Re: [dispatch] draft-lawrence-sip-3rd-party-authorization-00
fanyanping <fanyanping@huawei.com> Wed, 27 May 2009 05:37 UTC
Return-Path: <fanyanping@huawei.com>
X-Original-To: dispatch@core3.amsl.com
Delivered-To: dispatch@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DBC353A6DFD for <dispatch@core3.amsl.com>; Tue, 26 May 2009 22:37:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.387
X-Spam-Level: **
X-Spam-Status: No, score=2.387 tagged_above=-999 required=5 tests=[AWL=2.197, BAYES_00=-2.599, CN_BODY_35=0.339, MIME_CHARSET_FARAWAY=2.45]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DAX0FoLgzcmR for <dispatch@core3.amsl.com>; Tue, 26 May 2009 22:37:12 -0700 (PDT)
Received: from szxga04-in.huawei.com (szxga04-in.huawei.com [119.145.14.67]) by core3.amsl.com (Postfix) with ESMTP id F105A3A6B30 for <dispatch@ietf.org>; Tue, 26 May 2009 22:37:11 -0700 (PDT)
Received: from huawei.com (szxga04-in [172.24.2.12]) by szxga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0KKA0031IFOS7J@szxga04-in.huawei.com> for dispatch@ietf.org; Wed, 27 May 2009 13:38:52 +0800 (CST)
Received: from huawei.com ([172.24.1.33]) by szxga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0KKA0004VFOSIC@szxga04-in.huawei.com> for dispatch@ietf.org; Wed, 27 May 2009 13:38:52 +0800 (CST)
Received: from f00134301 ([10.85.29.39]) by szxml06-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0KKA00MP4FOSKW@szxml06-in.huawei.com> for dispatch@ietf.org; Wed, 27 May 2009 13:38:52 +0800 (CST)
Date: Wed, 27 May 2009 13:38:52 +0800
From: fanyanping <fanyanping@huawei.com>
In-reply-to: <1243348976.3432.4114.camel@host.home.skrb.org>
To: 'Scott Lawrence' <scott.lawrence@nortel.com>
Message-id: <00cb01c9de8d$6b2b61d0$271d550a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
X-Mailer: Microsoft Office Outlook 11
Content-type: text/plain; charset="gb2312"
Content-transfer-encoding: quoted-printable
Thread-index: AcneHbgM0qQTb1LDSc6uBSEDr9OZLQAY6FHg
Cc: dispatch@ietf.org
Subject: Re: [dispatch] draft-lawrence-sip-3rd-party-authorization-00
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2009 05:37:12 -0000
-----邮件原件----- 发件人: Scott Lawrence [mailto:scott.lawrence@nortel.com] 发送时间: 2009年5月26日 22:43 收件人: fanyanping 抄送: dispatch@ietf.org 主题: Re: [dispatch] draft-lawrence-sip-3rd-party-authorization-00 > Clearly this point needs elaboration... I don't know if you saw my reply last week to Alan on this same point [1] - the example I gave was: > Suppose I have a wiz-bang new feature. I figure out how to negotiate > sessions that use it in SIP, and implement it in some spiffy new UAs. > Given a good SIP fabric, the feature works. But this feature has some > characteristics that mean that I want it to be subject to an > organizational security policy (using it has privacy implications, or it > costs lots of money). If I don't want to trust the endpoints to > evaluate the policy (for reasons described elsewhere), then I need to > have something else do so. But the next-hop device those spiffy new UAs > are attached to is my old-reliable edge intermediate; it's hard to get > changes made to that, and it doesn't know anything about my new wiz-bang > feature, so there's no way to get it to do any security policy > evaluation for me on that feature. If delivery implies authorization, > then all an attacker needs to do is find a way to get the request to the > next-hop old-reliable edge intermediate (probably not hard). > Authorization-by-delivery is weakened by each hop (including the last > one) by which the authorizing entity is separated from the protected resource. If the authorizing entity and the protected resource are separated by only one > > hop, and if that hop is always TLS used so that the protected resource can authenticate the authorizing entity, then there is little opportunity for an attacker > to exploit the separation; but if there is more than one hop, then TLS cannot be used to authenticate the authorizing entity and the authorization-by-delivery > > model breaks down. it's very clear, thanks :) > > In addition, i agree that the issues described in your draft are > > really very important. But I don’t understand clearly how the > > requirement of “Authorizing Third Party” can solve them. I can’t get > > the requirements you proposed from these problems. > I guess I'd have to ask you what problem you think is not addressed. the section 3 in your draft describe the problem that authorizing entity doesn't know the service which the request is being used to implement , so it can not make the authorization decision appropriately. is it right? I don’t understand clearly how the requirement of “Authorizing Third Party” can solve the problem. [1] http://www.ietf.org/mail-archive/web/dispatch/current/msg00070.html
- [dispatch] draft-lawrence-sip-3rd-party-authoriza… Scott Lawrence
- Re: [dispatch] draft-lawrence-sip-3rd-party-autho… Dutkiewicz, Marek
- Re: [dispatch] draft-lawrence-sip-3rd-party-autho… fanyanping
- Re: [dispatch] draft-lawrence-sip-3rd-party-autho… Scott Lawrence
- Re: [dispatch] draft-lawrence-sip-3rd-party-autho… fanyanping
- Re: [dispatch] draft-lawrence-sip-3rd-party-autho… Scott Lawrence
- Re: [dispatch] draft-lawrence-sip-3rd-party-autho… Mary Barnes
- Re: [dispatch] draft-lawrence-sip-3rd-party-autho… Dale Worley
- Re: [dispatch] draft-lawrence-sip-3rd-party-autho… Mary Barnes