Re: [Rum] RUE client credentials

Paul Kyzivat <pkyzivat@alum.mit.edu> Wed, 28 August 2019 16:13 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: rum@ietfa.amsl.com
Delivered-To: rum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54FE612023E for <rum@ietfa.amsl.com>; Wed, 28 Aug 2019 09:13:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dJ82KXimjVQY for <rum@ietfa.amsl.com>; Wed, 28 Aug 2019 09:13:07 -0700 (PDT)
Received: from outgoing-alum.mit.edu (outgoing-alum.mit.edu [18.7.68.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC554120232 for <rum@ietf.org>; Wed, 28 Aug 2019 09:13:07 -0700 (PDT)
Received: from Kokiri.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id x7SGD4mb011719 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 28 Aug 2019 12:13:05 -0400
To: Brian Rosen <br@brianrosen.net>
Cc: rum@ietf.org
References: <8FB5F5A0-E3FE-40F8-A6D0-35D9002C6770@brianrosen.net> <85828597-D024-4E7E-8876-F1C4753E6B7D@edvina.net> <64B406DC-4171-41EB-9171-A2AF7B78B409@brianrosen.net> <054dde2a-7fa1-9941-986c-f3b3d8c0f76e@alum.mit.edu> <831AD5BE-0D8F-4968-ABC7-B8D52BB8D4B0@brianrosen.net> <30a05d55-3aee-3195-3e2e-9ac1d92b886d@alum.mit.edu> <797A336B-0D32-4D4F-AF16-C5D8A4648D22@brianrosen.net> <414e3fa5-ae0f-a632-af75-f34f2842d85c@alum.mit.edu> <26090EC8-51D7-4BBA-BA37-838328226DD6@brianrosen.net>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <2a81f060-cf20-3ab1-b2ee-582e94bf84f2@alum.mit.edu>
Date: Wed, 28 Aug 2019 12:13:04 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <26090EC8-51D7-4BBA-BA37-838328226DD6@brianrosen.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/rum/HLS1BWLSzO0Ts0dbx7c8l6K8kaI>
Subject: Re: [Rum] RUE client credentials
X-BeenThere: rum@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Relay User Machine <rum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rum>, <mailto:rum-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rum/>
List-Post: <mailto:rum@ietf.org>
List-Help: <mailto:rum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rum>, <mailto:rum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2019 16:13:09 -0000

On 8/28/19 11:34 AM, Brian Rosen wrote:
> Good discussion to have.
> 
> A cert is public, so no real privacy issues other than what is in the identity (which a username gives you also).  How the private key associated with the cert is handled is of concern, but I imagine it’s the usual CSR thing which never reveals the key. 

> But we do need some kind of security on the provisioning information itself.  If there was a cert, then the provisioning could be signed by or for the rue.  I kind of like that.  It’s all new mechanism, but maybe worthwhile.  You run code on the device that creates the CSR, upload it, and download the cert.  Then the rue can sign the provisioning file (which really doesn’t need the cert, so it could do that any time).

It could be that the RUE creates a self signed cert and then uploads it 
to the provider during initial configuration of the RUE on the provider. 
But, is there something we can reference on how to do it?

Could the initial connection to the provisioning server include this 
cert as a client. The server won't know this cert and so will challenge 
for a password. Server would then save the cert for the user. In 
subsequent connections with the same client cert a password wouldn't be 
required.

IIRC, the providers wanted to be able separate credentials that a user 
used to log into his provider account from those used by the RUE when 
registering. (So that they could be changed independently.) What I 
sketched above might solve that.

> There are two contact maintenance mechanisms in the draft now - file upload/download and CardDAV.  CardDAV is okay security-wise. 

Again the question is whether this can be accessed with the same 
credentials as used for registering. If not, then how does the RUE get 
them, since it will probably want to sync automatically.

> File upload and download is from a provider, so we could have providers sign the file with the cert so only that user could verify it.

