The two Security Event Token (SET) delivery specifications have been updated to address working group feedback received, in preparation for discussions at IETF 104 in Prague. The Push Delivery spec went through working group last call (WGLC). It has been updated to incorporate the WGLC comments. Changes made are summarized in the spec change log, the contents of which were also posted to the working group mailing list. Thanks to Annabelle Backman for the edits to the Push Delivery spec.
It’s worth noting that the Push Delivery spec and the Security Event Token (SET) are now being used in early Risk and Incident Sharing and Coordination (RISC) deployments, including between Google and Adobe. See the article about these deployments by Mat Honan of BuzzFeed.
Changes to the Poll Delivery spec are also summarized in that spec’s change log, which contains:
- Removed vestigial language remaining from when the push and poll delivery methods were defined in a common specification.
- Replaced remaining uses of the terms Event Transmitter and Event Recipient with the correct terms SET Transmitter and SET Recipient.
- Removed uses of the unnecessary term “Event Stream”.
- Removed dependencies between the semantics of
maxEvents
andreturnImmediately
. - Said that PII in SETs is to be encrypted with TLS, JWE, or both.
- Corrected grammar and spelling errors.
The specifications are available at:
- https://tools.ietf.org/html/draft-ietf-secevent-http-push-05
- https://tools.ietf.org/html/draft-ietf-secevent-http-poll-02
HTML-formatted versions are also available at: