Re: [Rum] RUE client credentials

Brian Rosen <br@brianrosen.net> Wed, 28 August 2019 14:41 UTC

Return-Path: <br@brianrosen.net>
X-Original-To: rum@ietfa.amsl.com
Delivered-To: rum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B277120043 for <rum@ietfa.amsl.com>; Wed, 28 Aug 2019 07:41:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=brianrosen-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GCj3YHRXHCTG for <rum@ietfa.amsl.com>; Wed, 28 Aug 2019 07:41:11 -0700 (PDT)
Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59A0412001E for <rum@ietf.org>; Wed, 28 Aug 2019 07:41:11 -0700 (PDT)
Received: by mail-qt1-x82a.google.com with SMTP id u34so3277280qte.2 for <rum@ietf.org>; Wed, 28 Aug 2019 07:41:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brianrosen-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=vu6fEkgJmu2xJenq0CC1JB9Ui8V9fClaMhPlCNCOnUc=; b=LMptgLCGSf4kJZOCiGsPNuucEi8mUQgIn5Xdw9rCKKxXPs5mFbFsNGLpnvxesBaUAU okTNxaaN49Js641eCasoe2QkwR83UHR6EJ1IbW8H2azfQ6NiED9V9J6M83Wjg3EWD6Ed iGpeP11YZUB7ORbEwyGZsERwaR0DoAa5Z+kTxA0W96JSpXYhoOH4NB8ng01JAVa/1fxU //jDqdTo9KlDT1Jx/XnzdWhE0vXxm3EFWH2kplx6uY6MdbES3fFY+BP4Vlz5go56O3Zy UvnIIA5cmSL1FBW+VwFT6Gqayc2USHxlQoLn2OHk28KVsyHXkfv45Wm26+DNUaHGYrel xZoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=vu6fEkgJmu2xJenq0CC1JB9Ui8V9fClaMhPlCNCOnUc=; b=fZC5rPgfSH8l976W6C7l7wP8SyckSRGQBLC2l/xgQGctOmWVYdZglEmUA6CJzgxapC HdNs1PArASiFuCgP2Wbt4vgQ7+uvkC1UT+VJ58k/T9NaBwe0BK4IxAxFe4RxkmtxB0OJ UrW5kYULsTspGux8fExnxQ2+HhyEne4qMnSvPEY1HhW7+vLTnboIW3IYYbiNUKMuv6Z5 Q5PYHFTvH3tXiD/uSFwmDkM5G27KYdKmOuyTksW/h4UOJpcD6a++CE9meCEtkAOuCxUL 9bzynhs5RuR6qT5S7ppcKmMD3bgMu2vsUnNBFF7xR74+126g0m9VHEox//LUNaTf46xn xV+A==
X-Gm-Message-State: APjAAAXigwKAnq2A6WRIT+r45g09D+8c4t43nvG71jyN/eonzURa3Slb jsyrOWBB/+OOA22sVrI57653veJnHbA=
X-Google-Smtp-Source: APXvYqzWr5VItMiiwrZg/nYUlaSoRaIkupaisTiAzO9Seg9cqtU+1KkiQz0+y4SlW1MnSBZShvsd7g==
X-Received: by 2002:aed:31c2:: with SMTP id 60mr4198032qth.331.1567003270274; Wed, 28 Aug 2019 07:41:10 -0700 (PDT)
Received: from brians-mbp-2369.lan ([24.154.122.195]) by smtp.gmail.com with ESMTPSA id o43sm1524606qto.63.2019.08.28.07.41.09 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 28 Aug 2019 07:41:09 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Brian Rosen <br@brianrosen.net>
In-Reply-To: <30a05d55-3aee-3195-3e2e-9ac1d92b886d@alum.mit.edu>
Date: Wed, 28 Aug 2019 10:41:08 -0400
Cc: rum@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <797A336B-0D32-4D4F-AF16-C5D8A4648D22@brianrosen.net>
References: <8FB5F5A0-E3FE-40F8-A6D0-35D9002C6770@brianrosen.net> <85828597-D024-4E7E-8876-F1C4753E6B7D@edvina.net> <64B406DC-4171-41EB-9171-A2AF7B78B409@brianrosen.net> <054dde2a-7fa1-9941-986c-f3b3d8c0f76e@alum.mit.edu> <831AD5BE-0D8F-4968-ABC7-B8D52BB8D4B0@brianrosen.net> <30a05d55-3aee-3195-3e2e-9ac1d92b886d@alum.mit.edu>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rum/zYz2Ztzwh3139b40SpOLXbZqv2Y>
Subject: Re: [Rum] RUE client credentials
X-BeenThere: rum@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Relay User Machine <rum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rum>, <mailto:rum-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rum/>
List-Post: <mailto:rum@ietf.org>
List-Help: <mailto:rum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rum>, <mailto:rum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2019 14:41:13 -0000

Ever since I’ve been working on this doc, the cert was for mutual auth of the user, instead of username and password.  

We get to use the IETF’s best practice here.  Do we require a RUM device to support mutual auth, or not?  We’re always going to support username and password for authentication.
We get to decide what else.

Brian

> On Aug 28, 2019, at 9:47 AM, Paul Kyzivat <pkyzivat@alum.mit.edu> wrote:
> 
> On 8/27/19 3:32 PM, Brian Rosen wrote:
>> Getting back to this, sorry for the delay.
>>> On Aug 12, 2019, at 3:40 PM, Paul Kyzivat <pkyzivat@alum.mit.edu> wrote:
>>> 
>>> On 8/7/19 5:14 PM, Brian Rosen wrote:
>>>> Working on these comments.  I submitted a new version (-01)
>>>> I edited the doc to say the client cert is provisioned.  Given that it’s provisioned by the entity that the provides the server, do I need to say anything else about validating the cert?
>>> 
>>> I think we need to examine what the goal is here, and whether it is being achieved. I don't think enough is said to decide.
>>> 
>>> This client cert mechanism was first added way back when (2015 I think). IIRC, the motivation was because the providers wanted to restrict access to RUE *implementations* that have passed interoperability testing, in order to reduce the problems of dealing with buggy implementations or attackers.
>> I think you are confusing validating an implementation from authenticating a user.  The notion of mutual auth with a per-device cert is completely separate from some notion of “signing” an implementations code.
> 
> No. You can argue that the client cert mechanism in not an appropriate mechanism for this, but it was the intent when the mechanism was proposed.
> 
> I can see how this might be confused if you weren't there at the time. And perhaps the thinking about it has evolved since it was first included. I wasn't party to what happened during 2016-18.
> 
> IIUC the providers still want this - a way to screen out RUE *implementations* that have not passed their testing. However, I don't know how to achieve that goal. And I'm inclined to think that it is an unreasonable expectation. It is akin to web site operators asking for a way to screen out any browser implementations that they haven't already tested against.
> 
>> We can decide we don’t want the option of having mutual auth.
> 
> Clearly there is need for some mechanism to securely associate a RUE with an account at the provider and a phone number. And this needs to work with devices that are persistently connected. If a RUE suffers a power or network outage that is restored in the middle of the night then it should be able to reconnect without a user login so that it can be available for incoming calls.
> 
> That was intended to be covered by passwords. But care must be taken to secure those.
> 
> 	Thanks,
> 	Paul