IETF Logo Mail Archive

Re: [Sip] Event Lists: Back-End Credentials

David R Oran <oran@cisco.com> Wed, 27 October 2004 12:51 UTC

Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA00736 for <sip-web-archive@ietf.org>; Wed, 27 Oct 2004 08:51:37 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CMnV1-0004Zr-8Z for sip-web-archive@ietf.org; Wed, 27 Oct 2004 09:05:59 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CMnFI-0001Gy-Jr; Wed, 27 Oct 2004 08:49:44 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CMnET-00017y-VP for sip@megatron.ietf.org; Wed, 27 Oct 2004 08:48:54 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA00473 for <sip@ietf.org>; Wed, 27 Oct 2004 08:48:52 -0400 (EDT)
Received: from sj-iport-4.cisco.com ([171.68.10.86]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CMnSL-0004VZ-Fk for sip@ietf.org; Wed, 27 Oct 2004 09:03:14 -0400
Received: from sj-core-3.cisco.com (171.68.223.137) by sj-iport-4.cisco.com with ESMTP; 27 Oct 2004 05:50:03 -0700
X-BrightmailFiltered: true
Received: from imail.cisco.com (imail.cisco.com [128.107.200.91]) by sj-core-3.cisco.com (8.12.10/8.12.6) with ESMTP id i9RCmJ9b013547; Wed, 27 Oct 2004 05:48:20 -0700 (PDT)
Received: from [10.32.245.154] (stealth-10-32-245-154.cisco.com [10.32.245.154]) by imail.cisco.com (8.12.11/8.12.10) with SMTP id i9RCnoD1030670; Wed, 27 Oct 2004 05:49:53 -0700
In-Reply-To: <417DE95C.8040805@nostrum.com>
References: <417DE95C.8040805@nostrum.com>
Mime-Version: 1.0 (Apple Message framework v619)
Message-Id: <7342A8D3-2816-11D9-BDDE-000A95C73842@cisco.com>
From: David R Oran <oran@cisco.com>
Subject: Re: [Sip] Event Lists: Back-End Credentials
Date: Wed, 27 Oct 2004 08:48:07 -0400
To: Adam Roach <adam@nostrum.com>
X-Pgp-Agent: GPGMail 1.0.2
X-Mailer: Apple Mail (2.619)
IIM-SIG: v:"1"; h:"imail.cisco.com"; d:"cisco.com"; z:"home"; m:"krs"; t:"1098881396.177059"; x:"432200"; a:"rsa-sha1"; b:"nofws:4951"; e:"Iw=="; n:"sQYarK2E51MdcTiUqeif3F7cWdxIfoCiXhdfb9vD5ee/j0jXL15gbFxF2pXIw" "eAblu0N6XAgK7k+wrbr7bQDJaCDqOmzqpRUBjIRQAXQ7NzadpmR3pUL6wxaRU" "tW+c43sl9jC50Qg1sXHpPjt8Y+Y16ioyQAQAdSunM4YhevURc="; s:"dSo4phGQoQ4nKLclMXE3kVf4wOQYBlVSbb/fif8TatiV2PYLb/AMrn1pTxD59" "hLeyJqgt0sIi5Xy/r9dOfg9oUVhndZv5U2s+8+LgVMDO/KyyXWiemTcseG5PZ" "S65axYgdHpYTuQU2ypL6D243DhsL9BQ+Qce5zmnUFaz9ivbVI="; c:"From: David R Oran <oran@cisco.com>"; c:"Subject: Re: [Sip] Event Lists: Back-End Credentials"; c:"Date: Wed, 27 Oct 2004 08:48:07 -0400"
IIM-VERIFY: s:"y"; v:"y"; r:"60"; h:"imail.cisco.com"; c:"message from imail.cisco.com verified; "
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 67c1ea29f88502ef6a32ccec927970f0
Cc: sip@ietf.org, Jonathan Rosenberg <jdrosen@dynamicsoft.com>
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0942101743=="
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 932cba6e0228cc603da43d861a7e09d8

On Oct 26, 2004, at 2:06 AM, Adam Roach wrote:

> After a discussion with Dean about some of the issues surrounding the 
> back-end credential issue that I raised earlier on the list, I struck 
> upon a solution that might get us past this logjam.
>
> The lynch pin to this solution is that the RLS does not ever pretend 
> to be the user. Instead, it always subscribes as its own identity. It 
> can present credentials as necessary to authenticate itself, but only 
> as itself, not as its subscribers.
>
This factors the security issues, but introduces an inconvenience in 
that any authorization policies have to know about the RLS in addition 
to the user on behalf of whom the RLS is doing the list management. 
Whether this constitutes a major or minor inconvenience is worth 
pondering.

> A consequence of this is that, lacking any other mechanism, the 
> resources in a resource list for which the RLS is not authoritative 
> will contain only the information that their notifier is willing to 
> reveal to the RLS -- which is generally the same information they 
> would render to unauthenticated users. In some cases, this might 
> result in no useful information being transferred.
>
This strikes me as closer to "major" than "minor" if an important use 
case is buddy lists - which I suppose it is. If the RLS is in fact some 
kind of "shared resource" and doesn't have an identity controllable by 
the user it is acting on behalf of there would be little motivation for 
anyone to trust it and hence policy devolves to the anonymous 
subscription case in most instances. That would seem to do substantial 
damage to the utility for buddy lists.

> Of course, the resource would still be present in the RLMI document; 
> this gives the subscriber the *option* to directly subscribe to any 
> resources for which the RLS is not authoritative. To facilitate the 
> client's ability to perform such subscriptions, the RLMI documents 
> would be enhanced with a flag which indicates whether the RLS is 
> authoritative for the resource.
>
Sure, but that's just saying that the RLS optimizations are of less 
value, and the subscriber's job of sorting through the policy versus 
overhead tradeoffs is made harder.

> Finally, we would mention in the document that future work may define 
> a mechanism by which the subscriber can pass the RLS an authorization 
> token; the RLS could include this token in requests to show that it 
> has been authorized by the user to send SUBSCRIBE messages for 
> arbitrary resources on the user's behalf (mostly likely for a limited 
> time period).
>
That's a form of delegation which seems like it would work well for 
this purpose.

> Of the solutions we've seen so far, I think this one is the cleanest 
> from a security perspective. Further, it will almost certainly allow 
> us to progress the draft now, and separate the delegation problem so 
> that it can be solved in a way that works well with the other identity 
> and authentication work currently underway (and might even be reusable 
> in other applications, such as dial-out conference bridges).
>
True, but are the tradeoffs with other aspects of utility and 
complexity right? I'm not sure but on the small amount of thought I've 
given this it strikes me as questionable.

> Thoughts?
>
One option is to delay RLS until we have delegation (at least in the 
limited context of RLS) solved, since as you point out above 
subscribers may have to fall back to separate subscriptions to all the 
resources anyway.

I'll observe that once a spec gets through to RFC, the enthusiasm to 
enhance it to do its full job wanes, and the complexities of multiple 
variants in the the wild reduces the practical utility of the "correct" 
solution.

I don't feel strongly about this one way or the other.

Dave.

> /a
>
> _______________________________________________
> Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use sip-implementors@cs.columbia.edu for questions on current sip
> Use sipping@ietf.org for new developments on the application of sip
>
David R. Oran
Cisco Fellow
Cisco Systems
7 Ladyslipper Lane
Acton, MA 01720 USA
Tel: +1 978 264 2048
Email: oran@cisco.com

_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip

v2.23.0 | Report a Bug | By Email