SET Recipient
to validate that the SET Issuer is authorized to provide actionable SETs.
</t>
</section>
<section anchor="HTTP" title="HTTP Considerations">
<t>SET delivery depends on the use of Hypertext Transfer Protocol and is thus
subject to the security considerations of HTTP Section 9 of <xref
target="RFC7230"/> and its related specifications.</t>
</section>
<section anchor="Confidentiality" title="Confidentiality of SETs">
<t>
SETs may contain sensitive information, including Personally Identifiable Information (PII),
or be distributed through third parties.
In such cases, SET Transmitters and
SET Recipients MUST protect the confidentiality of the SET contents.
TLS MUST be used to secure the transmitted SETs.
In some use cases,
encrypting the SET as described in <xref target="RFC7516">JWE</xref> will also be required.
The Event delivery endpoint MUST support at least TLS
version 1.2 <xref target="RFC5246"/> and SHOULD support the newest version
of TLS that meets its security requirements,
which as of the time of this publication is TLS 1.3 <xref target="RFC8446"/>.
The client MUST
perform a TLS/SSL server certificate check using DNS-ID <xref target="RFC6125"/>
and/or DANE <xref target="RFC6698"/>.
How a SET Transmitter determines the expected service identity to match the SET
Recipient's server certificate against is out of scope for this document.
The implementation security considerations for TLS in
"Recommendations for Secure Use of TLS and DTLS" <xref target="RFC7525"/>
MUST be followed.
</t>
</section>
<section anchor="DoS" title="Denial of Service">
<t>
The SET Recipient may be vulnerable to a denial-of-service attack where a
malicious party makes a high volume of requests containing invalid SETs,
causing the endpoint to expend significant resources on cryptographic
operations that are bound to fail. This may be mitigated by authenticating
SET Transmitters with a mechanism such as mutual TLS.
Rate-limiting problematic transmitters is also a possible means of mitigation.
</t>
</section>
<section anchor="Persisted" title="Authenticating Persisted SETs">
<t>
At the time of receipt, the SET Recipient can rely upon TLS
mechanisms, HTTP authentication methods, and/or other context from the
transmission request to authenticate the SET Transmitter and validate the
authenticity of the SET. However, this context is typically unavailable to
systems to which the SET Recipient forwards the SET, or to systems that
retrieve the SET from storage. If the SET Recipient requires the ability to
validate SET authenticity outside of the context of the transmission request,
then the SET Recipient SHOULD ensure that such SETs have been signed in
accordance with <xref target="RFC7515"/>.
Needed context could also be stored with the SET and retrieved with it.
</t>
</section>
</section>
<section anchor="Privacy" title="Privacy Considerations">
<t>
SET Transmitters should attempt to deliver SETs that are targeted to the specific
business and protocol needs of subscribers.
</t>
<t>When sharing personally identifiable information or information
that is otherwise considered confidential to affected users, SET
Transmitters and Recipients MUST have the appropriate legal agreements
and user consent or terms of service in place.
Furthermore, data that needs confidentiality protection MUST be encrypted,
at least with TLS
and sometimes also using JSON Web Encryption (JWE) <xref target="RFC7516"/>.
</t>
<t>
In some cases, subject identifiers themselves may be considered sensitive
information, such that their inclusion within a SET may be considered a violation
of privacy. SET Issuers and SET Transmitters should consider the ramifications of sharing a
particular subject identifier with a SET Recipient (e.g., whether doing so could
enable correlation and/or de-anonymization of data) and choose appropriate
subject identifiers for their use cases.
</t>
</section>
<section anchor="IANA" title="IANA Considerations">
<section anchor="iana_set_errors" title="Security Event Token Delivery Error Codes">
<t>
This document defines Security Event Token Delivery Error Codes, for which IANA
is asked to create and maintain a new registry titled "Security Event Token
Delivery Error Codes". Initial values for the Security Event Token Delivery
Error Codes registry are defined in <xref target="reqErrors"/> and registered below. Future assignments
are to be made through the Specification Required registration policy (<xref target="RFC8126"/>)
and shall follow the template below.
</t>
<t>
Error Codes are intended to be interpreted by automated systems, and therefore SHOULD
identify classes of errors to which an automated system could respond in a meaningfully
distinct way (e.g., by refreshing authentication credentials and retrying the request).
