Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - COMMENT
Christer Holmberg <christer.holmberg@ericsson.com> Mon, 27 April 2020 16:23 UTC
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D1A03A0E91; Mon, 27 Apr 2020 09:23:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.921
X-Spam-Level:
X-Spam-Status: No, score=-2.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.82, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wXQMgJPj8_iq; Mon, 27 Apr 2020 09:23:44 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130050.outbound.protection.outlook.com [40.107.13.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C240E3A0E85; Mon, 27 Apr 2020 09:23:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mPWKAEtJnYBYnQpA23kNPM/2YDYzqAVX3zYLY9MRRKS6u+La4tUQsA+q5lOdFjSJr6DCZ+t0BbpbUdcX003AWXHH0fzO9D6Mv5VErE6yECzEJNAmCgqhEpApwQVqBJyImBIVA6XIJX9zYOzLA5TSrxD3KBNnXzJQAcNYoxE4nZEzbO5cAuZjbN0jjNnj8qqZRIoGCivY3+7kMZt/tACRAA8Z9L5Iko/M5eqAfT6YUcTBgqh9v6nD2L2sv3LhPWfkf5L2VUmN+IDXngnmBBX5WIjz6tTzZVS2BVFX10+r+19E4oUEOy4S1IjDxzY3JvHVwCOpC7sSW4cg9aG1qKMhYQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WhgazEK26tkG8aXVqAVz+CHSozyBdl99S2WhMSGznkE=; b=gkMbubBj70qSdMCy3rfZAvflZiPcgmSBr/VioMGL6COZvoQ7FeoAER2nK7H0YnZJHAsTFhOZq2EPqkUiRxip8TMch9E54cFgYcbzesAlVPjtAP/2GlcQi4GhwZowzptY7pWmGEosvOzU1QlfOK5xRTEmLXVfWsStftt3PE+cJPZZS22FBm/smQTwCYHXFIhA4OJcys7/TTzLP4ml8Np6KghbB83QGxdjk/PaqOqDddSnl8TSUXTBSv1SPKnUPam4BizEa2+8I2XYXTp/cJ8Y7InA/9oyTPnOpSTC+Ae0dLsUYMQGew+5I8TylprOK7lK/K7+ppMcKpJadTiSPUX7pQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WhgazEK26tkG8aXVqAVz+CHSozyBdl99S2WhMSGznkE=; b=ruMqllAypebmQk/1HpSGFUDIde6sxyJJdfdQ8cD1rp207fFcDKvQSuHLycpYRIF1MnSNt0Oa0ITQn4q+K5OVQ58B1/XYZQR+FT2p3Xol2NDAbQTwy5wNpEuRI4NJJeIvQYudyOfhqKaB7jj2DUgD0T6FIwalrJOH85P+jNkTJ1E=
Received: from AM7PR07MB7012.eurprd07.prod.outlook.com (2603:10a6:20b:1bc::19) by AM7PR07MB6706.eurprd07.prod.outlook.com (2603:10a6:20b:1a6::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2958.9; Mon, 27 Apr 2020 16:23:32 +0000
Received: from AM7PR07MB7012.eurprd07.prod.outlook.com ([fe80::4c:e502:13cf:87a8]) by AM7PR07MB7012.eurprd07.prod.outlook.com ([fe80::4c:e502:13cf:87a8%4]) with mapi id 15.20.2958.014; Mon, 27 Apr 2020 16:23:32 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: The IESG <iesg@ietf.org>, "draft-ietf-sipcore-sip-token-authnz@ietf.org" <draft-ietf-sipcore-sip-token-authnz@ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "sipcore@ietf.org" <sipcore@ietf.org>, Jean Mahoney <mahoney@nostrum.com>
Thread-Topic: Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - COMMENT
Thread-Index: AQHWGbKxu2gQq0gnZkyF4LBa/O+0aqiIuAgAgABi2YCABA7WgIAANY+A
Date: Mon, 27 Apr 2020 16:23:32 +0000
Message-ID: <E262D171-1843-4A4C-9768-7075B05F24F4@ericsson.com>
References: <31B5AC00-A9C5-4F02-8111-2ED9EB1D10D9@ericsson.com> <20200424201954.GY27494@kduck.mit.edu> <DD534BF8-7BE8-41DC-A553-502AB906E16E@ericsson.com> <20200427161149.GX27494@kduck.mit.edu>
In-Reply-To: <20200427161149.GX27494@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1e.0.191013
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [178.55.150.213]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: db03dcb4-d82b-4b3c-e8be-08d7eac753c4
x-ms-traffictypediagnostic: AM7PR07MB6706:
x-microsoft-antispam-prvs: <AM7PR07MB67061F5124308623F7AD269393AF0@AM7PR07MB6706.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0386B406AA
