IETF Logo Mail Archive

Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-15: (with DISCUSS and COMMENT) - the pull request

Christer Holmberg <christer.holmberg@ericsson.com> Tue, 05 May 2020 19:31 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34E863A093B; Tue, 5 May 2020 12:31:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hQzv1gndxqwp; Tue, 5 May 2020 12:31:41 -0700 (PDT)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2051.outbound.protection.outlook.com [40.107.20.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2AD413A0934; Tue, 5 May 2020 12:31:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EhidC39RA7R28mOp/3o73M3tpcr1ypYCF1CqHehLqD/oU+msqwGAS//P4wWIqTinbWoKnkTAOhAY8Zb8wAoBMFJ7VQkMn+H5a8V4zSxtqFbp9gniMe5ik4WvnATG2HGOaAXI8tEsjQ8u2Bu10vp1ARAnOfw8NMfN2b1zgxLU47upuItN5dTkdo3foO/LIZEGaO0gpdZLk76sd2AY+uGh8FZnjTSIDkO1Xt08hT6WliOQ0OQihUzamwv+LVh0cqW6Pu7nFkY5uUM56jr5KCqDwlTPbS2SuS2Af8wA1O/0wgs9FKBOIvRApDbDMVlJBKpNYjHT30Rd1eBLL5Hl4iG4mQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=BvtQvm87Q+kFEeFBwucIhrW2Kw4HgVivUiGaNJUk4t8=; b=jnrerhYNHdEkFk1cn8EwJ2JQ4sGzPGLFao6ZgMCMUbWpkIIu/6hUHM5cF/iI9ol4rbRz6oUmOYUnCKxGBTlJuCXtqCYdDnXzDucfwaWxht5oZpGs2bIEvyr6EVq/zpQ14Spbi5eA3UIPb8iDZ/Luuec0M64ju1ceiVF/vGNH9OOg4aafBCjernzF5Qgady7bQ9h8B1hxb9ymMGlNVLq0H30C/wPMs310mIXCEg5FYfM8fx+kAUs8Ur2WGeSto80qkQVzPTBI4ee7f+E3rrvs1ft74l0ymqBeeT0YNqiC1TuwBkOgzJ4vog7BhdhDfdGBO5IYjBWA+DbGEJlJRVL3lQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=BvtQvm87Q+kFEeFBwucIhrW2Kw4HgVivUiGaNJUk4t8=; b=pWdTlwxuBImdzsRa1mX9fQFLb8zC9yWD4lqy4yX9N8YQ7dBp/4TYt8OIgQzkkoaf+WiC4Bz0cJv33u4m5+lWaJz7jHrWhMpIogCMZt5cyj6XZ8VG3u/hUMvT7kB2m2hCWU/RVAjZc2/iaeqwQdIESFRfl9/9o/6kF15OVBNTYW0=
Received: from AM7PR07MB7012.eurprd07.prod.outlook.com (2603:10a6:20b:1bc::19) by AM7PR07MB6754.eurprd07.prod.outlook.com (2603:10a6:20b:1b4::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2979.18; Tue, 5 May 2020 19:31:37 +0000
Received: from AM7PR07MB7012.eurprd07.prod.outlook.com ([fe80::4c:e502:13cf:87a8]) by AM7PR07MB7012.eurprd07.prod.outlook.com ([fe80::4c:e502:13cf:87a8%4]) with mapi id 15.20.2979.025; Tue, 5 May 2020 19:31:37 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: The IESG <iesg@ietf.org>, "draft-ietf-sipcore-sip-token-authnz@ietf.org" <draft-ietf-sipcore-sip-token-authnz@ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, SIPCORE <sipcore@ietf.org>, Jean Mahoney <mahoney@nostrum.com>
Thread-Topic: Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-15: (with DISCUSS and COMMENT) - the pull request
Thread-Index: AQHWIxPLPYWUKpnVIEeXm15v0L16bA==
Date: Tue, 05 May 2020 19:31:37 +0000
Message-ID: <70D8F1BE-9596-4407-9C20-550449863330@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1e.0.191013
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [213.216.230.200]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0a7ac823-8e4e-4e76-0be9-08d7f12aedb0
x-ms-traffictypediagnostic: AM7PR07MB6754:
