Security Events
charter-ietf-secevent-00-00

The information below is for an older proposed charter
Document: Proposed charter, Security Events WG (secevent), Snapshot
Title: Security Events
Last updated: 2016-10-13
State: Start Chartering/Rechartering (Internal Steering Group/IAB Review)
WG State: Proposed
IESG Responsible AD: Roman Danyliw
Charter edit AD: Kathleen Moriarty
Send notices to: (None)

Many identity-related protocols require a mechanism to convey messages between
systems in order to prevent or mitigate security risks, or to provide
out-of-band information as necessary. For example, an OAuth authorization
server, having received a token revocation request (RFC 7009), may need to
inform affected resource servers; a cloud provider may wish to inform another
cloud provider of suspected fraudulent use of identity information; an
identity provider may wish to signal a session logout to a relying party.

It is expected that several identity and security working groups and
organizations will use Identity Event Tokens to describe area-specific
events such as: SCIM Provisioning Events, OpenID RISC Events, and
OpenID Connect Backchannel Logout, among others.

The Security Events working group will produce a standards-track Event Token
specification that includes:
- A JWT extension for expressing security events
- A syntax that enables event-specific data to be conveyed

This Event Token specification will be event-transport independent.

The working group will also develop a simple standards-track Event Delivery
specification that includes:
- A method for delivering events using HTTP POST (push)
- Metadata for describing event feeds
- Methods for subscribing to and managing event feeds
- Methods for validating event feed subscriptions