</t>
<t>
Error Code names are case sensitive.
Names may not match other registered names in a case-insensitive manner
unless the Designated Experts state that there is a compelling reason
to allow an exception.
</t>
<t>
Criteria that should be applied by the Designated Experts includes
determining whether the proposed registration duplicates existing functionality,
whether it is likely to be of general applicability
or whether it is useful only for a single application,
and whether the registration description is clear.
</t>
<t>
It is suggested that multiple Designated Experts be appointed who are able to
represent the perspectives of different applications using this specification,
in order to enable broadly informed review of registration decisions.
In cases where a registration decision could be perceived as
creating a conflict of interest for a particular Expert,
that Expert should defer to the judgment of the other Experts.
</t>
<section anchor="iana_set_errors_template" title="Registration Template">
<t>
<list style="hanging">
<t hangText="Error Code">
<vspace/>
The name of the Security Event Token Delivery Error Code, as described
in <xref target="error_codes"/>. The name MUST be a case-sensitive ASCII
string consisting only of letters, digits, and underscore; these are the
characters whose codes fall within the inclusive ranges 0x30-39, 0x41-5A,
0x5F and 0x61-7A.
</t>
<t hangText="Description">
<vspace/>
A brief human-readable description of the Security Event Token Delivery
Error Code.
</t>
<t hangText="Change Controller">
<vspace/>
For error codes registered by the IETF or its working groups, list "IETF".
For all other error codes, list the name of the
party responsible for the registration. Contact information such as
mailing address, email address, or phone number may also be provided.
</t>
<t hangText="Defining Document(s)">
<vspace/>
A reference to the document or documents that define the Security Event
Token Delivery Error Code. The definition MUST specify the name and
description of the error code and explain under what circumstances the
error code may be used. URIs that can be used to retrieve copies of each
document at no cost SHOULD be included.
</t>
</list>
</t>
</section>
<section anchor="InitialContents" title="Initial Registry Contents">
<t>
<?rfc subcompact="yes"?>
<list style="hanging">
<t>Error Code: invalid_request</t>
<t>Description: The request body cannot be parsed as a SET or the event
payload within the SET does not conform to the event's definition.</t>
<t>Change Controller: IETF</t>
<t>Defining Document(s):
<xref target="error_codes"/> of [[ this specification ]]
</t>
</list>
</t>
<t>
<list style="hanging">
<t>Error Code: invalid_key</t>
<t>Description: One or more keys used to encrypt or sign the SET is invalid
or otherwise unacceptable to the SET Recipient (expired, revoked,
failed certificate validation, etc.).</t>
<t>Change Controller: IETF</t>
<t>Defining Document(s):
<xref target="error_codes"/> of [[ this specification ]]
</t>
</list>
</t>
<t>
<list style="hanging">
<t>Error Code: invalid_issuer</t>
<t>Description: The SET issuer is invalid for the SET Recipient.</t>
<t>Change Controller: IETF</t>
<t>Defining Document(s):
<xref target="error_codes"/> of [[ this specification ]]
</t>
</list>
</t>
<t>
<list style="hanging">
<t>Error Code: invalid_audience</t>
<t>Description: The SET audience does not correspond to the SET Recipient.</t>
<t>Change Controller: IETF</t>
<t>Defining Document(s):
<xref target="error_codes"/> of [[ this specification ]]
</t>
</list>
</t>
<t>
<list style="hanging">
<t>Error Code: authentication_failed</t>
<t>Description: The SET Recipient could not authenticate the SET Transmitter.</t>
<t>Change Controller: IETF</t>
<t>Defining Document(s):
<xref target="error_codes"/> of [[ this specification ]]
</t>
</list>
</t>
<t>
<list style="hanging">
<t>Error Code: access_denied</t>
<t>Description: The SET Transmitter is not authorized to transmit the
SET to the SET Recipient.</t>
<t>Change Controller: IETF</t>
<t>Defining Document(s):
<xref target="error_codes"/> of [[ this specification ]]
</t>
</list>
</t>
</section>
<?rfc subcompact="no"?>
</section>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml' ?>
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2277.xml'?><!-- IETF Language Policy -->
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2818.xml' ?><!-- HTTP over TLS -->
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.5246.xml' ?><!-- TLS 1.2 -->
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6125.xml' ?><!-- TLS Certs -->
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6698.xml' ?><!-- DANE -->
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7230.xml' ?><!-- HTTP Msg -->
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7231.xml' ?><!-- HTTP Semantics -->
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7515.xml' ?><!-- JWS -->
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7516.xml' ?><!-- JWE -->
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7519.xml' ?><!-- JWT -->
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7525.xml' ?><!-- TLS Recos -->
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml' ?>
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml' ?>
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8259.xml' ?><!-- JSON -->
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8417.xml'?><!-- SET -->
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml' ?><!-- TLS 1.3 -->
</references>
<references title="Informative References">
<?rfc include="http://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.draft-ietf-secevent-http-poll-11.xml" ?>
<?rfc include='http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7235.xml' ?><!-- HTTP Auth -->
</references>
<section anchor="Unencrypted" title="Unencrypted Transport Considerations">
<t>
Earlier versions of this specification made the use of TLS optional
and described security and privacy considerations resulting from use
of unencrypted HTTP as the underlying transport.
