IETF Logo Mail Archive

Re: [sipcore] Comments on draft-ietf-sipcore-sip-authn-02

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Wed, 13 June 2018 13:30 UTC

Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BE65130EA1 for <sipcore@ietfa.amsl.com>; Wed, 13 Jun 2018 06:30:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lu0ORHhVAS09 for <sipcore@ietfa.amsl.com>; Wed, 13 Jun 2018 06:30:16 -0700 (PDT)
Received: from mail-vk0-x231.google.com (mail-vk0-x231.google.com [IPv6:2607:f8b0:400c:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 762EF130E37 for <sipcore@ietf.org>; Wed, 13 Jun 2018 06:30:15 -0700 (PDT)
Received: by mail-vk0-x231.google.com with SMTP id o138-v6so1508747vkd.3 for <sipcore@ietf.org>; Wed, 13 Jun 2018 06:30:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cZB7eg9/0jX4Q4OEOLkwKGypMsoglb0W2DRMpb5sgRY=; b=WERboS1/r6WGF56rvE+uBmgbtDirgB+ClPZnr6MTaVc//qrqSWPzUMqSN08iNcGACY CLSIVpF/66qDtczcpvqFIKv5b5Z/xfefJ3vaXHLkD/EI9JaKOEj2mZKpmVgLelXiBjIs m6ELx5faD1iyaj0ihT5ZwmXP+KEpxmCJ3b4wW3+YXRfDrTzIZavQ40vE9+OfJX7vQ4uR n7mvLJDpW2kHvn/uA0nkWc54aSNtLbz4yYGhmAhmGxwEO13zxeoGRU344ULEKy5UGfjU L02uE+hbPdafRFnHifxt+9N8rAW7zvV2gyV14KlXve/lNn0gn40RTgc35iqZbQy/oPzF 8zdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cZB7eg9/0jX4Q4OEOLkwKGypMsoglb0W2DRMpb5sgRY=; b=NWQjJtNHeUt5Qw3+KAIcg1IQ+jbD6YDaLmydSsuqtVT99YdfEQ+UIC7s3OykPeyKwv xZlbHTNtnAInRA4NRANHdvF1NCcYUhV4/wyyCZenQTuO4YUBfCmT2397B5Pbs8EGw1ux p5I27k1cyBHD232XLFAJMC8A9PAkgQVbIr/FZjsYfqKl0+VAKjWCweSfrTLH9jN2+SY5 059ws7ZR5e0Q32I4XQxGde6JiOGV3cSjPq0RTroSwn3qtvMM/1Yj5VM3wGmOhgxhwwIK iwCU07PGJXXP1T33Y5Wkkiz1d8SyZh2Vlqr6wrf0d4buas9db7V7SSLWGM9F5BtPBu2F vIfA==
X-Gm-Message-State: APt69E0eBCeCXCXs052Iq9IUQjGLdxGjlNsr8O4xNY/4jeDph4A3QTv5 GG4e86WAz9tUHsD2vkPVxfdca2YI1CttM/2q2ldvi5PH
X-Google-Smtp-Source: ADUXVKL5cygFyTjBq+FYGZdXx5KRRLtEcAY2XNKWSVwKHoc+stpa3gMbWGo43m1Dh+DqExPh4MKPoVKxv2EKK0Tcmbs=
X-Received: by 2002:a1f:de82:: with SMTP id v124-v6mr3021299vkg.92.1528896614081; Wed, 13 Jun 2018 06:30:14 -0700 (PDT)
MIME-Version: 1.0
References: <CAGL6epLiGUdnj6oiMA2ZfoQQf32jvW+xXVUW43J9JO1it9tfAw@mail.gmail.com> <87lgbjfmtm.fsf@hobgoblin.ariadne.com>
In-Reply-To: <87lgbjfmtm.fsf@hobgoblin.ariadne.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Wed, 13 Jun 2018 09:30:33 -0400
Message-ID: <CAGL6epKWLgqdZnH+XVXMSype7RNUv1UGNZ-n3Bxq47__ob82Hw@mail.gmail.com>
To: "Dale R. Worley" <worley@ariadne.com>
Cc: SIPCORE <sipcore@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000094ac35056e85fbb7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/0LaoNLHrVqYYdaSjq_IpVHaD87E>
Subject: Re: [sipcore] Comments on draft-ietf-sipcore-sip-authn-02
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jun 2018 13:30:21 -0000

Inline...


