[MEDIACTRL] ISSUE 2 - IVR Package - URI authentication

"McGlashan, Scott" <scott.mcglashan@hp.com> Tue, 24 August 2010 15:58 UTC

Return-Path: <scott.mcglashan@hp.com>
X-Original-To: mediactrl@core3.amsl.com
Delivered-To: mediactrl@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 678603A6894 for <mediactrl@core3.amsl.com>; Tue, 24 Aug 2010 08:58:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.599
X-Spam-Status: No, score=-104.599 tagged_above=-999 required=5 tests=[AWL=2.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id yTPAiyGuTdKX for <mediactrl@core3.amsl.com>; Tue, 24 Aug 2010 08:58:12 -0700 (PDT)
Received: from g4t0016.houston.hp.com (g4t0016.houston.hp.com []) by core3.amsl.com (Postfix) with ESMTP id 52A9B3A6887 for <mediactrl@ietf.org>; Tue, 24 Aug 2010 08:58:12 -0700 (PDT)
Received: from G3W0630.americas.hpqcorp.net (g3w0630.americas.hpqcorp.net []) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by g4t0016.houston.hp.com (Postfix) with ESMTPS id F1BAB14569; Tue, 24 Aug 2010 15:58:42 +0000 (UTC)
Received: from G6W0644.americas.hpqcorp.net ( by G3W0630.americas.hpqcorp.net ( with Microsoft SMTP Server (TLS) id; Tue, 24 Aug 2010 15:56:56 +0000
Received: from GVW1124EXC.americas.hpqcorp.net ([]) by G6W0644.americas.hpqcorp.net ([]) with mapi; Tue, 24 Aug 2010 15:56:55 +0000
From: "McGlashan, Scott" <scott.mcglashan@hp.com>
To: "mediactrl@ietf.org" <mediactrl@ietf.org>
Date: Tue, 24 Aug 2010 15:56:53 +0000
Thread-Topic: ISSUE 2 - IVR Package - URI authentication
Thread-Index: ActDpPohxS+Q1DRcSQS6JT5AVden+Q==
Message-ID: <C899B865.880%Scott.McGlashan@hp.com>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
acceptlanguage: en-US
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Alexey, Melnikov <alexey.melnikov@isode.com>, "mediactrl-chairs@tools.ietf.org" <mediactrl-chairs@tools.ietf.org>, "draft-ietf-mediactrl-ivr-control-package@tools.ietf.org" <draft-ietf-mediactrl-ivr-control-package@tools.ietf.org>
Subject: [MEDIACTRL] ISSUE 2 - IVR Package - URI authentication
X-BeenThere: mediactrl@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Media Control WG Discussion List <mediactrl.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mediactrl>, <mailto:mediactrl-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mediactrl>
List-Post: <mailto:mediactrl@ietf.org>
List-Help: <mailto:mediactrl-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mediactrl>, <mailto:mediactrl-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Aug 2010 15:58:13 -0000

Hi All,

As part of our IESG review of the IVR package the following issue has been identified:

2) Use of authentication information in URIs in the "src" attribute (in multiple

E.g. in Section 4.2.1:

   src:  specifies the location of an external dialog document to
      prepare.  A valid value is a URI (see Section 4.6.9) including
      authentication information if defined by the URI scheme (e.g.
      basic access authentication in HTTP).

Is this supposed to include the password as well?
If yes, how can this be represented in URIs?
If not, where is this information coming from?

We added the text about authentication information in URIs to support a mailing list request to allow the MS to authenticate itself to a resource server.  If I remember correctly, this was to allow URIs like


Re-reading the URI RFC 3986 – which the spec references normatively, the RFC says

authority   = [ userinfo "@" ] host [ ":" port ]

The userinfo subcomponent may consist of a user name and, optionally, scheme-specific information about how to gain authorization to access the resource. The user information, if present, is followed by a commercial at-sign ("@") that delimits it from the host.

      userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )

Use of the format "user:password" in the userinfo field is deprecated. … The passing of authentication information in clear text has proven to be a security risk in almost every case where it has been used.

So specifying the user name is ok, including the password is not.

Our proposal is to clarify this wording  (across the spec) so that reference to authentication information is removed: I.e.

        A valid value is a URI (see Section 4.6.9).

This would still allow the user name and scheme-specific information to be specified as per RFC 3986. Note that if we accept that HTTP/HTTPS is mandatory (see email on IVR ISSUE 1), then there will also be text to clarify that the MS MUST support HTTP and HTTPS schemes and MAY support other schemes. The HTTPS schemes would allow for secure authentication of the MS towards a resource server.

Let us know if you have any comment on, or objections to, this proposed change.