IETF97: Minutes of the secevent session
=======================================

The SecEvent working group met for the first time. The chair recapped the history of the working group formation and the current WG status. Only a handful of people had read the WG drafts prior to the meeting.

Presentations:

RISC: Marius Scurtescu presented on Risk and Incident Sharing and Coordination.
More info at http://openid.net/wg/risc/
There were no comments from the audience.

OIDC Back-Channel Logout use case for SET: Mike Jones presented.
More info at http://openid.net/specs/openid-connect-backchannel-1_0.html
No substantive comments.

Security Event Drafts: Phil Hunt presented.

Justin Richer: Placement of Issuer and Subject in the tokens. Makes sense here (the IdP is generating the logout message itself), but needs to be generalised for cases where a third party sends events. Complex topic, needs offline discussion.

Slides:

Background: SCIM events - good for single-master events, but not multi-master; work going on on multi-master synchronisation. SCIM shut down, so a new place is needed to continue the work. The set of events was similar to what the RISC presentation had.
Idea: there are multiple approaches to the same problem - can this be reconciled into a core protocol?

SET Distribution: HTTP POST, which needs to be parsed and checked before returning OK.

Kathleen Moriarty: In an early stage, so let's consider a broad set of options: what about XMPP Grid? Has pub/sub support, more than ten vendors doing it. XMPP Grid works bidirectionally, and supports a multitude of data formats.
Nancy Cam-Winget: Confirmed XMPP details. Needs secevents to clarify what their requirements re bilateralness are, but should be a good match.
Kathleen Moriarty: On STIX/TAXII. STIX is a huge effort, might end up using something like this. TAXII is some kind of transport, maybe too complex/bloated; keep hearing that it doesn't work. STIX and this work can co-exist; no need to merge into STIX.
Ben ... : "verify" operation: what is the scope?
  Scope is limited to verifying that parsing of the events works, and mapping to an account; not about verifying the account itself (i.e. not checking existence of an email address property etc.).
Remote Comment: Empty HTTP 202 response means "OK"? Shouldn't there be a JSON object inside?
John Bradley: Subject to WG discussion. Personally in favour of an empty message.
Conclusion: Will be put into the draft; can be changed during the WG process at any time.
John Bradley: Should claims be in the object? Does subject have to be in the object? Subject at top-level, mostly for legacy reasons. Issue can be discussed on the list.

Conclusions from Chair: no humming, as too few people have read the drafts. Please read the drafts. Discussions should please happen on-list.
There was some criticism of the existence of the WG, but only one person offering such criticism is here, so...

Bob: Great place for /Identity/ security events. It is difficult to follow discussions as an outsider. Data models for the work here would be very useful to assess applicability in other areas (e.g. IoT).
Kathleen Moriarty: Probably just a naming problem: the WG name "security events" may suggest a larger scope. WG names are not very important in the long run.
Yaron Sheffer: How about a use case document? Could shed light on the lingering privacy issues.
Kathleen Moriarty: Request for more/new working group chairs.
Justin Richer: Driving force and main use case: transaction approval (not only re identity, also "release medical record" type).
William Denniss: JWT is an IETF specification, so this use of it is also inside the process.
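The SET delivery flow discussed above (HTTP POST, parse and check before answering with an empty 202, with "verify" limited to parsing the event and mapping its subject to an account) as an added example; this is not code from the minutes or from any WG draft. The HS256 compact JWS layout, the top-level iss/jti/iat/sub/events claims and the secevent+jwt type are assumed from the JWT and SET specifications; the shared key, account table and event name are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared HMAC key and receiver-side account directory (not real values).
SHARED_KEY = b"constructed-example-key-not-a-real-secret"
ACCOUNTS = {"https://idp.example/users/42": "local-account-42"}
EVENT = "https://example.org/event/constructed-logout"  # constructed event name


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_set(payload: dict, key: bytes = SHARED_KEY) -> str:
    """Build a compact HS256 JWS carrying the SET payload (transmitter side, test input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "secevent+jwt"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def receive_set(token: str, key: bytes = SHARED_KEY) -> tuple[int, str]:
    """Receiver side of the HTTP POST: parse and check the SET before acknowledging.

    Returns (HTTP status, body). 202 with an empty body means accepted; 400 means the
    event could not be parsed, its signature failed, or its subject maps to no account.
    The account itself is not verified, matching the "verify" scope in the minutes.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust "none"
            return 400, "unsupported alg"
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return 400, "bad signature"
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, UnicodeDecodeError) as exc:  # covers base64 and JSON errors
        return 400, f"malformed SET: {exc}"
    for required in ("iss", "jti", "iat", "sub", "events"):  # sub checked at top level
        if required not in claims:
            return 400, f"missing claim {required}"
    if not isinstance(claims["events"], dict) or not claims["events"]:
        return 400, "events must be a non-empty object"
    if claims["sub"] not in ACCOUNTS:
        return 400, "subject does not map to an account"
    return 202, ""
```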