Re: OPS-DIR review of draft-ietf-tram-turn-third-party-authz-08
Tom Taylor <tom.taylor.stds@gmail.com> Wed, 04 February 2015 19:02 UTC
Return-Path: <tom.taylor.stds@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DEFD1A1B59; Wed, 4 Feb 2015 11:02:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wU8ycC-xhF87; Wed, 4 Feb 2015 11:02:11 -0800 (PST)
Received: from mail-ig0-x232.google.com (mail-ig0-x232.google.com [IPv6:2607:f8b0:4001:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17F791A0155; Wed, 4 Feb 2015 11:02:11 -0800 (PST)
Received: by mail-ig0-f178.google.com with SMTP id hl2so6247414igb.5; Wed, 04 Feb 2015 11:02:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=DglMuaUR++PQxMrHFc46t7USzuwOGs6H4jZCoX79/ms=; b=z73xoEbPQon3cn2czLnBkqvkCuEMicmueriX8vfzcqDsxndNXnzg+q59ZRiOoKxdhC suBIrEWo4MTkDeHRL+yyIbaiOTbfCp8GA5E9PP44gKyKD8jDAtRo4tentPZJ9SB13sF9 ehOrfiArOIyzZ/1QXzDULTdMXuBjKmmUrenEKcRISHW4dMu8x+TwZF4o5xH13ZrZfovI F6BtGQ5UBwetLWtcbn68mpB5DGSyKbD+9o2Cm4n00AFaX5KfTgUjOUgAYKzroBJwZSLg +eAPOeCnkMWGaSaX8Uqj5+lXp8I6G4AbIsy7a8206lD/BJRAdLcrLYtyTMM764DZo9iA cEhg==
X-Received: by 10.42.190.207 with SMTP id dj15mr3158795icb.73.1423076530269; Wed, 04 Feb 2015 11:02:10 -0800 (PST)
Received: from [192.168.0.101] (dsl-173-206-73-98.tor.primus.ca. [173.206.73.98]) by mx.google.com with ESMTPSA id a204sm1289941ioe.2.2015.02.04.11.02.09 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 04 Feb 2015 11:02:09 -0800 (PST)
Message-ID: <54D26CA7.6090909@gmail.com>
Date: Wed, 04 Feb 2015 14:01:59 -0500
From: Tom Taylor <tom.taylor.stds@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, "ops-dir@ietf.org" <ops-dir@ietf.org>, "Prashanth Patil (praspati)" <praspati@cisco.com>, "Ram Mohan R (rmohanr)" <rmohanr@cisco.com>, Justin Uberti <justin@uberti.com>, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, Spencer Dawkins <spencerdawkins.ietf@gmail.com>, The IETF <ietf@ietf.org>
Subject: Re: OPS-DIR review of draft-ietf-tram-turn-third-party-authz-08
References: <913383AAA69FF945B8F946018B75898A35538FB4@xmb-rcd-x10.cisco.com>
In-Reply-To: <913383AAA69FF945B8F946018B75898A35538FB4@xmb-rcd-x10.cisco.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/Q5dJ8sHOwH7s52Wg-ZfxN1dM7KU>
X-Mailman-Approved-At: Wed, 04 Feb 2015 12:15:45 -0800
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Feb 2015 19:02:13 -0000
Removed the WG from the distribution list, since the original E-mail made the points I figured they needed to see. Responses with [PTT] below. Tom Taylor On 04/02/2015 12:22 PM, Tirumaleswar Reddy (tireddy) wrote: > Thanks Tom for the review. Please see inline > >> -----Original Message----- >> From: Tom Taylor [mailto:tom.taylor.stds@gmail.com] >> Sent: Wednesday, February 04, 2015 3:39 AM >> To: ops-dir@ietf.org; Tirumaleswar Reddy (tireddy); Prashanth Patil >> (praspati); Ram Mohan R (rmohanr); Justin Uberti; Gonzalo Camarillo; >> Spencer Dawkins; The IETF; tram@ietf.org >> Cc: Christer Holmberg >> Subject: OPS-DIR review of draft-ietf-tram-turn-third-party-authz-08 >> ... > > I will add Operational Considerations section to the draft. > [PTT] ACK >> >> Other issues: >> >> 1. The procedures by which the client obtains the OAuth token are declared >> out of scope (middle of first paragraph of Section 3), yet a fair amount of text >> in the document deals with this topic. Either the declaration of scope should >> be changed or the examples of interaction between the client and the >> authorization server and related detailed procedural statements should be >> moved to an informative appendix. > > If we remove the below line, would that address your comment ? > > "The exact mechanism used by a client to obtain a token from the OAuth authorization server is outside the scope of this document." > [PTT] Yes, but I think I would have to re-review to ensure that the mechanism is well specified. I am worried about the status of the OAuth work (the PoP mechanism) that you depend on. Does it become a normative reference as a result of bringing the OAuth interchange into scope? > >> Fundamentally this document is not about WebRTC (even though that is the >> primary application the authors