{"id":1961,"date":"2019-03-12T15:09:46","date_gmt":"2019-03-12T22:09:46","guid":{"rendered":"https:\/\/self-issued.info\/?p=1961"},"modified":"2019-03-12T15:09:46","modified_gmt":"2019-03-12T22:09:46","slug":"security-event-token-set-delivery-specifications-updated-in-preparation-for-ietf-104","status":"publish","type":"post","link":"https:\/\/self-issued.info\/?p=1961","title":{"rendered":"Security Event Token (SET) delivery specifications updated in preparation for IETF 104"},"content":{"rendered":"<p><span class=\"plain\"><img decoding=\"async\" align=\"right\" alt=\"IETF logo\" src=\"https:\/\/self-issued.info\/images\/ietf-logo.png\"><\/span>The two Security Event Token (SET) delivery specifications have been updated to address working group feedback received, in preparation for discussions at <a href=\"https:\/\/www.ietf.org\/how\/meetings\/104\/\">IETF 104 in Prague<\/a>.  The Push Delivery spec went through working group last call (WGLC).  It has been updated to incorporate the WGLC comments.  Changes made are summarized in the spec change log, the contents of which were also <a href=\"https:\/\/mailarchive.ietf.org\/arch\/msg\/id-event\/dHrUPIexqCYswXftEYxFELNvWaw\">posted<\/a> to the working group mailing list.  Thanks to Annabelle Backman for the edits to the Push Delivery spec.<\/p>\n<p>It&#8217;s worth noting that the Push Delivery spec and the <a href=\"https:\/\/tools.ietf.org\/html\/rfc8417\">Security Event Token (SET)<\/a> are now being used in early <a href=\"https:\/\/openid.net\/wg\/risc\/\">Risk and Incident Sharing and Coordination (RISC)<\/a> deployments, including between <a href=\"https:\/\/www.blog.google\/technology\/safety-security\/google-password-checkup-cross-account-protection\/\">Google<\/a> and <a href=\"https:\/\/blogs.adobe.com\/security\/2019\/02\/adobe-supports-openid-risc-integration-with-google-social-authentication.html\">Adobe<\/a>.  See the <a href=\"https:\/\/www.buzzfeednews.com\/article\/mathonan\/google-new-security-feature-will-stop-hacks-from-spreading\">article about these deployments<\/a> by Mat Honan of BuzzFeed.<\/p>\n<p>Changes to the Poll Delivery spec are also summarized in that spec&#8217;s change log, which contains:<\/p>\n<ul>\n<li>Removed vestigial language remaining from when the push and poll delivery methods were defined in a common specification.<\/li>\n<li>Replaced remaining uses of the terms Event Transmitter and Event Recipient with the correct terms SET Transmitter and SET Recipient.<\/li>\n<li>Removed uses of the unnecessary term &#8220;Event Stream&#8221;.<\/li>\n<li>Removed dependencies between the semantics of <code>maxEvents<\/code> and <code>returnImmediately<\/code>.<\/li>\n<li>Said that PII in SETs is to be encrypted with TLS, JWE, or both.<\/li>\n<li>Corrected grammar and spelling errors.<\/li>\n<\/ul>\n<p>The specifications are available at:<\/p>\n<ul>\n<li><a href=\"https:\/\/tools.ietf.org\/html\/draft-ietf-secevent-http-push-05\">https:\/\/tools.ietf.org\/html\/draft-ietf-secevent-http-push-05<\/a><\/li>\n<li><a href=\"https:\/\/tools.ietf.org\/html\/draft-ietf-secevent-http-poll-02\">https:\/\/tools.ietf.org\/html\/draft-ietf-secevent-http-poll-02<\/a><\/li>\n<\/ul>\n<p>HTML-formatted versions are also available at:<\/p>\n<ul>\n<li><a href=\"https:\/\/self-issued.info\/docs\/draft-ietf-secevent-http-push-05.html\">https:\/\/self-issued.info\/docs\/draft-ietf-secevent-http-push-05.html<\/a><\/li>\n<li><a href=\"https:\/\/self-issued.info\/docs\/draft-ietf-secevent-http-poll-02.html\">https:\/\/self-issued.info\/docs\/draft-ietf-secevent-http-poll-02.html<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The two Security Event Token (SET) delivery specifications have been updated to address working group feedback received, in preparation for discussions at IETF 104 in Prague. The Push Delivery spec went through working group last call (WGLC). It has been updated to incorporate the WGLC comments. Changes made are summarized in the spec change log, [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32,14,23,25],"tags":[],"class_list":["post-1961","post","type-post","status-publish","format-standard","hentry","category-ietf","category-openid","category-security","category-specifications"],"_links":{"self":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/1961","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1961"}],"version-history":[{"count":1,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/1961\/revisions"}],"predecessor-version":[{"id":1962,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/1961\/revisions\/1962"}],"wp:attachment":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1961"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1961"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1961"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}