On Tue, Jun 12, 2018 at 10:21 PM Dale R. Worley <worley@ariadne.com> wrote:

> Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> writes:
> > (As a consequence, the meaning of the Location header in the 401
> >> response (section 2.1.1) is not fixed -- the UA is expected to do
> >> something with the value of the header, but there is no specification
> >> of what that is.)
> >>
> >> The missing parts are the ones that use the existing OAuth 2.0 mechanism
> > defined in RFC6749.
> > I will try to add more details to make it clearer.
>
> One suggestion is that the Location header in the F2 401 response should
> have a field parameter to indicate to the Agent the intended
> meaning of the Location URI, i.e., its the URL of an OAuth Authorization
> Server and should be accessed per the protocols in this document.
>

Will do.



>
> More importantly, a quick look suggests that where section 2.1 shows
> this
>
>      |           F2 401 Unauthorized |                               |
>      |              Location: AuthZ Server                           |
>      |<------------------------------|                               |
>      |                               |                               |
>      |                               |                               |
> >  The UA prompts the user to provide his/her credentials.           |
> >  The UA then, as per OAuth 2.0 protocol, authenticates the user to |
> >  the AuthZ server, and obtains an authorization code, which the UA |
> >  will later hand to the Proxy.                                     |
>      |<------------------------------------------------------------->|
>      |                               |                               |
>      |                               |                               |
>      | F3 REGISTER [authz code]      |                               |
>      |------------------------------>|                               |
>
> there is intended to be a reference to 4.1.1 and 4.1.2 of RFC 6749.
> 4.1.1 tells how the Agent is to construct an HTTP GET request, which
> starts the interaction between the user and the Authorization Server.
> Eventually, per 4.1.2, the Authorization Server sends the web client a
> redirection to a URL based on the redirect_uri parameter in the initial
> GET request.  The Agent recognizes that URL and extracts from it the
> authorization code, which it includes in the body of the F3 REGISTER per
> 2.1.1 in this draft.
>
> Generally speaking, I estimate that nobody reading this document will
> have prior knowledge of OAuth, so it would help greatly if you could
> provide the cross-references between the parts of the protocol described
> here with the sections of RFC 6749 that are incorporated into it.
> Currently, the document only says "The method used by the UA to obtain
> the code is out of scope for this document." which is generally used to
> mean "that part is not defined", not "that part is specified in RFC
> XXXX, so we won't repeat it here"!
>
> Sure.
I did assume that people are familiar with OAuth, which in hindsight it is
clear that was a mistake.


>> - The document doesn't give a clear statement of which requests are
> >> authenticated, what guarantees the authentication provides, or how the
> >> call flows might be used in authorizing requests.  The only use of the
> >> authentication/authorization information specified in the document is
> >> SIP registration, but I suspect the intention is that SIP requests
> >> carrying authentication/authorization can be forwarded to other server
> >> entities, which can validate the AA information to determine whether
> >> to service the request.
> >>
> >> This part is out of scope for this document.
> > We had a long debate on the mailing list about this, so we left it for
> > future documents.
>
> The problem is that if there's no specification of how this would be
> used to actually do something, you haven't answered the question "Why
> bother?".


> If I guess correctly, once the registration is set up (F3 in 2.1), then
> the proxy is expected to apply the "tokens" to any request that the
> Agent sends to it, before the proxy forwards the request to its
> destination.  If you would specify how that is done, I would see how
> this could be used in a practical system.
>
>
The main problem that this document is trying to address is the *Single-Sign
On*.
We would like to allow the SIP UA to use one set of credentials to
authenticate
and get access to SIP and non-SIP services.

With regards to the authorization part, take a look at the following thread:
https://www.ietf.org/mail-archive/web/sipcore/current/msg07223.html

Because we could not get to an agreement at that time, we decided to work
on the parts that there is agreement on, and that is the reason for this
document and its limited scope.

Regards,
 Rifaat



> Dale
>

v2.23.0 | Report a Bug | By Email