Re: [MEDIACTRL] ISSUE 2 - IVR Package - URI authentication

Lorenzo Miniero <lorenzo@meetecho.com> Thu, 26 August 2010 09:58 UTC

Return-Path: <lorenzo@meetecho.com>
X-Original-To: mediactrl@core3.amsl.com
Delivered-To: mediactrl@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1B2633A680B for <mediactrl@core3.amsl.com>; Thu, 26 Aug 2010 02:58:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.772
X-Spam-Level:
X-Spam-Status: No, score=-2.772 tagged_above=-999 required=5 tests=[AWL=-2.053, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6flcg26u98V3 for <mediactrl@core3.amsl.com>; Thu, 26 Aug 2010 02:58:39 -0700 (PDT)
Received: from smtplq01.aruba.it (smtplq-out9.aruba.it [62.149.158.29]) by core3.amsl.com (Postfix) with SMTP id AA3933A6359 for <mediactrl@ietf.org>; Thu, 26 Aug 2010 02:58:38 -0700 (PDT)
Received: (qmail 3725 invoked by uid 89); 26 Aug 2010 09:59:08 -0000
Received: from unknown (HELO smtp2.aruba.it) (62.149.128.201) by smtplq01.aruba.it with SMTP; 26 Aug 2010 09:59:08 -0000
Received: (qmail 3162 invoked by uid 89); 26 Aug 2010 09:59:08 -0000
Received: from unknown (HELO rainpc) (lorenzo@meetecho.com@79.53.62.50) by smtp2.ad.aruba.it with SMTP; 26 Aug 2010 09:59:08 -0000
Date: Thu, 26 Aug 2010 11:52:08 +0200
From: Lorenzo Miniero <lorenzo@meetecho.com>
To: "McGlashan, Scott" <scott.mcglashan@hp.com>
Message-Id: <20100826115208.f4e6abe1.lorenzo@meetecho.com>
In-Reply-To: <C899B865.880%Scott.McGlashan@hp.com>
References: <C899B865.880%Scott.McGlashan@hp.com>
Organization: Meetecho
X-Mailer: Sylpheed 2.7.1 (GTK+ 2.18.9; x86_64-redhat-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Rating: smtp2.ad.aruba.it 1.6.2 0/1000/N
X-Spam-Rating: smtplq01.aruba.it 1.6.2 0/1000/N
Cc: Melnikov <alexey.melnikov@isode.com>, Alexey@core3.amsl.com, "mediactrl-chairs@tools.ietf.org" <mediactrl-chairs@tools.ietf.org>, "draft-ietf-mediactrl-ivr-control-package@tools.ietf.org" <draft-ietf-mediactrl-ivr-control-package@tools.ietf.org>, "mediactrl@ietf.org" <mediactrl@ietf.org>
Subject: Re: [MEDIACTRL] ISSUE 2 - IVR Package - URI authentication
X-BeenThere: mediactrl@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Media Control WG Discussion List <mediactrl.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mediactrl>, <mailto:mediactrl-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mediactrl>
List-Post: <mailto:mediactrl@ietf.org>
List-Help: <mailto:mediactrl-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mediactrl>, <mailto:mediactrl-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Aug 2010 09:58:40 -0000

It looks like a reasonable modification to me, considering it doesn't add any new attribute but clarifies how to use the existing one correctly.

L.


On Tue, 24 Aug 2010 15:56:53 +0000
"McGlashan, Scott" <scott.mcglashan@hp.com> wrote:

> Hi All,
> 
> As part of our IESG review of the IVR package the following issue has been identified:
> 
> 
> 2) Use of authentication information in URIs in the "src" attribute (in multiple
> sectons):
> 
> E.g. in Section 4.2.1:
> 
>    src:  specifies the location of an external dialog document to
>       prepare.  A valid value is a URI (see Section 4.6.9) including
>       authentication information if defined by the URI scheme (e.g.
>       basic access authentication in HTTP).
> 
> Is this supposed to include the password as well?
> If yes, how can this be represented in URIs?
> If not, where is this information coming from?
> 
> We added the text about authentication information in URIs to support a mailing list request to allow the MS to authenticate itself to a resource server.  If I remember correctly, this was to allow URIs like
> 
> http://<user>:<password>@example.com/resourcepath<http://<user>:<password>@example.com/path>…
> 
> Re-reading the URI RFC 3986 – which the spec references normatively, the RFC says
> 
> authority   = [ userinfo "@" ] host [ ":" port ]
> 
> 
> The userinfo subcomponent may consist of a user name and, optionally, scheme-specific information about how to gain authorization to access the resource. The user information, if present, is followed by a commercial at-sign ("@") that delimits it from the host.
> 
>       userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
> 
> 
> Use of the format "user:password" in the userinfo field is deprecated. … The passing of authentication information in clear text has proven to be a security risk in almost every case where it has been used.
> 
> So specifying the user name is ok, including the password is not.
> 
> Our proposal is to clarify this wording  (across the spec) so that reference to authentication information is removed: I.e.
> 
>         A valid value is a URI (see Section 4.6.9).
> 
> This would still allow the user name and scheme-specific information to be specified as per RFC 3986. Note that if we accept that HTTP/HTTPS is mandatory (see email on IVR ISSUE 1), then there will also be text to clarify that the MS MUST support HTTP and HTTPS schemes and MAY support other schemes. The HTTPS schemes would allow for secure authentication of the MS towards a resource server.
> 
> Let us know if you have any comment on, or objections to, this proposed change.
> 
> thanks
> 
> Scott
> _______________________________________________
> MEDIACTRL mailing list
> MEDIACTRL@ietf.org
> https://www.ietf.org/mailman/listinfo/mediactrl
> Supplemental Web Site:
> http://www.standardstrack.com/ietf/mediactrl
> 


-- 
Lorenzo Miniero <lorenzo@meetecho.com>