x-microsoft-antispam-prvs: <AM7PR07MB67544667D7714050D434936893A70@AM7PR07MB6754.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0394259C80
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: PkzowKGQzIgG0ch8BAnmHiffrVbJ6efIopeKg9f5Wpprxzm5ixwuaFiE2i52dpNRzlIEq9DT+M8Vb0zRQxPlUi5ftHlrsdHGHNMVDta8XoLD61kato0ZZRtWtbz91iUjx6nSQIoBIfYP9fjjVGIxQuZXPRhXcBp2qnRtEDnBgdp5QxHui+IWWHcpLh0Y5nffcmYlaw/a3KoUZDpVjxpql4up+KtX9m7kdLuJ/CGh1KGZFQ+/5d1pYXvNwwCO6HFp56ZnPgcxeKIcxtQyQpT36Zuctfa6GN1biEJq1mw3PbXKV5lys/j67wBeDt236FTNgxMJI+1FjGkLjN2AwPrnA4KM1X14jvb5h4lYdc39zDJa88chFgemjvquADjWFxilVceWGV8v8FlALg+zpSFrNFWLnFIu0GzoZVcDnbtg4GmTt7R8Y3LWnRd15zdrcVX2Qb8MDsSFvT4gtIViFcollMLC8Ry86n1XoWBEtG/Fhy5y5WNm97A3zbHDhhYEXiZ7YGCEg9WW7FrpFAlduNkUurC4+/g+7GsCTOyrVnR1zI/1ZYwLcNaGflRadzUxwyDaPbD/WPmkDsf2JUratkteLK8MW6Tf6h9pMxTqGLLRvfk=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM7PR07MB7012.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(366004)(33430700001)(71200400001)(6486002)(91956017)(2906002)(166002)(33440700001)(6506007)(53546011)(8676002)(66556008)(66446008)(76116006)(66476007)(64756008)(66946007)(8936002)(966005)(33656002)(498600001)(6512007)(36756003)(26005)(186003)(4326008)(66574012)(5660300002)(21615005)(44832011)(86362001)(2616005)(54906003)(110136005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: f1Neg1NdXp6YwttleRXCR/PnTW4GjAQh7vWSfIeKqvJ3z3cb7vkKCDrK+jkJk3iafUjEpaiuikV/pnFMxObqHrOboD2JRwFV7FP8PqKmdx5DyMFHtQ8Goxp3uXYwgk+9v3HACbpRb/GHrYjh4/XKL+5vgFsMpkaOtmSZhBHoQv2YkAYMe3WrxOlXW8uMf9FRo2YWZnAZjk35UCQIBsW3PoRwVMLMJ+QxRAgNBNpDom+4Uuvls3kLqkF3vEnG9ckjVHf9hK3fxA9+2/apL8EUN0Ep8J3vikzuFfOlYOIo5eHmN7YFNWS6W6JA5+xN2Dvy4lMKtJUKzDk2dqf7ED2dcQxndznLQYxokNwF4XiCC0DWmZgAriS2xQE5dmO68DjHHrCT+u0ia4L0VBlMK7QTAd1Fiu6AcQjZIeMK+Daq39q3P/A4u+/f3yfOSs8lQfcCgQlfgOp3S/ac6qUQ4kSdOShwirREoJJTR2JKAcZVlk4HsQ1XnqjbDUoqrA6Yttws9OnrDM7XPC1eNFpzfXlwYSLpeYcfrmGu70w6WuZP4n8c7aI3k3kDl80c9jzMJTw0l33OsB1pDiMfh9RApHOOKDzrdWzFA2KmFJ9nQtB0BKErEldjBt//4I/qi5bWo2gh0yH+td1lTM/fVCtqQ2rqKWyocF+eeWtWb2iAAkx+InDqyFTSNIhVjoLbbN9k9ssct/fp6DQGvEjSvZ6E5/JC9Q5ysZNq6W+dkUDIgp8sjSFxS5Dtp6XsIipegwdCutdc6fJAKK/N/w+Src0uY1nAGSLWD4uNjSbCJ9WumAN/CUUf07aOHkinCft5bxx5A0u7
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_70D8F1BE959644079C20550449863330ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0a7ac823-8e4e-4e76-0be9-08d7f12aedb0
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 May 2020 19:31:37.3817 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Ay2zmwiTgYvWfFz+Ecic9DsBECXoTntNUS7QbXKPn03S5MJTCi4cAbXFfpyzQ4cn3JEfi7le5CIgZkY/6lPiZYddyogfgVYeZCD/ZhBsac0=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR07MB6754
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/-MQ4_W_jzvOjU4M6Aj3W_wH3E7o>
Subject: Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-15: (with DISCUSS and COMMENT) - the pull request
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2020 19:31:46 -0000