When the working group decided to mandate usage HTTP over TLS,
it also decided to preserve the description of these considerations
in this non-normative appendix.
</t>
<t>
SETs may contain sensitive information that is considered
Personally Identifiable Information (PII).
In such cases, SET Transmitters and
SET Recipients MUST protect the confidentiality of the SET contents.
When TLS is not used, this means that the SET MUST be encrypted
as described in <xref target="RFC7516">JWE</xref>.
</t>
<t>
If SETs were allowed to be transmitted over unencrypted channels, some privacy-sensitive
information about them might leak, even though the SETs themselves are encrypted.
For instance, an attacker may be able to determine whether or not a SET was accepted and the reason for its rejection
or may be able to derive information from being able to observe the size of the encrypted SET.
(Note that even when TLS is utilized, some information leakage is still possible;
message padding algorithms to prevent side channels remain an open research topic.)
</t>
</section>
<section anchor="Others" title="Other Streaming Specifications">
<t>[[ NOTE TO THE RFC EDITOR: This section to be removed prior to publication ]]</t>
<t>The following pub/sub, queuing, and streaming systems were reviewed
as possible solutions or as input to the current draft:</t>
<t>Poll-Based Security Event Token (SET) Delivery Using HTTP</t>
<t>In addition to this specification, the WG is defining a polling-based
SET delivery protocol. That protocol <xref target="I-D.ietf-secevent-http-poll"/>
describes it as:</t>
<figure><artwork>This specification defines how a series of Security Event Tokens
(SETs) can be delivered to an intended recipient using HTTP POST over
TLS initiated as a poll by the recipient. The specification also
defines how delivery can be assured, subject to the SET Recipient's
need for assurance.</artwork>
</figure>
<t>XMPP Events</t>
<t>The WG considered XMPP Events and their ability to provide a single
messaging solution without the need for both polling and push modes.
The feeling was the size and methodology of XMPP was too far apart from
the current capabilities of the SECEVENTs community, which focuses in
on HTTP based service delivery and authorization.</t>
<t>Amazon Simple Notification Service</t>
<t>Simple Notification Service is a pub/sub messaging product from
AWS. SNS supports a variety of subscriber types: HTTP/HTTPS endpoints,
AWS Lambda functions, email addresses (as JSON or plain text), phone
numbers (via SMS), and AWS SQS standard queues. It does not directly
support pull, but subscribers can get the pull model by creating an
SQS queue and subscribing it to the topic. Note that this puts the
cost of pull support back onto the subscriber, just as it is in the
push model. It is not clear that one way is strictly better than the
other; larger, sophisticated developers may be happy to own message
persistence so they can have their own internal delivery guarantees.
