[Rum] Benjamin Kaduk's Discuss on draft-ietf-rum-rue-09: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Wed, 15 December 2021 21:22 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: rum@ietf.org
Delivered-To: rum@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E3C53A1116; Wed, 15 Dec 2021 13:22:04 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-rum-rue@ietf.org, rum-chairs@ietf.org, rum@ietf.org, pkyzivat@alum.mit.edu, pkyzivat@alum.mit.edu
X-Test-IDTracker: no
X-IETF-IDTracker: 7.41.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <163960332431.21178.16224624731772159181@ietfa.amsl.com>
Date: Wed, 15 Dec 2021 13:22:04 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/rum/WMw03Y2DAzpeu5gwD0q4_pmGnLg>
Subject: [Rum] Benjamin Kaduk's Discuss on draft-ietf-rum-rue-09: (with DISCUSS and COMMENT)
X-BeenThere: rum@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Relay User Machine <rum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rum>, <mailto:rum-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rum/>
List-Post: <mailto:rum@ietf.org>
List-Help: <mailto:rum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rum>, <mailto:rum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Dec 2021 21:22:12 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-rum-rue-09: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-rum-rue/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thanks for writing this document; it's an important topic and I look forward to seeing interoperability in this space. However, I don't think this document is quite ready for publication yet, as it has a number of internal inconsistencies (and at least one external inconsistency with IETF procedures) that would get in the way of interoperable implementation. (1) The procedure for substituting an entryPoint from the provider list into the OpenAPI interface description for obtaining configuration data appears to be incompatible with BCP 190. Though there's not quite enough detail for me to be able to tell exactly what behavior is intended, the procedure of "replace localhost in the template with the value from provider discovery" seems like it implies that the value from provider discovery is just a hostname, and that we are requiring the RUM services to be accessible via HTTP at path /rum/v1 on that machine. The URI path namespace is under control of the owner of the host, and we cannot assert that we will occupy that portion of the namespace. The current version of BCP 190, RFC 8820, does allow us to say (effectively) "delegate a subtree of the path namespace to the protocol" by letting the owner of the host pick what base path to use for the protocol (even that would not have been allowed by its predecessor, RFC 7320), but we do need to let that host-specific path prefix be indicated somehow, whether by URL template or allowing a base path to be indicated in the provider discovery process. (2) There are a lot of inconsistencies about the parameters and data format of the various API responses as specified in prose, OpenAPI description, and examples. In particular, we also fail to make a clear statement about whether the prose or the OpenAPI description is normative and takes precedence in case of disagreement. I'll list a bunch of things here; I made a fairly careful reading but am not willing to assert that this is a comprehensive listing. (A number of them also get comments in the section-by-section comments; sorry about that duplication.) Sections 9.2.1 and 9.2.2 list configuration data items in the "configuration data for new user sign up and dial around" and "configuration data for the RUE" configuration retrieval APIs, and per the note at the end of §9.2 they include the REQUIRED data items. However, there are a couple data items that are mentioned elsewhere in the document as if they are always going to be present, but are not present in these lists of required configuration parameters. In particular we talk about the "provider-domain" as coming from the configuration, and it appears in examples, but is not mentioned in the prose or OpenAPI format description. The prose (and some examples) refer to an "outbound-proxies" RUE configuration element, but §9.2.2 and the OpenAPI description list the singular "outbound-proxy" (and with the corresponding difference in format/structure). The prose mentions "credentials" from the configuration, but no parameter of that name appears (there is some mention of password under "carddav" but that seems insufficiently generic to match all instances; sip-password also exists). "display-name" appears in the example in Figure 5 but is not listed in §9.2.2 The prose for the provider configuration resource indicates that the dialAround property is mandatory (it is not marked as "(OPTIONAL)"), but the OpenAPI specification does not list this property as required. The prose for the provider configuration's "signup" property says that it is an array of JSON objects, but the OpenAPI description says that it is just a single object (not an array). Likewise for "dialAround" and "helpDesk". The prose for "phone-number" specifies E.164 format, but the OpenAPI description does not. "carddav" is triply inconsistent: the prose says username, password, and domain name are separated by "@" (presumably, in a single string), but the example only shows username and domain name in user@domain form, and the OpenAPI description says it should be an object with separate properties for username/password/domain, as well as an additional "sendLocationWithRegistration" property that is probably not supposed to be a child of "carddav". (repeating from the previous), the "sendLocationWithRegistration" property is listed as belonging to the "carddav" object in the OpenAPI description, though the prose and example indicate it should be a property of the toplevel configuration object. The prose and OpenAPI description indicate that "ice-servers" is an array of strings, but the example has an array of objects that use the dictionary key to indicate whether each URI is a TURN or STUN server. