Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Wed, 10 July 2019 09:28 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "Olle E. Johansson" <oej@edvina.net>, Paul Kyzivat <pkyzivat@alum.mit.edu>
CC: "sipcore@ietf.org" <sipcore@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/-iH7D5sStUUIxjGlSF92lSMfUOg>

Hi,

...

>> My main point here is not to get you to explain it to me in this email thread. What I want is to see this discussed adequately in the security considerations of the document. If it isn't "safe" to send the token to everybody, then how do I decide who I can safely send it to?
>>
>> One partial answer might be: if a challenge results in asking the user to authenticate for the realm, then the user gets to decide if he wants to, and if so then the resulting token should be sent to the same target just then. But this doesn't address when the same token can be used preemptively later. That still needs discussion.
>>
> This is an interesting topic that we really need to look into seriously. Consider an access token that has a validity of one hour. That token can be copied by any proxies or network elements on the path and be re-used by others within the validity period to get access.
>
> RFC 6749 Section 10.3 clearly states the need for confidentiality of the access token:
>
> "Access token credentials (as well as any confidential access token
>   attributes) MUST be kept confidential in transit and storage, and
>   only shared among the authorization server, the resource servers the
>   access token is valid for, and the client to whom the access token is
>   issued."
>
> One solution would be that the challenge indicates a pointer to a valid cert with a public key to use for encryption of the tokens. We have the Identity-Info header in RFC 4474
> as an example of pointing to a cert. The implementation supporting this draft already supports https…

As I indicated in another e-mail, the token needs to be protected, so that proxies between the UA and registrar (in the case of REGISTER) can't use it.

Regards,

Christer
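The exposure described in the thread (a bearer token with a one-hour lifetime that every hop-by-hop proxy on the REGISTER path can read and reuse) and the mitigation Olle sketches (the challenge points to a certificate, and the UA encrypts the token to that public key) are shown below as an added Go example. This is not code from the draft, from any implementation mentioned in the thread, or from the authors. It assumes a hypothetical `enc-token` parameter on the Authorization header, stands in for resolving the certificate pointer with a direct `PublicKey()` call, and goes one step beyond the sketch by binding the sealed payload to the challenge nonce so that a copied blob cannot be replayed; that binding is a design choice made here, not something the thread specifies.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// sealedPayload is what the UA encrypts toward the registrar: the bearer token
// plus the nonce of the challenge it answers (nonce binding is an assumption
// of this example, chosen so a copied blob fails on replay).
type sealedPayload struct {
	Token string `json:"token"`
	Nonce string `json:"nonce"`
}

// Registrar owns the key pair whose public half the certificate referenced
// from the challenge would carry; tokens and pending nonces are a constructed store.
type Registrar struct {
	priv    *rsa.PrivateKey
	tokens  map[string]time.Time // token -> expiry
	pending map[string]bool      // challenge nonces not yet consumed
}

func NewRegistrar() (*Registrar, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Registrar{priv: priv, tokens: map[string]time.Time{}, pending: map[string]bool{}}, nil
}

// PublicKey stands in for resolving the certificate pointer in the challenge.
func (r *Registrar) PublicKey() *rsa.PublicKey { return &r.priv.PublicKey }

// Issue records a constructed access token with the one-hour validity discussed in the thread.
func (r *Registrar) Issue(token string, now time.Time) { r.tokens[token] = now.Add(time.Hour) }

// Challenge mints a fresh nonce the registrar expects back inside the sealed payload.
func (r *Registrar) Challenge() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := base64.RawURLEncoding.EncodeToString(b)
	r.pending[n] = true
	return n, nil
}

// Seal encrypts token+nonce to the registrar's key with RSA-OAEP/SHA-256, so
// proxies relaying the REGISTER see only ciphertext.
func Seal(pub *rsa.PublicKey, token, nonce string) (string, error) {
	pt, err := json.Marshal(sealedPayload{Token: token, Nonce: nonce})
	if err != nil {
		return "", err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pt, []byte("sip-token"))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// BuildRegister renders a minimal REGISTER; "enc-token" is a placeholder
// parameter name for this example, not something the draft defines.
func BuildRegister(sealed string) string {
	return "REGISTER sip:registrar.example.net SIP/2.0\r\n" +
		"Authorization: Bearer enc-token=\"" + sealed + "\"\r\n\r\n"
}

// ProxyCanRead reports whether an on-path element could see the plaintext
// token in the message (the exposure RFC 6749 section 10.3 forbids).
func ProxyCanRead(msg, token string) bool { return strings.Contains(msg, token) }

// Verify is the registrar side: decrypt, consume the nonce (single use), then
// check the token is known and unexpired at time now.
func (r *Registrar) Verify(sealed string, now time.Time) error {
	ct, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, r.priv, ct, []byte("sip-token"))
	if err != nil {
		return errors.New("cannot decrypt: not sealed to this registrar")
	}
	var p sealedPayload
	if err := json.Unmarshal(pt, &p); err != nil {
		return err
	}
	if !r.pending[p.Nonce] {
		return errors.New("nonce unknown or already used: possible replay")
	}
	delete(r.pending, p.Nonce)
	exp, ok := r.tokens[p.Token]
	if !ok {
		return errors.New("unknown token")
	}
	if now.After(exp) {
		return fmt.Errorf("token expired at %s", exp.Format(time.RFC3339))
	}
	return nil
}
```

Sealing the token to the registrar's key gives the confidentiality toward intermediaries that the quoted RFC 6749 text requires, but on its own it would still let a proxy forward the same ciphertext in its own REGISTER within the validity window; that is why the example folds the challenge nonce into the encrypted payload and has the registrar consume it on first use. Preemptive use of a token without a prior challenge, which Paul raises above, is not covered by this construction.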