IETF Logo Mail Archive

Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

"Olle E. Johansson" <oej@edvina.net> Thu, 11 July 2019 17:10 UTC

Return-Path: <oej@edvina.net>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A2EE120106 for <sipcore@ietfa.amsl.com>; Thu, 11 Jul 2019 10:10:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rR77RntfMbJ5 for <sipcore@ietfa.amsl.com>; Thu, 11 Jul 2019 10:10:39 -0700 (PDT)
Received: from smtp7.webway.se (smtp7.webway.se [212.3.14.205]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3447912003E for <sipcore@ietf.org>; Thu, 11 Jul 2019 10:10:38 -0700 (PDT)
Received: from haworthia-20.webway.org (h-205-16.A165.corp.bahnhof.se [176.10.205.16]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp7.webway.se (Postfix) with ESMTPSA id 77DD1A40; Thu, 11 Jul 2019 19:10:35 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: "Olle E. Johansson" <oej@edvina.net>
In-Reply-To: <cd23be26-c383-8b72-cdf1-4436a6bc175f@alum.mit.edu>
Date: Thu, 11 Jul 2019 19:10:34 +0200
Cc: Olle E Johansson <oej@edvina.net>, Christer Holmberg <christer.holmberg@ericsson.com>, "sipcore@ietf.org" <sipcore@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3B02CDE8-77C3-4DD8-940B-8B41993FFD1D@edvina.net>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu> <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com> <5bb63c0c-130d-7f69-10b0-1ed1b274cc58@alum.mit.edu> <87AD4BB8-CE77-4FD7-BB72-6643DF513058@ericsson.com> <168b1354-b35b-edee-e5f9-d4ddbecfae40@alum.mit.edu> <607A513F-8616-4777-8B5E-59390E845709@ericsson.com> <b6ca4c79-5a17-10da-3882-20bc8b0e9b98@alum.mit.edu> <89A28FAE-A25A-4AFF-9A94-91E09FDD6C3B@ericsson.com> <2aa8cb91-aac6-b66e-e54a-b9f6c650ce02@alum.mit.edu> <D7218ABE-F204-407B-ADE1-39DAB98C2A98@ericsson.com> <cd23be26-c383-8b72-cdf1-4436a6bc175f@alum.mit.edu>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/-smxe6P8xhUeRj1Az7mDCsPE5jY>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2019 17:10:41 -0000


> On 11 Jul 2019, at 15:50, Paul Kyzivat <pkyzivat@alum.mit.edu> wrote:
> 
> On 7/11/19 3:03 AM, Christer Holmberg wrote:
>> Hi,
>> ...
>>>> All I am saying is that one should not send a token to someone that it has NOT been issued for.
>>>        Then you are saying that a token should *never* be included in a request
>>>    to a target for which you have not received a challenge some time in the
>>>    past.
>>>        That is a bit extreme, but I guess you can specify that if you think it
>>>    is the right thing to do.
>> That is my understanding of the generic OAuth security considerations: you don't give a token to someone it was not intended for.
>> Of course, if you know (based on whatever configuration/policy) that it's ok to give the token to the target I guess you could do it.
>>     
>>>    But note that this logic won't always work for Proxy-Authenticate. You
>>>    *might* know that a particular proxy will be visited (if it is mentioned
>>>    on a Route header), but it is pretty common for the request to visit
>>>    proxies unknown (at least in advance) to the UAC.
>>   It is important to remember that, since the token needs to be protected, a proxy needs to have the associated protection credentials to be able to access the token.
> 
> I'm lost here. How is the token protected? Is it because it is passed by reference, and other credentials are needed to dereference it? Or is it passed by value but encrypted?
> 
> If it is protected, then why is there any concern over who it is given to?

Normally most tokens are just digitially signed, but clear text. It can be encrypted, but then the auth server need to know which key pair to encrypt it with, which in turn means
that the client needs to tell the auth server that which leads to a requirement to have parseable access tokens.

Again, let’s stop talking about “the token”. That will confuse ourselves and other readers. Thanks :-)

/O

v2.23.0 | Report a Bug | By Email