IETF Logo Mail Archive

Re: [Sip] Event Lists: Back-End Credentials

David R Oran <oran@cisco.com> Fri, 22 October 2004 00:41 UTC

Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA14936 for <sip-web-archive@ietf.org>; Thu, 21 Oct 2004 20:41:36 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CKnhf-00072m-4b for sip-web-archive@ietf.org; Thu, 21 Oct 2004 20:54:47 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CKl8T-0007CY-Do; Thu, 21 Oct 2004 18:10:17 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CKj8s-0003tk-Ly for sip@megatron.ietf.org; Thu, 21 Oct 2004 16:02:34 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA14428 for <sip@ietf.org>; Thu, 21 Oct 2004 16:02:32 -0400 (EDT)
Received: from sj-iport-3-in.cisco.com ([171.71.176.72] helo=sj-iport-3.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CKjLY-000565-T7 for sip@ietf.org; Thu, 21 Oct 2004 16:15:41 -0400
Received: from sj-core-2.cisco.com (171.71.177.254) by sj-iport-3.cisco.com with ESMTP; 21 Oct 2004 13:19:26 +0000
X-BrightmailFiltered: true
Received: from imail.cisco.com (imail.cisco.com [128.107.200.91]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id i9LK0tYJ023242; Thu, 21 Oct 2004 13:00:56 -0700 (PDT)
Received: from [10.32.245.154] (stealth-10-32-245-154.cisco.com [10.32.245.154]) by imail.cisco.com (8.12.11/8.12.10) with SMTP id i9LK35bI029143; Thu, 21 Oct 2004 13:03:08 -0700
In-Reply-To: <41780D08.3090007@nostrum.com>
References: <41780D08.3090007@nostrum.com>
Mime-Version: 1.0 (Apple Message framework v619)
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Message-Id: <EB3ABC23-239B-11D9-A86C-000A95C73842@cisco.com>
Content-Transfer-Encoding: 7bit
From: David R Oran <oran@cisco.com>
Subject: Re: [Sip] Event Lists: Back-End Credentials
Date: Thu, 21 Oct 2004 16:00:55 -0400
To: Adam Roach <adam@nostrum.com>
X-Mailer: Apple Mail (2.619)
IIM-SIG: v:"1"; h:"imail.cisco.com"; d:"cisco.com"; z:"home"; m:"krs"; t:"1098388990.91026"; x:"432200"; a:"rsa-sha1"; b:"nofws:4628"; e:"Iw=="; n:"sQYarK2E51MdcTiUqeif3F7cWdxIfoCiXhdfb9vD5ee/j0jXL15gbFxF2pXIw" "eAblu0N6XAgK7k+wrbr7bQDJaCDqOmzqpRUBjIRQAXQ7NzadpmR3pUL6wxaRU" "tW+c43sl9jC50Qg1sXHpPjt8Y+Y16ioyQAQAdSunM4YhevURc="; s:"icJRJHoRqfBxaENFrRIx4fG2HtdPnlAPAXvj77b6NxduVOJf1r3UPj2LHtKPu" "sOliwvvLCpmUw1u8Ucv1dnopdLzK2JzSuuHXHD0MU4GcHEKXj35GBbO3MXUGU" "FRVtU1Pq6XBMR+oT84CeRZg3BarEYxZ1Es/NtOo4SFU+/QUak="; c:"From: David R Oran <oran@cisco.com>"; c:"Subject: Re: [Sip] Event Lists: Back-End Credentials"; c:"Date: Thu, 21 Oct 2004 16:00:55 -0400"
IIM-VERIFY: s:"y"; v:"y"; r:"60"; h:"imail.cisco.com"; c:"message from imail.cisco.com verified; "
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5011df3e2a27abcc044eaa15befcaa87
Content-Transfer-Encoding: 7bit
Cc: sip@ietf.org
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 057ebe9b96adec30a7efb2aeda4c26a4
Content-Transfer-Encoding: 7bit

Sigh. Delegation is hard. I frankly don't like any of these solutions 
because they allow full user impersonation by the RLS, which is a lot 
more trust that I think ought to be given it.