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- There are a number of references to "the configuration" in the body text prior to §9.2 where the configuration service is discussed. E.g., the first paragraph of §5.1 gives a hard requirement for registration and then makes a conditional reference to "the configuration" without any prose discussing how configuration retrieval interacts with registration. it may be useful to have a brief introductory mention of the data flow involving registration and configuration retrieval and how the two initialization processes (don't) interact. I have a high-level comment or two about password usage in this document. I recognize that we're constrained in practice by the current state of SIP specification and the deployed ecosystem, but while username/password may currently be the lowest common denominator for authentication, it's far from best current practice. In a scenario like the one here, where the RUE is a dedicated (often hardware) product talking over a fixed protocol to a nearly fixed small set of providers, there's plenty of scope for using strong cryptography to authenticate the RUE, including public-key cryptography where the verifier does not need to store any per-user secret information. At present, Digest seems to be the strongest mechanism in the registry for usage with SIP, but I would advise assuming that that will change in the future and writing the spec and implementation in a way that is compatible with stronger authentication schemes. Furthermore, this document in several places (I note a few in the per-secton comments) recommends or even requires the reuse of a username/password pair across multiple services. Best practices are to use any given password at exactly one service. In this regard one can roughly model the password as analogous to a pre-shared key -- it is useful for authenticating a peer in the sense that if the value is known only to two entities, and the party you're communicating with proves that they know the value, they must be the only other party that knows the secret value. But once you reuse the password at multiple services, that logic falls apart, as the party you're communicating with could be the user, or it could be another service that shares the secret. Granted, when used with digest the password itself is not sent to the server for every authentication, but the server typically has access to it at some point, and even possession of the password hash in a verification database allows for offline brute-force attack, which has become comparatively cheap in recent years and even the availability of dedicated hardware for password cracking. In particular, SHA-512 is not considered to be a best-practice hash function for password hashing, since it is highly parallelizable and not "memory-hard". RFC 9106 specifies Argon2 (via the IRTF CFRG), the winner of the password hashing competition; it is the state of the art for password hashing, and even prior to that publication we had scrypt available in RFC 7914 that is a significant improvement on the SHA-2 family of functions. That said, it's not currently listed in the IANA registry for hash algorithms for HTTP (and SIP) digest authentication, so I am not sure that we can usefully advocate for its usage at the present time. Section 4 Thanks for mandating RFC 7525 compliance. I note that draft-ietf-uta-rfc7525bis is in progress in the UTA WG. Though it will probably be published after this document, it may be a useful informative reference with forward-looking guidance on how to best secure TLS. All text data payloads not otherwise constrained by a specification in another standards document MUST be encoded as Unicode UTF-8. I think we'd typically reference RFC 8259 here. Section 5.1 The registrar MAY authenticate using SIP digest authentication. The credentials to be used (username and password) MUST be supplied within the credentials section of the configuration and identified by the realm the registrar uses in a digest challenge. This username/ Which entity is authenticating to which other entity here? The phrasing "<X> MAY authenticate" implies that it is X that is authenticating to some other entity, but that does not seem to correspond to my model of the flow here, where the RUE is authenticating to the registrar. If the flow is to be the other way, we would say "the registrar MAY authenticate the RUE using SIP digest authentication". Also, I note that (HTTP) SCRAM authentication has superior security properties to Digest, but unfortunately I don't see any evidence that its use for SIP is defined yet. Section 5.2.1 The SIP URIs in the To field and the Request-URI MUST be formatted as specified in subsection Section 5.4 using the destination phone number, or as SIP URIs, as provided in the configuration (Section 9.2). [...] I'm not sure that I'm unpacking this properly. (The construction "the SIP URIs MUST be formatted as [...], or as SIP URIs", makes me wonder if there are somehow non-SIP URIs involved even though we start off with "the SIP URIs".) Is the idea that I either take the URI directly from the configuration ("as-is") or I format it as per §5.4 but not anything else? Section 5.2.2 party telephone number. In two-stage dial-around, the To URI is the front door URI (see Section 9.2) of the dial-around provider and the domain of the URI is the provider domain from the configuration. The Is "the URI" in "the domain of the URI" referring to "the To URI", or some other URI (the Request-URI, perhaps)? The prose lists the call originator as (VRS user) +1-555-222-0001, but the URIs in Figure 1 that are not the call recipient appear as +18135551212; are those numbers supposed to be different like that? Section 5.2.3 owner". The URI MAY be an HTTPS URI or Content-Indirect URL. The latter is defined by [RFC2392] to locate message body parts. This RFC 2392 seems to define a "Content-ID" URI (with "cid" scheme) but not a "Content-Indirect" URL. Section 5.2.5 Implementations MUST implement Additional Data, [RFC7852]. RUE devices MUST implement Data Provider, Device Implementation and Owner/Subscriber