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM7PR07MB7012.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(366004)(136003)(376002)(346002)(39860400002)(91956017)(66946007)(76116006)(6506007)(6486002)(66476007)(66556008)(64756008)(66446008)(4326008)(33656002)(2616005)(44832011)(186003)(2906002)(8676002)(6916009)(478600001)(6512007)(26005)(966005)(8936002)(81156014)(86362001)(36756003)(54906003)(5660300002)(71200400001)(316002); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: sv4WrNyEwuKUkijOWSLSmMykM6I4FQhdbKvyBFxuXgbRzsmLNxgfhHlxjzTTVxTBRqy9ZelOM5h/3gAFX+LBezuubWPlClGCJ84ufFVyFGCRxiHYI3mh5dfCtLi2QrxqnHhExoLhChUJVIZgV2EfSl13XKDiFDsnBXbfBMkuEWcDYQPCuzd0EwToR8nb294KL+f2sw6Kq8UKULB455kK9EiMBvU+1LAJ24PHR2Vm4M479GuPG+7TrwUc9/2/8QG+8Bj3+KAhBApGw8Wd2dHxe1BV3RR81N3n+qS+rq2RcLoGZe8CnMEiRJq037XJEd7dOgVmL7ulnk/YLBg3MR3dLVjwIG083KXka12fmK0LN8wy4LapP17IMLJHRxr/9fUgGmm0ddPKH4Q4xovUiNkhuVxN2R1mHytzWD7awnYxwwQdTQjXdVepdi14DBKzMEdBQVGbkl7YHBTDaZBp/T6JesakdsKbEUqxsHeorsrVEGscRJdBdeh1lJ4rrIhvkuxPSm/24/aaBnOZiPePVLc19A==
x-ms-exchange-antispam-messagedata: DARBbsO2QZqJRel88SP0Huo1z1SX6cBHj9vKmNvfW/p5nf0U2xryRMPB72g19V23gvoN609mdAhzgLGzNyKMzh5uWxhZrhdUAOTpowk2TTVCT2saL793wPOtfPqqq5A0cmRFROQC+bSC0ggl9w6cydoCCjfvyeLM4Ep5pOLNpU61c4KCSxRxi5IzG2XIdDK101IsOA3CG5X3Ni6HMgUC26/LLkflOBjfRiTw922pXct0teBVKvC9F8II3GVqi6pVtXxjLiTOR989WKb9Xw6zAZUBIJGWeWPJXWUKAHsiiakhEOcxYNhqmtlD8GJ5TnTbdZTUEIjBYFvhCCjJDI5JSogSFOEvS2XHE0ztAJzs/S+vW1/U7K+HMQCnvJSzL1YTxDrMCPZ9QZZrv0pIeH3dRG+mLbbae7IHxo03+F2SZPUoPfB57V26POE1vTuiKrm2RpqY4oYNuannof1gojhlWN088zxro3KNeoJkYzVAu0bJq/QhFlFuXww8csyjJQottvpbnxOZLPi6PF7jPoSFo6hvxS0KaaaLoyPAtRYNoH1ZvswNIHT0cImFo/3u96dWO/iLpNu8O34c6t/7w8l8LIsSiy5wu5L7GjTFopcjABxjVbuTQH84p9CTDu5VC0zgMe1aJU0HwKmoBgQzDnWnf6fO235iaZIjAZVBnyXIiB1/dCo1X2ftN3s65izHVR0bHx+1dEXP/qNGoa+lEkIK8KEzxm0DisoUslJGF60JrV5ZsP0RjkM8OiyFBEUXe7I7zlXMNa2ew4KsnoCMI+QitFlka7TF3Kwxq0agJu0grEk=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <F69C19074E00B14FAB1DD8D818141F67@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: db03dcb4-d82b-4b3c-e8be-08d7eac753c4
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Apr 2020 16:23:32.0332 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: mZhw2SvSPSfFcYF1YHjo01nTonWfjn61c3iZkixrznNqulxl9ZFaP0jgV362DQazcK+V9HJwsJUwH6G3Gn7cg/bimcUxhDBkEZyk1Fjb54Y=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR07MB6706
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/0MgW2cjjtqghRZlg-7bdzSIcbmk>
Subject: Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - COMMENT
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Apr 2020 16:23:47 -0000
Hi Benjamin,
----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------
>>
>> ...
>>
>> Section 1.4.1
>> ...
>>
>> >>> The registrar validates the access token. If the access token is a
>> >>> reference token, the registrar MAY perform an introspection
>> >>> [RFC7662], as in steps [5] and [6], in order to obtain more
>> >>> information about the access token and its scope, per [RFC7662].
>> >>>
>> >>> I think we could tighten up the normative language a bit here.
>> >>> In particular, the registrar MUST validate the token in some fashion; for
>> >>> reference tokens, the main ways to do that are either inspection or
>> >>> (essentially) being the party that issued the token in the first place.
>> >>>
>> >>> Otherwise, after the registrar validates the token to make sure it
>> >>> was signed by a trusted entity, it inspects its claims and acts upon
>> >>> it.
>> >>>
>> >>> I think we can also be more specific than "a trusted entity" -- in this
>> >>> flow, it looks like the registrar should know exactly which entity should
>> >>> have signed the token in question (for the user in question), and should not
>> >>> accept a signed token from a different entity that happens to be trusted to
>> >>> issue other tokens.
