Security Events

Note: the information below is a snapshot of an older version of the charter.

Document: Proposed charter, Security Events WG (secevent), snapshot
Title: Security Events
Last updated: 2016-10-27
State: External Review (Message to Community, Selected by Secretariat), Rechartering
WG State: Active
IESG Responsible AD: Benjamin Kaduk
Charter Edit AD: Kathleen Moriarty
Send notices to: (None)


Many HTTP web services and APIs depend on a web security infrastructure that:
  * identifies security subjects and regulates their access to services, and
  * provides profile and rights information to applications.

Examples are systems that leverage user-agent session cookies
(RFC 6265) and OAuth 2.0 (RFC 6749). In order to prevent or mitigate
security risks, or to provide out-of-band information as
necessary, these systems need to share security event messages.
For example, an OAuth authorization server that has received a
token revocation request (RFC 7009) may need to inform the affected
resource servers; a cloud provider may wish to inform another
cloud provider of suspected fraudulent use of identity
information; and an identity provider may wish to signal a session
logout to a relying party rather than rely solely upon
clearing a session cookie.

It is expected that several identity and security working groups and
organizations will use Identity Event Tokens to describe area-specific
events such as: SCIM Provisioning Events, OpenID RISC Events, and
OpenID Connect Backchannel Logout, among others.

The Security Events working group will produce a standards-track Event
Token specification that includes:
 - A JWT extension for expressing security events
 - A syntax that enables event-specific data to be conveyed
This Event Token specification will be independent of the event transport.

The working group will also develop a simple standards-track Event
Delivery specification that includes:
 - A mechanism for delivering events using HTTP POST (push)
 - Metadata for describing event feeds
 - Methods for subscribing to and managing event feeds
 - Methods for validating event feed subscriptions