have in mind) and so WebRTC has no place >> in the body of the document. The rewriting would be a fair amount of work, >> but I will volunteer to help rework the text if need be. > > WebRTC is only used an example in this document to demonstrate its usage. STUN (rfc5389) also references SIP in various places. > Please clarify why this is a concern ? > [PTT] WebRTC brings in an unnecessary additional complication that obscures what you are trying to standardize: the interactions between a STUN/TURN client, a STUN/TURN server, and an OAuth authorization server. It would be perfectly appropriate to mention in the introduction that the OAuth authorization server could be collocated with a WebRTC server, but otherwise WebRTC is irrelevant to what you are standardizing. It just clutters up your text and distracts the reader. >> >> 2. The paragraph below Figure 2 in Section 3 talks of a future capability, >> algorithm agility. Part of the description mentions that the client sends the >> intersection of the algorithms common to it and the STUN server to the >> authorization server. The reason to do this depends specifically on the >> statement that the authorization server generates the session key between >> the client and resource server in draft-ietf-oauth-pop-key-distribution (which >> BTW is expired). I can see the point of this paragraph in providing a warning >> to implementors, but it is probably too speculative unless the depended- >> upon I-Ds (stunbis and oauth-pop-key) are very close to completion. At the >> least, the sentence relating to the interaction between the client and >> authorization server could be removed or made less detailed. (Relates to the >> first point above.) > > It is agreed in the WG that stunbis will be support hash agility and use the technique mentioned in the draft. > The paragraph below Figure 2 in Section 3 is outcome of the discussion. > [PTT] ACK >> >> 3. The first sentence of Section 4 has a lower-case "should". Should this be >> "SHOULD" or perhaps "MUST"? > > Changed to "MUST" > >> It would also be good to add that this >> knowledge of the STUN server's authentication capability may be available >> prior to the initial request, or else it is acquired from the >> 401 Unauthorized response to the initial STUN request as described below. >> Maybe the implementation note under Figure 1 belongs down here, at the >> more detailed level, rather than in the overview section. > > Okay, moved the note to Section 4. > >> >> 4. The detailed choice of how symmetric key establishment is done is left >> open in Section 4.1. Should there be a mandatory-to-implement choice ? > > The consensus in the WG is to keep symmetric key establishment procedure outside scope and not to mandate any symmetric key establishment procedure. Please note that the draft will be updated in the next revision to use ECC to address the comment from Yaron Sheffer as part of SecDir review > NEW: > Elliptic curve cryptography (ECC) with Elliptic Curve Digital Signature Algorithm (ECDSA) or symmetric-key algorithm with Hash based Message Authentication Codes (HMACs) MUST be chosen to ensure that the size of encrypted token is not large because usage of RSA will result in large encrypted tokens which may not fit into a single STUN message. > [PTT] ACK >> >> 5. Perhaps in Section 7 there should be a note that if a STUN server receives >> an ACCESS-TOKEN attribute unexpectedly (because it had not previously sent >> out a THIRD-PARTY-AUTHORIZATION), it will respond with an error code of >> 420 (Unknown Attribute) as specified in Section 7.3.1 of RFC 5389. > > Since ACCESS-TOKEN is an comprehension-optional attribute it can be ignored by the server and no need return error. > [PTT] Section 6.2 of the document says that ACCESS-TOKEN is a comprehension-required attribute. >> [PTT] ACK to all remaining items.
- OPS-DIR review of draft-ietf-tram-turn-third-part… Tom Taylor
- RE: OPS-DIR review of draft-ietf-tram-turn-third-… Tirumaleswar Reddy (tireddy)
- RE: OPS-DIR review of draft-ietf-tram-turn-third-… Tirumaleswar Reddy (tireddy)
- Re: OPS-DIR review of draft-ietf-tram-turn-third-… Tom Taylor