Difference between revisions of "Subject ID"

From MgmtWiki
(Solutions)
 
(14 intermediate revisions by the same user not shown)
Line 3: Line 3:
  
 
==Context==
 
==Context==
* Many web sites require users to have a persistent user name which is unique on their site to identify the user.
+
* This is a subset of the larger topic [[Subject Identifier]] which looks at the Identifier in all of the locations where it might be discovered and defines types of Identifier.
* As a general rule [[Web Site]]s, and as a practical rule [[Identifier or Attribute Provider]]s require that the pseudonym be unique within their domain; thus the pseudonym@domain.tld will be a valid [[URI]].
+
* Some providers will reuse [[Subject ID]]s once a connection to a real user has been broken for some specified period of time. Email addresses, in particular, typically have this characteristic. An implementation that was compliant with [[OpenID Connect]] would not reuse [[Subject ID]]s.
* Some providers will reuse [[Subject ID]]s once a connection to a real user has been broken for some specified period of time. Email addresses, in particular, typically have this characteristic. A fully compliant implementation would not reuse [[Subject ID]]s.
+
* There is a draft RFC on [[Subject ID]]s for use in [[Security Event Token]]s [https://tools.ietf.org/html/draft-ietf-secevent-subject-identifiers Subject Identifiers for Security Event Tokens].
  
 
==Problems==
 
==Problems==
*
+
* While the [[Subject ID]] (sub) is often taken to be a persistent [[Identifier]] for a real-world entity, there are several examples of its use as and [[Ephemeral]] ID.
  
 
==Solutions==
 
==Solutions==
* Users are often asked to use their email address or cell phone number as a local user name since the email address and phone number with country code (+1 in North America) are known to be a [[URI]] and hence unique in that context. Reuse of email and phone numbers could be an issue.
+
* Users are often asked to use their email address or cell phone number as a local user name since the email address and phone number with country code (+1 in North America) are known to be a [[URI]] and hence unique in that context. Reuse of email and phone numbers could be an issue. Note that these [[Identifier]]s are also subject to change at the [[user]]'s discretion and can be diverted by a determined attacker.
 +
* This wiki uses [[Subject ID]] primarily as identifying the subject of a claim about a real-world entity. It is subject to revocation by the user or the claim issuer at any time.
 +
 
 +
===Other Definitions===
 +
 
 +
*From JWT<ref>M. Jones J. Bradley N. Sakimura, ''JSON Web Token (JWT).'' (2016-02) IETF https://tools.ietf.org/html/rfc7519</ref> <blockquote>The "sub" (subject) claim identifies the principal that is the subject of the JWT.  The Claims in a JWT are normally statements about the subject.  The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique. The processing of this claim is generally application specific.  The "sub" value is a case-sensitive string containing a StringOrURI value.  Use of this claim is OPTIONAL.</blockquote>
 +
*From [[Security Event Token]]  <blockquote> A Subject Identifier Type is a light-weight schema that describes a  set of claims that identifies a subject.  Every Subject Identifier  Type MUST have a unique name registered in the IANA "Security Event  Subject Identifier Types" registry established by Section 6.1 of [[Security Event Token]].  A  Subject Identifier Type MAY describe more claims than are strictly necessary to identify a subject, and MAY describe conditions under which those claims are required, optional, or prohibited.</blockquote>
  
 
==References==
 
==References==
# Synonyms for a [[Subject ID]] include [[User Name]], display name, gamertag, nom de guerre, [[Pseudonym]] or (on Facebook) Fake Name subject to arbitrary termination.
+
# Synonyms for a [[Subject ID]] include [[User Name]], display name, gamertag, nom de guerre, [[Pseudonym]], [[URI]] or (on Facebook) Name subject to arbitrary termination.
 
# Anonym is not used in the context of identity as it does not provide one. It may be used as the condition (Anonymous) of a user prior to accepting (1) a cookie, (2) a fixed IP address, (3) an HTTPS connection or (4) a request for an [[Identifier]].
 
# Anonym is not used in the context of identity as it does not provide one. It may be used as the condition (Anonymous) of a user prior to accepting (1) a cookie, (2) a fixed IP address, (3) an HTTPS connection or (4) a request for an [[Identifier]].
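Review bot: The added Problems bullet states that "there are several examples" of sub being used as an [[Ephemeral]] ID but names none; cite at least one, or link to a page that lists them, so the claim can be checked. The same line reads "as and [[Ephemeral]] ID", which should be "as an [[Ephemeral]] ID". In the added JWT reference, the author list "M. Jones J. Bradley N. Sakimura" has no separators between names.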
  

Latest revision as of 17:11, 16 November 2020

Full Title or Meme

A Subject ID is a digital Identifier associated with some real-world Entity that has established an interchange on the internet by means of a User Agent.

Context

  • This is a subset of the larger topic Subject Identifier which looks at the Identifier in all of the locations where it might be discovered and defines types of Identifier.
  • Some providers will reuse Subject IDs once a connection to a real user has been broken for some specified period of time. Email addresses, in particular, typically have this characteristic. An implementation that was compliant with OpenID Connect would not reuse Subject IDs.
  • There is a draft RFC on Subject IDs for use in Security Event Tokens: Subject Identifiers for Security Event Tokens (https://tools.ietf.org/html/draft-ietf-secevent-subject-identifiers).

Problems

  • While the Subject ID (sub) is often taken to be a persistent Identifier for a real-world entity, there are several examples of its use as an Ephemeral ID.

Solutions

  • Users are often asked to use their email address or cell phone number as a local user name, since an email address or a phone number with country code (+1 in North America) is known to be a URI and hence unique in that context. Reuse of email addresses and phone numbers could be an issue. Note that these Identifiers are also subject to change at the user's discretion and can be diverted by a determined attacker.
  • This wiki uses Subject ID primarily as identifying the subject of a claim about a real-world entity. It is subject to revocation by the user or the claim issuer at any time.

Other Definitions

  • From JWT[1]
    The "sub" (subject) claim identifies the principal that is the subject of the JWT. The Claims in a JWT are normally statements about the subject. The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique. The processing of this claim is generally application specific. The "sub" value is a case-sensitive string containing a StringOrURI value. Use of this claim is OPTIONAL.
  • From Security Event Token
    A Subject Identifier Type is a light-weight schema that describes a set of claims that identifies a subject. Every Subject Identifier Type MUST have a unique name registered in the IANA "Security Event Subject Identifier Types" registry established by Section 6.1 of Security Event Token. A Subject Identifier Type MAY describe more claims than are strictly necessary to identify a subject, and MAY describe conditions under which those claims are required, optional, or prohibited.
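The JWT rule quoted above (sub is unique only within its issuer, and case-sensitive), combined with the reuse problem noted under Context, points to keying local accounts on the (iss, sub) pair and treating email as a mutable attribute. The following is an added example, not code from this wiki or from any specification; the AccountStore class, issuer URLs and claim values are constructed for illustration.

```python
"""Key relying-party accounts on (iss, sub), never on a reusable email."""


class AccountStore:
    """Hypothetical in-memory account table for a relying party."""

    def __init__(self):
        self._by_subject = {}  # (iss, sub) -> account record

    def resolve(self, claims):
        """Return the local account for already-validated token claims.

        Assumes signature, audience and expiry were verified by the caller.
        """
        iss, sub = claims.get("iss"), claims.get("sub")
        # RFC 7519 makes "sub" OPTIONAL, so require it explicitly here.
        if not (isinstance(iss, str) and iss and isinstance(sub, str) and sub):
            raise ValueError("iss and sub are both required to identify a subject")
        # sub is only unique within its issuer, and is compared exactly
        # (case-sensitive, no trimming or lower-casing).
        key = (iss, sub)
        account = self._by_subject.get(key)
        if account is None:
            account = {"id": len(self._by_subject) + 1, "iss": iss, "sub": sub}
            self._by_subject[key] = account
        # Email is refreshed on each login but never used as a lookup key.
        account["email"] = claims.get("email")
        return account


# Constructed sample claims (issuers and values are illustrative only).
ALICE = {"iss": "https://idp.example", "sub": "8f3a-Alice", "email": "a@mail.example"}
# A different person who later received the recycled mailbox a@mail.example.
RECYCLED = {"iss": "https://idp.example", "sub": "c71d-Bob", "email": "a@mail.example"}
# The same sub string from another provider is a different subject.
OTHER_IDP = {"iss": "https://other.example", "sub": "8f3a-Alice", "email": "x@mail.example"}
# Differs from ALICE only by letter case: also a different subject.
CASE_VARIANT = dict(ALICE, sub="8f3a-alice")


def demo():
    """Resolve each login in turn and return the local account ids."""
    store = AccountStore()
    logins = (ALICE, RECYCLED, OTHER_IDP, CASE_VARIANT, ALICE)
    return [store.resolve(claims)["id"] for claims in logins]


if __name__ == "__main__":
    print(demo())
```

The holder of the recycled mailbox gets a new account instead of inheriting the original one, and only a repeat login with the same (iss, sub) pair maps back to the first account.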

References

  1. Synonyms for a Subject ID include User Name, display name, gamertag, nom de guerre, Pseudonym, URI or (on Facebook) Name subject to arbitrary termination.
  2. Anonym is not used in the context of identity as it does not provide one. It may be used as the condition (Anonymous) of a user prior to accepting (1) a cookie, (2) a fixed IP address, (3) an HTTPS connection or (4) a request for an Identifier.
    1. M. Jones, J. Bradley, N. Sakimura, JSON Web Token (JWT). (2016-02) IETF https://tools.ietf.org/html/rfc7519