I think there is a question here of how this is intended to be used. I 
have the impression that there is an expectation that the result can be 
used "manually", and so should be in clear text in a human readable format.

But I think we also had an expectation that a RUE could use this 
automatically to update its own address book if CardDAV wasn't 
available. Clearly this is a degraded mechanism compared to CardDAV.

For automated use by the RUE we need to again deal with what credentials 
are required to retrieve these.

Unlike registering the device to receive calls, updating the address 
book is only needed when a person is present. So this could potentially 
require prompting the user for a password.

	Thanks,
	Paul

> Brian
> 
>> On Aug 28, 2019, at 11:14 AM, Paul Kyzivat <pkyzivat@alum.mit.edu> wrote:
>>
>> On 8/28/19 10:41 AM, Brian Rosen wrote:
>>> Ever since I’ve been working on this doc, the cert was for mutual auth of the user, instead of username and password.
>>
>> OK. As long as we are clear that is what it is about.
>>
>>> We get to use the IETF’s best practice here.  Do we require a RUM device to support mutual auth, or not?  We’re always going to support username and password for authentication.
>>> We get to decide what else.
>>
>> We've already been dinged about passing passwords around in configuration. Is it better if we use a password to fetch an initial device configuration that includes certs?
>>
>> I think we need to have a new discussion of the overall security setup, including access to address book and video mail. Are they all under a single credential, or separate. Also how passwords expire and are refreshed/updated, etc. IIRC there were concerns about all of these.
>>
>> 	Thanks,
>> 	Paul
>>
>>> Brian
>>>> On Aug 28, 2019, at 9:47 AM, Paul Kyzivat <pkyzivat@alum.mit.edu> wrote:
>>>>
>>>> On 8/27/19 3:32 PM, Brian Rosen wrote:
>>>>> Getting back to this, sorry for the delay.
>>>>>> On Aug 12, 2019, at 3:40 PM, Paul Kyzivat <pkyzivat@alum.mit.edu> wrote:
>>>>>>
>>>>>> On 8/7/19 5:14 PM, Brian Rosen wrote:
>>>>>>> Working on these comments.  I submitted a new version (-01)
>>>>>>> I edited the doc to say the client cert is provisioned.  Given that it’s provisioned by the entity that the provides the server, do I need to say anything else about validating the cert?
>>>>>>
>>>>>> I think we need to examine what the goal is here, and whether it is being achieved. I don't think enough is said to decide.
>>>>>>
>>>>>> This client cert mechanism was first added way back when (2015 I think). IIRC, the motivation was because the providers wanted to restrict access to RUE *implementations* that have passed interoperability testing, in order to reduce the problems of dealing with buggy implementations or attackers.
>>>>> I think you are confusing validating an implementation from authenticating a user.  The notion of mutual auth with a per-device cert is completely separate from some notion of “signing” an implementations code.
>>>>
>>>> No. You can argue that the client cert mechanism in not an appropriate mechanism for this, but it was the intent when the mechanism was proposed.
>>>>
>>>> I can see how this might be confused if you weren't there at the time. And perhaps the thinking about it has evolved since it was first included. I wasn't party to what happened during 2016-18.
>>>>
>>>> IIUC the providers still want this - a way to screen out RUE *implementations* that have not passed their testing. However, I don't know how to achieve that goal. And I'm inclined to think that it is an unreasonable expectation. It is akin to web site operators asking for a way to screen out any browser implementations that they haven't already tested against.
>>>>
>>>>> We can decide we don’t want the option of having mutual auth.
>>>>
>>>> Clearly there is need for some mechanism to securely associate a RUE with an account at the provider and a phone number. And this needs to work with devices that are persistently connected. If a RUE suffers a power or network outage that is restored in the middle of the night then it should be able to reconnect without a user login so that it can be available for incoming calls.
>>>>
>>>> That was intended to be covered by passwords. But care must be taken to secure those.
>>>>
>>>> 	Thanks,
>>>> 	Paul
>>
> 
>