IETF Logo Mail Archive

Re: [dispatch] draft-lawrence-sip-3rd-party-authorization-00

fanyanping <fanyanping@huawei.com> Wed, 27 May 2009 05:37 UTC

Return-Path: <fanyanping@huawei.com>
X-Original-To: dispatch@core3.amsl.com
Delivered-To: dispatch@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DBC353A6DFD for <dispatch@core3.amsl.com>; Tue, 26 May 2009 22:37:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.387
X-Spam-Level: **
X-Spam-Status: No, score=2.387 tagged_above=-999 required=5 tests=[AWL=2.197, BAYES_00=-2.599, CN_BODY_35=0.339, MIME_CHARSET_FARAWAY=2.45]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DAX0FoLgzcmR for <dispatch@core3.amsl.com>; Tue, 26 May 2009 22:37:12 -0700 (PDT)
Received: from szxga04-in.huawei.com (szxga04-in.huawei.com [119.145.14.67]) by core3.amsl.com (Postfix) with ESMTP id F105A3A6B30 for <dispatch@ietf.org>; Tue, 26 May 2009 22:37:11 -0700 (PDT)
Received: from huawei.com (szxga04-in [172.24.2.12]) by szxga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0KKA0031IFOS7J@szxga04-in.huawei.com> for dispatch@ietf.org; Wed, 27 May 2009 13:38:52 +0800 (CST)
Received: from huawei.com ([172.24.1.33]) by szxga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0KKA0004VFOSIC@szxga04-in.huawei.com> for dispatch@ietf.org; Wed, 27 May 2009 13:38:52 +0800 (CST)
Received: from f00134301 ([10.85.29.39]) by szxml06-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0KKA00MP4FOSKW@szxml06-in.huawei.com> for dispatch@ietf.org; Wed, 27 May 2009 13:38:52 +0800 (CST)
Date: Wed, 27 May 2009 13:38:52 +0800
From: fanyanping <fanyanping@huawei.com>
In-reply-to: <1243348976.3432.4114.camel@host.home.skrb.org>
To: 'Scott Lawrence' <scott.lawrence@nortel.com>
Message-id: <00cb01c9de8d$6b2b61d0$271d550a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
X-Mailer: Microsoft Office Outlook 11
Content-type: text/plain; charset="gb2312"
Content-transfer-encoding: quoted-printable
Thread-index: AcneHbgM0qQTb1LDSc6uBSEDr9OZLQAY6FHg
Cc: dispatch@ietf.org
Subject: Re: [dispatch] draft-lawrence-sip-3rd-party-authorization-00
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2009 05:37:12 -0000

 

-----邮件原件-----
发件人: Scott Lawrence [mailto:scott.lawrence@nortel.com] 
发送时间: 2009年5月26日 22:43
收件人: fanyanping
抄送: dispatch@ietf.org
主题: Re: [dispatch] draft-lawrence-sip-3rd-party-authorization-00

> Clearly this point needs elaboration... I don't know if you saw my reply
last week to Alan on this same point [1] - the example I gave was:
        
       > Suppose I have a wiz-bang new feature.  I figure out how to
negotiate
       > sessions that use it in SIP, and implement it in some spiffy new
UAs.
       > Given a good SIP fabric, the feature works.  But this feature has
some
       > characteristics that mean that I want it to be subject to an
       > organizational security policy (using it has privacy implications,
or it
       > costs lots of money).  If I don't want to trust the endpoints to
       > evaluate the policy (for reasons described elsewhere), then I need
to
       > have something else do so.  But the next-hop device those spiffy
new UAs
       > are attached to is my old-reliable edge intermediate; it's hard to
get
       > changes made to that, and it doesn't know anything about my new
wiz-bang
       > feature, so there's no way to get it to do any security policy
       > evaluation for me on that feature.   If delivery implies
authorization,
       > then all an attacker needs to do is find a way to get the request
to the
       > next-hop old-reliable edge intermediate (probably not hard).
   
> Authorization-by-delivery is weakened by each hop (including the last
> one) by which the authorizing entity is separated from the protected
resource.  If the authorizing entity and the protected resource are
separated by only one > > hop, and if that hop is always TLS used so that
the protected resource can authenticate the authorizing entity, then there
is little opportunity for an attacker > to exploit the separation; but if
there is more than one hop, then TLS cannot be used to authenticate the
authorizing entity and the authorization-by-delivery > > model breaks down. 

it's very clear, thanks :) 

    > > In addition, i agree that the issues described in your draft are 
    > > really very important. But I don’t understand clearly how the 
    > > requirement of “Authorizing Third Party” can solve them. I can’t
get 
    > > the requirements you proposed from these problems.

> I guess I'd have to ask you what problem you think is not addressed.

the section 3  in your draft describe the problem that  authorizing entity
doesn't know the service which the request is being used to implement , so
it  can not  make the authorization decision  appropriately. is it right?
I don’t understand clearly how the requirement of “Authorizing Third
Party” can solve the problem.

 


[1] http://www.ietf.org/mail-archive/web/dispatch/current/msg00070.html

v2.23.0 | Report a Bug | By Email