Hi,

Based on Benjamin’s comments, I created a new pull request:

https://github.com/rifaat-ietf/draft-ietf-sipcore-sip-token-authnz/pull/9

Regards,

Christer


From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Tuesday, 5 May 2020 at 22.10
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-sipcore-sip-token-authnz@ietf.org" <draft-ietf-sipcore-sip-token-authnz@ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "sipcore@ietf.org" <sipcore@ietf.org>, "A. Mahoney" <mahoney@nostrum.com>
Subject: Re: Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-15: (with DISCUSS and COMMENT)
Resent from: <alias-bounces@ietf.org>
Resent to: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Christer Holmberg <christer.holmberg@ericsson.com>, Victor Pascual <victor.pascual.avila@gmail.com>
Resent date: Tuesday, 5 May 2020 at 22.10

Inline...

On Tue, May 5, 2020 at 2:46 PM Benjamin Kaduk via Datatracker <noreply@ietf.org<mailto:noreply@ietf.org>> wrote:
Benjamin Kaduk has entered the following ballot position for
draft-ietf-sipcore-sip-token-authnz-15: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-sipcore-sip-token-authnz/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Thanks for the updates in the -14 (and -15); they cover most of my points.

Unfortunately, the new security considerations text seems to introduce a
problematic recommendation:

   Because of that, it is critical to make sure that extra security
   measures be taken to safeguard credentials used for Single Sign-On.
   Examples of such measures include long passphrase instead of a
   password, enabling multi-factor factor authentication, and the use of
   embedded browser when possible, as defined in [RFC8252].

Looking at RFC 8252 (Section 8.12), it seems to be rather strongly recommending
to *not* use an embedded browser, which is the opposite of the apparent
recommendation here.  Are we missing a word "avoiding" or similar?

Yeah, this should have been "browser" not "embedded browser".
We will remove the "embedded browser" and replace it with "the native platform browser".


Also, I am not 100% sure my note about refresh tokens was fully addressed;
in Section 2.1.1 we see:

   The refresh token is only used between the UAC and the AS.  If the AS
   provides a refresh token to the UAC, the UAC uses it to request a new
   access token and refresh token from the AS before the currently used
   access token expires ([RFC6749], Section 1.5).  If the AS does not

Is it accurate to say that the refresh token is used "to request a new access
token and refresh token" (specifically the "and refresh token" part)?  I know that
it is not always returned, but am less sure about whether the semantics always
include an (implicit) request for a new one.

Returning a refresh token is based on AS policy.
We will remove the "and refresh token".



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Some other comments on the new text that do not rise to Discuss-level.

Thanks for adding the mention of a whitelist of trusted ASes; I would consider
also mentioning it in Section 4 for the authz_server parameter, and/or in the
security considerations.
We will add that to the security consideration section.


I also would have liked to see some guidance about when one should/shouldn't
include the realm parameter in a challenge.
I think this is out of scope, as we are not updating or changing the existing SIP behavior on this issue.


Section 2.1.1

   UAC contacts the AS in order to obtain tokens, and includes the
   requested scopes, based on a local configuration (Figure 1).  The UAC
   MUST check the AS URL received in the 401/407 response against a list
   of trusted ASs configured on the UAC, in order to prevent several
   classes of possible vulnerabilities when a client blindly attempt to
   use any provided authorization.

nits: "attempts", and maybe "any provided authorization server".
Will fix it

Section 3

nit: s/claimes/claims/
Will fix it


Section 5

   When a registrar chooses to challenge a REGISTER request, if the
   registrar can provide access to different levels of services, it is
   RECOMMENDED that the registrar includes a scope in the response in
   order to indicate the minimum scope needed to register and access
   basic services.  The access token might include an extended scope
   that gives the user access to more advanced features beyond basic
   services.

Is there anything to say about how the broader scope value might be learned?
In SIP, it is typically controlled by the admin, that controls the AS, and dictates the level of access for the user.
We will add a sentence to that extent.

Regards,
 Rifaat

v2.23.0 | Report a Bug | By Email