Secevent Status Pages
Security Events (Active WG) |
Sec Area: Roman Danyliw, Benjamin Kaduk | 2016-Oct-28 —
2020-01-10 charter
Security Events (secevent)
--------------------------

Charter

Current Status: Active

Chairs:
  Dick Hardt <dick.hardt@gmail.com>
  Yaron Sheffer <yaronf.ietf@gmail.com>

Security Area Directors:
  Roman Danyliw <rdd@cert.org>
  Benjamin Kaduk <kaduk@mit.edu>

Security Area Advisor:
  Benjamin Kaduk <kaduk@mit.edu>

Mailing Lists:
  General Discussion: id-event@ietf.org
  To Subscribe: https://www.ietf.org/mailman/listinfo/id-event
  Archive: https://mailarchive.ietf.org/arch/browse/id-event/

Description of Working Group:

Many HTTP web services and APIs depend on a web security infrastructure that:

* identifies security subjects and regulates their access to services
* and provides profile and rights information to applications.

Examples are systems that leverage user-agent session cookies (RFC6265), and OAuth2 (RFC6749).

In order to prevent or mitigate security risks, or to provide out-of-band information as necessary, these systems need to share security event messages. For example, an OAuth authorization server, having received a token revocation request (RFC7009) may need to inform affected resource servers; a cloud provider may wish to inform another cloud provider of suspected fraudulent use of identity information; an identity provider may wish to signal a session logout to a relying party and does not wish to rely solely upon clearing a session cookie.

It is expected that several identity and security working groups and organizations will use Identity Event Tokens to describe area-specific events such as: SCIM Provisioning Events, OpenID RISC Events, and OpenID Connect Backchannel Logout, among others.

The Security Events working group will produce a standards-track Event Token specification that includes:

- A JWT extension for expressing security events
- A syntax that enables event-specific data to be conveyed

This Event Token specification will be event transport independent.

The working group will also develop a simple standards-track Event Delivery specification that includes:

- A mechanism for delivering events using HTTP POST (push)
- Metadata for describing event feeds
- Methods for subscribing to and managing event feeds
- Methods for validating event feed subscriptions

Goals and Milestones:

  Nov 2017 - WG last call of event delivery draft
  Jan 2018 - Event delivery draft to IESG as a Proposed Standard
  Mar 2018 - Recharter or Conclude
  Done - Initial adoption of event token and event delivery drafts
  Done - WG last call of event token draft
  Done - Event token draft to IESG as a Proposed Standard
All charter page changes, including changes to draft-list, rfc-list and milestones: