OPS-DIR review of draft-ietf-tram-turn-third-party-authz-08
Tom Taylor <tom.taylor.stds@gmail.com> Tue, 03 February 2015 22:09 UTC
Return-Path: <tom.taylor.stds@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3D7B1A1A88; Tue, 3 Feb 2015 14:09:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VYhXPT7a6_bs; Tue, 3 Feb 2015 14:09:25 -0800 (PST)
Received: from mail-ie0-x231.google.com (mail-ie0-x231.google.com [IPv6:2607:f8b0:4001:c03::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26F8C1A036B; Tue, 3 Feb 2015 14:09:25 -0800 (PST)
Received: by mail-ie0-f177.google.com with SMTP id vy18so28774367iec.8; Tue, 03 Feb 2015 14:09:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :content-type:content-transfer-encoding; bh=TY+QxWFwk24cgxBEfwQ6uHR0vv1YmPVKHJjxWJpqsXY=; b=H0V6YDtptkaeu8Cjb3pta3l84SR8utqLLclK5PyWLrJHAEaIqG+1XzmMmV3i0o2gLu TNREJDOxAJYbzbagrzEppIi/MWyjz8a++xdg1EaWTh3g0+ZhBpqCcDX6/I6kiGh6s+7e cTBZDLqFK70hfHJ/rI3ESv2PIaCr7LAVEmVbG/Q3PKg4aNImLMqBuZ3zZGCzJRt80+je SIkAVte0Z1zqBgy67+qiYnUa65wH/ShcJGh/kqO4bsBazZPYquyl4ViafJv3ec/+X7xR d/RmCQnrGFbGC22rD1audlHLRpda1yQ+ruN8T4eF4czLrDgklYn8DEVrLftLARa/kvFR HIVg==
X-Received: by 10.50.66.198 with SMTP id h6mr20957181igt.22.1423001364292; Tue, 03 Feb 2015 14:09:24 -0800 (PST)
Received: from [192.168.0.101] (dsl-173-206-73-98.tor.primus.ca. [173.206.73.98]) by mx.google.com with ESMTPSA id mi3sm8588159igb.13.2015.02.03.14.09.23 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 03 Feb 2015 14:09:23 -0800 (PST)
Message-ID: <54D14709.2040204@gmail.com>
Date: Tue, 03 Feb 2015 17:09:13 -0500
From: Tom Taylor <tom.taylor.stds@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: "ops-dir@ietf.org" <ops-dir@ietf.org>, Tirumaleswar Reddy <tireddy@cisco.com>, Prashanth Patil <praspati@cisco.com>, Ram Mohan Ravindranath <rmohanr@cisco.com>, Justin Uberti <justin@uberti.com>, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, Spencer Dawkins <spencerdawkins.ietf@gmail.com>, The IETF <ietf@ietf.org>, tram@ietf.org
Subject: OPS-DIR review of draft-ietf-tram-turn-third-party-authz-08
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/yu9kM_m7VWofRPrS67DiKEHS0TE>
X-Mailman-Approved-At: Wed, 04 Feb 2015 08:58:30 -0800
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Feb 2015 22:09:30 -0000
I reviewed draft-ietf-tram-turn-third-party-authz-08 as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the operational area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Summary: This document has inconsistencies that need to be fixed before it can be published. Operational issues: To make this feature work, the following pre-configuration is required: a. In each authorization server, the list of STUN and TURN servers for which it will grant tokens, and the long-term secret shared with each b. Similarly, in each STUN or TURN server, the list of authorization servers from which the clients of that STUN or TURN server may request tokens, and the associated long-term secret. c. If manual configuration (Section 4.1.3) is used to establish symmetric keys, the necessary information has to be configured on each authorization server and STUN or TURN server. The client presumably obtains the session key and algorithm from the authorization server in company with the token. It would be good to have an Operational Considerations section summarizing this information and anything else I've missed. In terms of deployment, incremental deployment is possible, since default action is specified in the document if either the client or STUN or TURN server fails to understand the attributes defined in this document. However, the implication in "Other Issue" 3 below is that the "should" should be a "MUST". Other issues: 1. The procedures by which the client obtains the OAuth token are declared out of scope (middle of first paragraph of Section 3), yet a fair amount of text in the document deals with this topic. Either the declaration of scope should be changed or the examples of interaction between the client and the authorization server and related detailed procedural statements should be moved to an informative appendix. Fundamentally this document is not about WebRTC (even though that is the primary application the authors have in mind) and so WebRTC has no place in the body of the document. The rewriting would be a fair amount of work, but I will volunteer to help rework the text if need be. 2. The paragraph below Figure 2 in Section 3 talks of a future capability, algorithm agility. Part of the description mentions that the client sends the intersection of the algorithms common to it and the STUN server to the authorization server. The reason to do this depends specifically on the statement that the authorization server generates the session key between the client and resource server in draft-ietf-oauth-pop-key-distribution (which BTW is expired). I can see the point of this paragraph in providing a warning to implementors, but it is probably too speculative unless the depended-upon I-Ds (stunbis and oauth-pop-key) are very close to completion. At the least, the sentence relating to the interaction between the client and authorization server could be removed or made less detailed. (Relates to the first point above.) 