Information blocks. The string "Device Implementation" does not seem to appear in RFC 7852, though "Device Information" does. Section 7.1 of an email address. If the request triggers a challenge for digest authentication credentials, the RUE MUST continue using matching "credentials" from the configuration. If no matching credentials are configured, the RUE MUST use the SIP credentials from the configuration. [...] Do we really want a MUST-level requirement to reuse the SIP credentials? Best practices for credentials are to have a 1:1 relationship between credentials and where they are used and this sort of reuse is basically the polar opposite. Section 9.1 non-mandatory-to use functions and SHALL NOT delete any objects, members of objects or functions. This means an implementation of a specific major version and minor version is backwards compatible with all minor versions of the major version. [...] (This might all be covered by Rob's discuss point; I will read the replies on that thread and you don't need to duplicate content here for my benefit.) This statement doesn't seem to contain enough information to be useful. I think that a statement about backwards (or forwards) compatibility should be specific about whether it applies to the implementation of the client or the web service, and that backwards compatibility would require that the implementation in question interoperate with a peer at any same or previous minor version. Just saying "compatible with all minor versions of the major version" would also make a statement about forward compatibility, which I think is allowable under these rules for what is allowed to change in minor versions, and it would be useful to make a statement about forward compatibility. Section 9.2 The interface to obtain configuration data is described by an OpenAPI [OpenAPI] interface description. In that interface description, the "servers" component is specified as "localhost". The entry point obtained from the provider list (Section 9.1) is substituted for "localhost" to obtain the server prefix of the interface. [...] I note that the OpenAPI description for /Versions has an override for "servers", and the value listed there does not include the string "localhost". Some clarity that it is also expected to be affected by this kind of substitution seems in order. In both the queries, an optional parameter may be provided to the interface which is an API Key. The implementation MAY have an API Key obtained from the provider and specific to the implementation. The method the API Key is obtained is not specified in this document. The provider MAY refuse to provide service to an implementation presenting an API Key it does not recognize. I note that the IETF does have a standard for conveying authorization information on the web -- OAuth 2.0. It may not be a direct "drop-in" fit here, due to the need for a preexisting relationship with an authorization server, but perhaps it is worth mentioning as an option in addition to this provider-specific "API key" protocol? Also in both queries, the RUE device provides a required parameter which contains an instance identifier. This parameter MUST be the same value each time this instance (same implementation on same device) queries the interface. This MAY be used by the provider, for example, to associate a location with the instance for emergency calls. Is there any cryptography to provide assurance that the instance identifier is indeed always used only by the one single instance? The description here sounds roughly like a bearer token, which is far from best practice for this sort of thing. Indeed, in other contexts a given instance is often identified solely by its public key, and must authenticate with the corresponding private key in order to act as the identified instance. The configuration API also provides the same version mechanism as specified above in Section 9.1. The version of the configuration service MAY be different than the version of the provider list service. Not only that, but the services are expected to be versioned independently, so there is no particular relationship between version X.Y of the one and version X.Y of the other...right? Actually, having gone and looked further, the OpenAPI document seems to indicate that there's a single /Versions resource common across the /Providers, /ProviderConfig, and /RueConfig APIs, which makes me confused as to how the versions of the two services might actually be different (let alone versioned independently). Section 9.2.1 - uri: a URI to the website for creating a new account in the supported language. The new user signup URI may only initiate creation of a new account. Various vetting, approval and other processes may be needed, which could take time, before the account is established. The result of creating a new account would be a username and password, which would be manually I strongly suggest using a more generic phrasing (e.g., "would be account credentials (e.g., username and password)") to allow for seamless transition to stronger authentication technologies without specification change. Section 9.2.2 * lifetime: (optional) Specifies how long (in seconds) the RUE MAY cache the configuration values. Values may not be valid when lifetime expires. If the RUE caches configuration values, it MUST cryptographically protect them. [...] In other contexts, "cryptographically protect" would mean to encrypt, cryptographically sign, or compute a keyed MAC over the data. If the intent here is just to record a cryptographic checksum of the data, that's probably better stated in terms of a checksum. In particular, this current text gives no indication of what threat the cryptography is supposed to protect against, so implementations are unlikely actually provide uniform protection against the intended threat. * sip-password: (optional) a password used for SIP, STUN and TURN authentication. The RUE device retains this data, which must be stored securely. [...] Akin to the above, this doesn't indicate what threat "stored securely" is intended to protect against. While I would *hope* that "protect passwords" is instinctive to developers, I wouldn't want to rely on it. password MUST be used. If it was never supplied, the password used to authenticate to the configuration service is used for SIP, STUN and TURN. In the general case, this directive is a gaping security hole (exposing the RUE's SIP credentials to arbitrary external STUN/TURN servers, for example). I think we must qualify that the reuse of credentials is only for the servers listed in the "ice-servers" configuration directive. (And ideally we would not encourage reuse of credentials at all.) * carddav: (optional) A username, password and domain name (separated by ""@"") identifying a "CardDAV" server and account that can be used to synchronize the RUE's contact list with the contact list managed by the provider. If username or password are not supplied, the main account credentials are used. There are three data items but only one separator listed. Is this really to be "username@password@domain"? It would be great if we could make ourselves more generic than username+password as credentials, and (as mentioned previously) avoid reuse of credentials. * ice-servers: (optional) An array of URLs identifying STUN and TURN servers available for use by the RUE for establishing media streams in calls via the provider. Is any given entry required to offer both STUN and TURN services, or can a server provide just one or the other? Both this text and my understanding of the OpenAPI description seem to indicate that this is a flat list intermingling STUN and TURN servers, but the example in Figure 5 seems to show each element of the array being a JSON object that contains one or more of the keys "stun" and "turn". The structure in that example would obviate any confusion about which services are offered, and is probably preferred. Section 9.2.3 "contacts": "https://red.example.net:443/contacts/1dess45awd", I suggest putting a bit more entropy in the URL, in the vein of https://www.w3.org/2001/tag/doc/capability-urls/ (even if this resource is likely to require the username+password authentication discussed earlier). "carddav": "bob@red.example.com" , The prose indicates this should contain a password as well as the username and domain name that are present. How is the password specified? Section 9.3 Given the "are formally specified" language, I expect that the intent is for the OpenAPI description to be normative and take precedence in case of conflict with the prose/examples. It's probably worth stating that explicitly. - in: query name: instanceId schema: type: string required: true description: Unique string for this implementation on this device Is this self-assigned by the client or assigned by some external authority? The allocation procedure is important for ensuring that the instance IDs are actually globally unique (with high probability). (Note that this parameter is used in both /ProviderConfig and /RueConfig.) Section 10.2 The rest of the document does not appear to contain any text covering the usage of the "rue-owner" purpose value. Should we say something about when it's used and what semantics it conveys? Section 11 I think we should make some statement that incorporates by reference the security considerations of the protocols being profiled. There are perhaps too many to list individually, so something like "this document requires implementation and use of a number of other specifications in order to fulfil the RUE profile; the security considerations described in those documents apply accordingly to the RUE interactions" would probably work. It is perhaps obvious, but when a CA participates in a conversation they have access to the content of the conversation even though it is nominally a conversation between the two endpoints. I think we should still state this explicitly, and perhaps note that there is an expectation that the CA will keep the communication contents in confidence, often backed by contractual or legal requirements. There's probably also something useful to say to compare the privacy properties of one-stage vs two-stage dial-around, in terms of which entities have access to information about the communicating endpoints. I am not entirely sure if the referenced documents already cover this, but having the provider maintain the user's contacts database means that there is increased risk surface for unauthorized disclosure of that information (compared to it being maintained locally). Since different providers (within a given country) may have different policies, we might want to caution RUE implementations to have a user interaction step before proceeding to actually register with any given provider. NITS No need to reply to any of these; if you disagree, that's fine. Section 5.2.1 Negotiated media MUST follow the guidelines specified in Section 6 of this document. If they MUST be followed, are they really guidelines, or requirements? Section 5.2.3 To identify the owner of a RUE, the initial INVITE for a call from a RUE, or the 200 OK accepting a call by a RUE, identifies the owner by I think s/the 200 OK accepting a call by a RUE/the 200 OK a RUE uses to accept a call/ would avoid ambiguity about whether this binds as (accepting a (call by a RUE)) vs ((accepting [of] a call) by a RUE). Section 9.1 provider names for a country code suitable for display, with a corresponding a entry point to obtain information about that provider. s/corresponding a/corresponding/ Section 9.2 HTTPs web service. There are two entry points. One is used without user credentials or parameters, the response includes configuration data for new user sign up and dial around. The other uses the Comma splice. Section 9.2.2 * videomail: (optional) An SIP or HTTPS URI that can be called to retrieve video mail messages. Can an HTTPS URI really "be called"? (This text also appears in §9.3.)
- [Rum] Benjamin Kaduk's Discuss on draft-ietf-rum-… Benjamin Kaduk via Datatracker
- Re: [Rum] Benjamin Kaduk's Discuss on draft-ietf-… Brian Rosen
- Re: [Rum] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [Rum] Benjamin Kaduk's Discuss on draft-ietf-… Brian Rosen