Re: [dispatch] draft-lawrence-sip-3rd-party-authorization-00
"Scott Lawrence" <scott.lawrence@nortel.com> Tue, 26 May 2009 14:43 UTC
Return-Path: <scott.lawrence@nortel.com>
X-Original-To: dispatch@core3.amsl.com
Delivered-To: dispatch@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9327828C31A for <dispatch@core3.amsl.com>; Tue, 26 May 2009 07:43:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.064
X-Spam-Level:
X-Spam-Status: No, score=-6.064 tagged_above=-999 required=5 tests=[AWL=0.535, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vEFIBlfbBXsg for <dispatch@core3.amsl.com>; Tue, 26 May 2009 07:43:07 -0700 (PDT)
Received: from zrtps0kp.nortel.com (zrtps0kp.nortel.com [47.140.192.56]) by core3.amsl.com (Postfix) with ESMTP id 24C943A710B for <dispatch@ietf.org>; Tue, 26 May 2009 07:41:35 -0700 (PDT)
Received: from zrtphxs1.corp.nortel.com (casmtp.ca.nortel.com [47.140.202.46]) by zrtps0kp.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id n4QEgwa12676; Tue, 26 May 2009 14:42:59 GMT
Received: from [127.0.0.1] ([47.17.25.99]) by zrtphxs1.corp.nortel.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 26 May 2009 10:42:57 -0400
From: Scott Lawrence <scott.lawrence@nortel.com>
To: fanyanping <fanyanping@huawei.com>
In-Reply-To: <003c01c9dd99$6de66400$271d550a@china.huawei.com>
References: <003c01c9dd99$6de66400$271d550a@china.huawei.com>
Content-Type: text/plain; charset="UTF-8"
Organization: Nortel Networks
Date: Tue, 26 May 2009 14:42:56 +0000
Message-Id: <1243348976.3432.4114.camel@host.home.skrb.org>
Mime-Version: 1.0
X-Mailer: Evolution 2.24.5 (2.24.5-1.fc10)
Content-Transfer-Encoding: quoted-printable
X-OriginalArrivalTime: 26 May 2009 14:42:57.0770 (UTC) FILETIME=[42C32CA0:01C9DE10]
Cc: dispatch@ietf.org
Subject: Re: [dispatch] draft-lawrence-sip-3rd-party-authorization-00
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2009 14:43:08 -0000
On Tue, 2009-05-26 at 08:32 +0800, fanyanping wrote: > Hi Scott, > > I spend some time reading your draft,there is one place i don’t > understand clearly, could you please explain more detail, thanks. > > “The requirement for adjacency interferes with a property of SIP that > is otherwise one of its great strengths: that a proxy (or other > well-behaved Intermediate) need not understand every aspect of the > requests and responses it forwards. 。。。。。。。。“ > > I’m understanding that you imply a new feature needs the Intermediate > entites which make the authorization decision to be upgraded. > However,Is there something associated with adjacency? > Clearly this point needs elaboration... I don't know if you saw my reply last week to Alan on this same point [1] - the example I gave was: Suppose I have a wiz-bang new feature. I figure out how to negotiate sessions that use it in SIP, and implement it in some spiffy new UAs. Given a good SIP fabric, the feature works. But this feature has some characteristics that mean that I want it to be subject to an organizational security policy (using it has privacy implications, or it costs lots of money). If I don't want to trust the endpoints to evaluate the policy (for reasons described elsewhere), then I need to have something else do so. But the next-hop device those spiffy new UAs are attached to is my old-reliable edge intermediate; it's hard to get changes made to that, and it doesn't know anything about my new wiz-bang feature, so there's no way to get it to do any security policy evaluation for me on that feature. If delivery implies authorization, then all an attacker needs to do is find a way to get the request to the next-hop old-reliable edge intermediate (probably not hard). Authorization-by-delivery is weakened by each hop (including the last one) by which the authorizing entity is separated from the protected resource. If the authorizing entity and the protected resource are separated by only one hop, and if that hop is always TLS used so that the protected resource can authenticate the authorizing entity, then there is little opportunity for an attacker to exploit the separation; but if there is more than one hop, then TLS cannot be used to authenticate the authorizing entity and the authorization-by-delivery model breaks down. > In addition, i agree that the issues described in your draft are > really very important. But I don’t understand clearly how the > requirement of “Authorizing Third Party” can solve them. I can’t get > the requirements you proposed from these problems. I guess I'd have to ask you what problem you think is not addressed. > PS: > > there is one suggestion about the section 2.2, I think the following > paragraphs could be in the section 2.2.1 and have a new title “User > Agent Based Authorization”. Because all of them are describing the > problems of “User Agent Based Authorization”. That's a thought... [1] http://www.ietf.org/mail-archive/web/dispatch/current/msg00070.html
- [dispatch] draft-lawrence-sip-3rd-party-authoriza… Scott Lawrence
- Re: [dispatch] draft-lawrence-sip-3rd-party-autho… Dutkiewicz, Marek
- Re: [dispatch] draft-lawrence-sip-3rd-party-autho… fanyanping
- Re: [dispatch] draft-lawrence-sip-3rd-party-autho… Scott Lawrence
- Re: [dispatch] draft-lawrence-sip-3rd-party-autho… fanyanping
- Re: [dispatch] draft-lawrence-sip-3rd-party-autho… Scott Lawrence
- Re: [dispatch] draft-lawrence-sip-3rd-party-autho… Mary Barnes
- Re: [dispatch] draft-lawrence-sip-3rd-party-autho… Dale Worley
- Re: [dispatch] draft-lawrence-sip-3rd-party-autho… Mary Barnes