If we want to really tackle delegation, I'd suggest that we extend SIP 
generally to allow SIP-specific delegation capability. One way to do 
this is for the user to construct a certificate for the RLS giving it 
specific rights (e.g. Subscribe on my behalf), and then signing it 
based on a credential that would be accepted by the ultimate target of 
the request. SAML might be our friend here.

It might be worth going back and seeing what applies to REFER as well 
while we're at it since REFER has some pretty brittle security 
properties due to our needing to to get done quickly.

Dave.

On Oct 21, 2004, at 3:24 PM, Adam Roach wrote:

> During IESG review of draft-ietf-simple-event-list-05, the IESG raised 
> a concern that section 7.1 does not specify a mandatory-to-implement 
> mechanism for transfer of a secret to the RLS. This secret transfer is 
> necessary under some circumstances for the purposes of authenticating 
> on the users behalf for back-end subscriptions.
>
> There is no clear-cut solution to this problem. The options that I've 
> been able to think of -- and there are almost certainly more -- are as 
> follows:
>
>    * Make HTML forms mandatory
>
>    The current example in the draft is to send the credentials in an
>    HTML form over HTTP. Making this mandatory has the obvious drawback
>    that it requires HTML browsers in all devices that make use of event
>    lists. This is probably not an acceptable requirement.
>
>    * Disallow back-end subscriptions altogether
>
>    For this solution, the list server would pass back the resource list
>    in notifications, along with state for any locally managed states.
>    The client would be responsible for sending subscriptions for the
>    state for any resources in the list that are not managed by the RLS.
>    This defeats some of the purpose of event lists, since the client is
>    left with maintaining several subscriptions for resources -- so it's
>    really rather suboptimal.
>
>    * Add new SIP header field (or maybe method) for credential upload
>
>    One very simple solution would be to add a new header which contains
>    a triple of [realm,userid,password]. We would specify that this
>    header is disallowed except over SIPS connections. The client would
>    include one or more such headers in its SUBSCRIBE request, and the
>    RLS would use them to obtain information on the user's behalf.
>
>    To make this work, we would also add a status field to the
>    <instance> element that indicates something like "authorization
>    failed" and the realm for which credentials are needed. The user,
>    upon seeing this in the RLMI, could re-subscribe with the missing
>    credentials.
>
>    * Try to leverage ongoing work in draft-ietf-sip-identity and/or
>      draft-jennings-sipping certs
>
>    This feels like the class of problem that the ongoing identity work
>    is trying to solve, but I can't figure out how to apply the existing
>    drafts to it. The problem is that the RLS needs to change almost
>    everything that would be protected by the identity draft.
>
> Of these, I prefer the simplicity of adding a new SIP header-- but I'm 
> a bit scared of it because the obvious, most simple solution in 
> security typically ends up being the wrong solution. However, I'll 
> point out that the concern that was raised by the IESG was *not* that 
> we are passing the user's secret to a third party; it was the fact 
> that we're not defining *how* to do so.
>
> Unless I'm missing something, the RLS simply needs to be trusted to 
> act on the user's behalf to make more-or-less arbitrary SUBSCRIBE 
> requests, since the user doesn't know the contents of the list before 
> subscribing. There might be some really clever way to do this without 
> passing the user's secret over wholesale, but I don't see it.
>
> Thoughts? Ideas? Brilliant solutions?
>
> /a
>
> _______________________________________________
> Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use sip-implementors@cs.columbia.edu for questions on current sip
> Use sipping@ietf.org for new developments on the application of sip
>
David R. Oran
Cisco Fellow
Cisco Systems
7 Ladyslipper Lane
Acton, MA 01720 USA
Tel: +1 978 264 2048
Email: oran@cisco.com


_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip

v2.23.0 | Report a Bug | By Email