The long tail of OIDC clients may not care about that or may fail
to get it right. Regardless, I think we can learn something from the
Delivery Policies supported by SNS, as well as the delivery controls
that SQS offers (e.g., Visibility Timeout, Dead-Letter Queues). I am
not suggesting that we need all of these things in the spec, but
they give an idea of what features people have found useful.</t>
<t>Other information:<list style="symbols">
<t>API Reference: http://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/Welcome.html</t>
<t>Visibility Timeouts: http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-visibility-timeout.html</t>
</list></t>
<t>Apache Kafka</t>
<t>Apache Kafka is an Apache open source project based upon TCP for
distributed streaming. It prescribes some interesting general-purpose
features that seem to extend far beyond the simpler
streaming model that SECEVENTs is after. A comment from MS has been that
Kafka does an acknowledge with poll combination event which seems
to be a performance advantage. See: https://kafka.apache.org/intro</t>
<t>Google Pub/Sub</t>
<t>The Google Pub Sub system favors a model whereby polling and acknowledgement
of events is done with separate endpoints and as separate functions.</t>
<t>Information:<list style="symbols">
<t>Cloud Overview - https://cloud.google.com/pubsub/</t>
<t>Subscriber Overview - https://cloud.google.com/pubsub/docs/subscriber</t>
<t>Subscriber Pull(poll) - https://cloud.google.com/pubsub/docs/pull</t>
</list></t>
</section>
<section anchor="Acknowledgments" title="Acknowledgments">
<t>
The editors would like to thank the members of the SCIM working group, which
began discussions of provisioning events starting with draft-hunt-scim-notify-00 in 2015.
We would like to thank Phil Hunt and the other authors of draft-ietf-secevent-delivery-02,
upon which this specification is based.
We would like to thank the participants in the SecEvents
working group for their contributions to this specification.
</t>
<t>
Additionally, we would like to thank the following individuals for their reviews of the specification:
Joe Clarke,
Roman Danyliw,
Vijay Gurbani,
Benjamin Kaduk,
Erik Kline,
Murray Kucherawy,
Barry Leiba,
Yaron Sheffer,
Robert Sparks,
Valery Smyslov,
Éric Vyncke,
and
Robert Wilton.
</t>
</section>
<section anchor="History" title="Change Log">
<t>[[ NOTE TO THE RFC EDITOR: This section to be removed prior to publication ]]</t>
<t>Draft 00 - AB - Based on draft-ietf-secevent-delivery-02 with the
following changes:<list style="symbols">
<t>Renamed to "Push-Based SET Token Delivery Using HTTP"</t>
<t>Removed references to the HTTP Polling delivery method.</t>
<t>Removed informative reference to RFC6202.</t>
</list></t>
<t>
Draft 01 - AB:
<list style="symbols">
<t>Fixed area and workgroup to match secevent.</t>
<t>Removed unused definitions and definitions already covered by SET.</t>
<t>Renamed Event Transmitter and Event Receiver to SET Transmitter and SET Receiver, respectively.</t>
<t>Added IANA registry for SET Delivery Error Codes.</t>
<t>Removed enumeration of HTTP authentication methods.</t>
<t>Removed generally applicable guidance for HTTP, authorization tokens, and bearer tokens.</t>
<t>Moved guidance for using authentication methods as DoS protection to Security Considerations.</t>
<t>Removed redundant instruction to use WWW-Authenticate header.</t>
<t>Removed further generally applicable guidance for authorization tokens.</t>
<t>Removed bearer token from example delivery request, and text referencing it.</t>
<t>Broke delivery method description into separate request/response sections.</t>
<t>Added missing empty line between headers and body in example request.</t>
<t>Removed inapplicable notes about example formatting.</t>
<t>Removed text about SET creation and handling.</t>
<t>Removed duplication in protocol description.</t>
<t>Added "non-normative example" text to example transmission request.</t>
<t>Fixed inconsistencies in use of Error Code term.</t>
</list>
</t>
<t>
Draft 02 - AB:
<list style="symbols">
<t>Rewrote abstract and introduction.</t>
<t>Rewrote definitions for SET Transmitter, SET Receiver.</t>
<t>Renamed Event Delivery section to SET Delivery.</t>
<t>Readability edits to Success Response and Failure Response sections.</t>
<t>Consolidated definition of error response under Failure Response section.</t>
<t>Removed Event Delivery Process section and moved its content to parent section.</t>
<t>Readability edits to SET Delivery section and its subsections.</t>
<t>Added callout that SET Receiver HTTP endpoint configuration is out-of-scope.</t>
<t>Added callout that SET verification mechanisms are out-of-scope.</t>
<t>Added retry guidance, notes regarding delivery reliability requirements.</t>
<t>Added guidance around using JWS and/or JWE to authenticate persisted SETs.</t>
</list>
</t>
<t>
Draft 03 - mbj:
<list style="symbols">
<t>
Addressed problems identified in my 18-Jul-18 review message titled
"Issues for both the Push and Poll Specs".
