Re: [MEDIACTRL] ISSUE 2 - IVR Package - URI authentication

Stéphane Bastien <stephane@broadsoft.com> Thu, 26 August 2010 12:09 UTC

Return-Path: <stephane@broadsoft.com>
X-Original-To: mediactrl@core3.amsl.com
Delivered-To: mediactrl@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1B7573A6838 for <mediactrl@core3.amsl.com>; Thu, 26 Aug 2010 05:09:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lfaUZ+9CODaZ for <mediactrl@core3.amsl.com>; Thu, 26 Aug 2010 05:09:20 -0700 (PDT)
Received: from smtp-out01.seaservers.net (smtp-out01.seaservers.net [72.37.232.66]) by core3.amsl.com (Postfix) with ESMTP id D9F403A67CC for <mediactrl@ietf.org>; Thu, 26 Aug 2010 05:09:20 -0700 (PDT)
Received: from EXMBXCLUS01.citservers.local ([fe80:0000:0000:0000:a488:d1ec:167.6.58.109]) by casumhub01.citservers.local ([172.16.98.57]) with mapi; Thu, 26 Aug 2010 05:09:53 -0700
From: =?Windows-1252?Q?St=E9phane_Bastien?= <stephane@broadsoft.com>
To: "mediactrl-chairs@tools.ietf.org" <mediactrl-chairs@tools.ietf.org>, "draft-ietf-mediactrl-ivr-control-package@tools.ietf.org" <draft-ietf-mediactrl-ivr-control-package@tools.ietf.org>, "mediactrl@ietf.org" <mediactrl@ietf.org>
Date: Thu, 26 Aug 2010 05:09:47 -0700
Thread-Topic: [MEDIACTRL] ISSUE 2 - IVR Package - URI authentication
Thread-Index: ActFF5bOv+/Is+xoT5+PkiZ9ForxpQ==
Message-ID: <B34256BE-925B-4E53-8156-E6EA044F7024@broadsoft.com>
References: <C899B865.880%Scott.McGlashan@hp.com> <20100826115208.f4e6abe1.lorenzo@meetecho.com>
In-Reply-To: <20100826115208.f4e6abe1.lorenzo@meetecho.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: fr-FR, en-US
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [MEDIACTRL] ISSUE 2 - IVR Package - URI authentication
X-BeenThere: mediactrl@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Media Control WG Discussion List <mediactrl.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mediactrl>, <mailto:mediactrl-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mediactrl>
List-Post: <mailto:mediactrl@ietf.org>
List-Help: <mailto:mediactrl-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mediactrl>, <mailto:mediactrl-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Aug 2010 12:09:22 -0000

Agreed. We already keep passwords out of XML messages for security reasons.

Le 2010-08-26 à 05:52, Lorenzo Miniero a écrit :

> It looks like a reasonable modification to me, considering it doesn't add any new attribute but clarifies how to use the existing one correctly.
> 
> L.
> 
> 
> On Tue, 24 Aug 2010 15:56:53 +0000
> "McGlashan, Scott" <scott.mcglashan@hp.com> wrote:
> 
>> Hi All,
>> 
>> As part of our IESG review of the IVR package the following issue has been identified:
>> 
>> 
>> 2) Use of authentication information in URIs in the "src" attribute (in multiple
>> sectons):
>> 
>> E.g. in Section 4.2.1:
>> 
>>   src:  specifies the location of an external dialog document to
>>      prepare.  A valid value is a URI (see Section 4.6.9) including
>>      authentication information if defined by the URI scheme (e.g.
>>      basic access authentication in HTTP).
>> 
>> Is this supposed to include the password as well?
>> If yes, how can this be represented in URIs?
>> If not, where is this information coming from?
>> 
>> We added the text about authentication information in URIs to support a mailing list request to allow the MS to authenticate itself to a resource server.  If I remember correctly, this was to allow URIs like
>> 
>> http://<user>:<password>@example.com/resourcepath<http://<user>:<password>@example.com/path>…
>> 
>> Re-reading the URI RFC 3986 – which the spec references normatively, the RFC says
>> 
>> authority   = [ userinfo "@" ] host [ ":" port ]
>> 
>> 
>> The userinfo subcomponent may consist of a user name and, optionally, scheme-specific information about how to gain authorization to access the resource. The user information, if present, is followed by a commercial at-sign ("@") that delimits it from the host.
>> 
>>      userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
>> 
>> 
>> Use of the format "user:password" in the userinfo field is deprecated. … The passing of authentication information in clear text has proven to be a security risk in almost every case where it has been used.
>> 
>> So specifying the user name is ok, including the password is not.
>> 
>> Our proposal is to clarify this wording  (across the spec) so that reference to authentication information is removed: I.e.
>> 
>>        A valid value is a URI (see Section 4.6.9).
>> 
>> This would still allow the user name and scheme-specific information to be specified as per RFC 3986. Note that if we accept that HTTP/HTTPS is mandatory (see email on IVR ISSUE 1), then there will also be text to clarify that the MS MUST support HTTP and HTTPS schemes and MAY support other schemes. The HTTPS schemes would allow for secure authentication of the MS towards a resource server.
>> 
>> Let us know if you have any comment on, or objections to, this proposed change.
>> 
>> thanks
>> 
>> Scott
>> _______________________________________________
>> MEDIACTRL mailing list
>> MEDIACTRL@ietf.org
>> https://www.ietf.org/mailman/listinfo/mediactrl
>> Supplemental Web Site:
>> http://www.standardstrack.com/ietf/mediactrl
>> 
> 
> 
> -- 
> Lorenzo Miniero <lorenzo@meetecho.com>
> _______________________________________________
> MEDIACTRL mailing list
> MEDIACTRL@ietf.org
> https://www.ietf.org/mailman/listinfo/mediactrl
> Supplemental Web Site:
> http://www.standardstrack.com/ietf/mediactrl