3. The first sentence of Section 4 has a lower-case "should". Should this be "SHOULD" or perhaps "MUST"? It would also be good to add that this knowledge of the STUN server's authentication capability may be available prior to the initial request, or else it is acquired from the 401 Unauthorized response to the initial STUN request as described below. Maybe the implementation note under Figure 1 belongs down here, at the more detailed level, rather than in the overview section. 4. The detailed choice of how symmetric key establishment is done is left open in Section 4.1. Should there be a mandatory-to-implement choice? 5. Perhaps in Section 7 there should be a note that if a STUN server receives an ACCESS-TOKEN attribute unexpectedly (because it had not previously sent out a THIRD-PARTY-AUTHORIZATION), it will respond with an error code of 420 (Unknown Attribute) as specified in Section 7.3.1 of RFC 5389. 6. In Section 9, second bullet, a parameter Delta is shown but no suggested value is given. Would this be 5 seconds as in Section 7? Tom Taylor Nits/editorial suggestions ========================== General: missing "the"s and occasional "a"s or "an"s throughout the document. I indicated a number of places but got tired of doing so eventually. If absolutely necessary I could mark up a copy of the document with the additions. 1) Abstract: OLD The usage of ephemeral tokens ensure NEW The use of ephemeral tokens ensures 2) Section 3, first paragraph: It might be good to add a paragraph before the present one, saying that the client knows that it can use OAuth with the target STUN server either through configuration or when it receives the new STUN attribute THIRD-PARTY-AUTHORIZATION in the 401 Unauthorized response to its initial STUN request. OLD to avail STUN services NEW to avail itself of STUN services OLD The client is oblivious to the content of the token. The token is embedded within a STUN request sent to the STUN server. NEW The content of the token is opaque to the client. The client embeds the token within a STUN request sent to the STUN server. Second-last line: s/it's/its/ 3) Section 3, paragraph below Figure 2: Missing "The" in front of "Authorization server" at the beginning of a sentence, missing "the" in front of "client" (twice). Fourth line from the bottom: s/client had provided/the client provided/ 4) Last line of Section 3: OLD MUST be 'stun' string. NEW MUST be the string 'stun'. 5) Section 4, first paragraph: OLD using OAuth access token. NEW using an OAuth access token. OLD The STUN servers NEW The STUN server OLD additional STUN attribute NEW the additional STUN attribute 6) Section 4, paragraph between the two figures 4 and 5: s/i.e/i.e.,/ 7) Section 4.1, first sentence: s/resource server/STUN server/ Middle of paragraph: OLD The AS-RS, AUTH keys NEW The AS-RS and AUTH keys Missing "The" in front of "AS-RS key" in the next sentence. Missing "the" in front of "message integrity" later in that sentence. Second-last sentence: OLD The establishment of symmetric key is outside the scope NEW The procedure for establishment of the symmetric key is outside the scope 8) Sections 4.1.2 and 4.1.3 have missing instances of "the". 9) Section 4.1.3 first paragraph: OLD Mandatory to support authenticated encryption algorithm MUST be AES_256_CBC_HMAC_SHA_512. NEW If manual provisioning is supported, support MUST also be provided for AES_256_CBC_HMAC_SHA_512 as the authenticated encryption algorithm. 10) Section 5, second-last line: s/doesn't/do not/ 11) Section 6.1 third line: s/tie-up/tie-ups/ 12) Section 6.2, first paragraph: OLD of [RFC5389]), access token length NEW of [RFC5389]). The access token length OLD is opaque to the client and it NEW is opaque to the client and the client 13) Section 6.2, 'lifetime' bullet: OLD but the client assumes that NEW but the client would assume that 14) Section 6.2, 'encrypted_block' bullet: s/resource server/STUN server/ 15) Section 9, first bullet: OLD Since the access token is only valid for a specific period of time, NEW Since the access token is valid for a specific period of time, 16) Section 10, first paragraph: OLD detect that the transaction ID as used NEW detect that the transaction ID was used 17) Reference draft-ietf-tram-auth-problems has been published as RFC 7376 and should be updated. Informative references I-D.ietf-oauth-pop-architecture and I-D.ietf-oauth-pop-key-distribution have expired, but I guess there is nothing you can change for the moment.
- OPS-DIR review of draft-ietf-tram-turn-third-part… Tom Taylor
- RE: OPS-DIR review of draft-ietf-tram-turn-third-… Tirumaleswar Reddy (tireddy)
- RE: OPS-DIR review of draft-ietf-tram-turn-third-… Tirumaleswar Reddy (tireddy)
- Re: OPS-DIR review of draft-ietf-tram-turn-third-… Tom Taylor