</t>
<t>
Changes to align terminology with RFC 8417, for instance,
by using the already defined term SET Recipient rather than SET Receiver.
</t>
<t>
Applied editorial and minor normative corrections.
</t>
<t>
Updated Marius' contact information.
</t>
</list>
</t>
<t>
Draft 04 - AB:
<list style="symbols">
<t>Replaced Error Codes with smaller set of meaningfully differentiated codes.</t>
<t>Added more error response examples.</t>
<t>Removed un-referenced normative references.</t>
<t>Added normative reference to JSON in error response definition.</t>
<t>
Added text clarifying that the value of the <spanx style="verb">description</spanx>
attribute in error responses is implementation specific.
</t>
<t>Added requirement that error descriptions and responses are UTF-8 encoded.</t>
<t>
Added error description language preferences and specification via <spanx style="verb">Accept-Language</spanx>
and <spanx style="verb">Content-Language</spanx> headers.
</t>
<t>Added "recognized issuer" validation requirement in section 2.</t>
<t>Added timeouts as an acceptable reason to resend a SET in section 2.</t>
<t>Edited text in section 1 to clarify that configuration is out of scope.</t>
<t>Made minor editorial corrections.</t>
</list>
</t>
<t>
Draft 05 - AB:
<list style="symbols">
<t>Made minor editorial corrections.</t>
<t>Updated example request with a correct SET header and signature.</t>
<t>Revised TLS guidance to allow implementers to provide confidentiality protection via JWE.</t>
<t>Revised TLS guidance to require *at least* TLS 1.2.</t>
<t>Revised TLS guidance to recommend supporting the newest version of TLS that meets security requirements.</t>
<t>Revised SET Delivery Error Code format to allow the same set of characters as is allowed in error codes in RFC6749.</t>
<t>Added mention of HTTP Poll spec to list of other streaming specs in appendix.</t>
<t>Added validation step requiring SET Recipient to verify that the SET is one which the SET Transmitter is expected to send to the SET Recipient.</t>
<t>Changed responding to errors with an appropriate HTTP status code from optional to recommended.</t>
<t>Changed Error Codes registry change policy from Expert Review to First Come First Served; added guidance that error codes are meant to be consumed by automated systems.</t>
<t>Added text making clear that it is up to SET Recipients whether or not they will accept SETs where the SET Issuer is different from the SET Transmitter.</t>
<t>Reworded guidance around signing and/or encrypting SETs for integrity protection.</t>
<t>Renamed TLS "Support Considerations" section to "Confidentiality of SETs".</t>
<t>Reworded guidance around subject identifier selection and privacy concerns.</t>
</list>
</t>
<t>
Draft 06 - mbj, MS:
<list style="symbols">
<t>Made minor editorial corrections.</t>
<t>Updated to indicate that failure response should be returned if errors occur in authenticating the SET.</t>
<t>Updated reference for JSON from RFC 7159 to RFC 8259.</t>
<t>Fixed Authentication Using Signed SETs to indicate the SET Transmitter must be authorized to deliver the SET, not the SET Issuer.</t>
<t>Fixed Authenticating Persisted SETs to put the responsibility for ensuring the SET is signed on the SET Recipient.</t>
<t>Fixed error code format definition to match error codes defined in doc.</t>
</list>
</t>
<t>
Draft 07 - AB:
<list style="symbols">
<t>Made minor editorial corrections.</t>
<t>Removed "SET Recipient" definition and added explicit list of terms used from RFC8417.</t>
</list>
</t>
<t>
Draft 08 - mbj
<list style="symbols">
<t>
Addressed area director review comments by Benjamin Kaduk.
</t>
</list>
</t>
<t>
Draft 09 - mbj + AB
<list style="symbols">
<t>
Corrected editorial nits.
</t>
</list>
</t>
<t>
Draft 10 - AB
<list style="symbols">
<t>
Addressed area director review comments by Benjamin Kaduk:
<list style="symbols">
<t>Added reference to 8417 as definition document for SETs.</t>
<t>
Added text clarifying that determining the SET Recipient's service identity
is out of scope.
</t>
<t>
Added normative recommendation for transmitters to target SETs to specific
business needs of subscribers.
</t>
<t>Minor editorial corrections.</t>
</list>
</t>
</list>
</t>
<t>
Draft 11 - mbj
<list style="symbols">