>> >>
>> >> The text in Section 2.2. mandates the validation:
>> >>
>> >> "When a UAS/Registrar receives a SIP request that contains an
>> >> Authorization header field with an access token, the UAS/Registrar
>> >> MUST validate the access token,..."
>> >>
>> >> I don't think we should put too much normative text into the example flows.
>> >
>> > Perhaps we should just say "validates the token" (and not "to <do thing X>") in this example?
>>
>> So, something like this:
>>
>> OLD:
>>
>> The registrar validates the access token. If the access token is a
>> reference token, the registrar MAY perform an introspection
>> [RFC7662], as in steps [5] and [6], in order to obtain more
>> information about the access token and its scope, per [RFC7662].
>> Otherwise, after the registrar validates the token to make sure it
>> was signed by a trusted entity, it inspects its claims and acts upon
>> it.
>>
>> NEW:
>>
>> In step [4] and [5], the registrar validates the access token.
>>
>>
> That might be trimming down too far -- we lose the explanation of steps [5]
> and [6]. I was thinking more like:
>
> % The registrar validates the access token. If the access token is a
> % reference token, the registrar MAY perform an introspection
> % [RFC7662], as in steps [5] and [6], in order to obtain more
> % information about the access token and its scope, per [RFC7662].
> % Otherwise, after the registrar validates the token, it inspects its
> % claims and acts upon it.
>
> This level of detail seems okay to me because the dichotomy between
> "reference token" and "self-contained claims" is established earlier in the
> document.
I realized that my suggested text took away too much, and was going to suggest the following:
"The registrar validates the access token. In steps [5] and [6], the registrar
performs an introspection [RFC7662]. The introspection procedure is optional, and might
be performed by the registrar if the access token is a reference token."
But, I think the text you suggest is better :)
In addition, we were thinking about also indicate the optionality in the flow itself:
| | [3] HTTP POST /introspect |
| | {access_token} |
| | (OPTIONAL) |
| |------------------------------------->|
| | |
| | [4] 200 OK {metadata} |
| | (OPTIONAL) |
| |<-------------------------------------|
...
>> >>> I'd also suggest a quick note that TLS remains fine for protecting the
>> >>> UAC/AS interaction where the refresh token is used.
>> >>
>> >> I can do that.
>> >>
>> >> I could also say "*SIP* endpoints that support this specification...".
>> >
>> > Either sounds good.
>>
>> My suggestion was to do both changes :) Something like:
>>
>> "SIP endpoints that support this specification MUST use encrypted
>> JSON Web Tokens (JWT) [RFC7519] for encoding and protecting
>> access tokens when they are included in SIP requests, unless some other mechanism
>> is used to guarantee that only authorized SIP endpoints have access to
>> the access token. TLS can still be used for protecting traffic between
>> SIP endpoints and the AS."
>>
>
> Ah. Looks good!
Good :)
Regards,
Christer
>
> Section 2.2
>
> >>> authorization credentials acceptable to it, it SHOULD challenge the
> >>> request by sending a 401 (Unauthorized) response. To indicate that
> >>> it is willing to accept an access token as a credential, the UAS/
> >>> Registrar MUST include a Proxy-Authentication header field in the
> >>> response that indicates "Bearer" scheme and includes an address of an
> >>>
> >>> nit(?): I'd consider just making this a declarative statement, a la "the
> >>> UAS/registrar includes a Proxy-Authentication header field with the "Bearer"
> >>> scheme to indicate that it is willing to accept an access token as a
> >>> credential" (but that wording is incomplete and would need to be fleshed
> >>> out a bit more).
> >>
> >> I think that would be weird. Because, first we say that the UAS/Registrar SHOULD challenge, and with your
> >> suggestion the text would say that the UAS/Registrar MUST include a Proxy-Authentication header field even
> >> if it does NOT challenge the request.
> >>
> >> Perhaps:
> >>
> >> "If the UAS/Registrar chooses to challenge the request, and is willing to accept an access token as a credential, the UAS/Registrar MUST include a..."
> >
> > This version does get rid of the confusion about whether the MUST is
> > conditional that I wanted to address, thanks. (I see I didn't actually say
> > why I proposed the change I did, whoops.)
>
> ...
>
> >>> [RFC7519]. If the token provided is an expired access token, then
> >>> the UAS MUST reply with 401 Unauthorized, as defined in section 3 of
> >>> [RFC6750]. If the validation is successful, the UAS/Registrar can
> >>> continue to process the request using normal SIP procedures. If the
> >>> validation fails, the UAS/Registrar MUST reject the request.
> >>>
> >>> Is "expired" the only case that should get a 401 vs. outright rejection, as
> >>> stated here?
> >>
> >> 401 is sent also in the case where the validation fails. I will clarify that.
>
> ...
>
> Section 2.3
>
> >>> sending a 407 (Proxy Authentication Required) response. To indicate
> >>> that it is willing to accept an access token as a credential, the
> >>> proxy MUST include a Proxy-Authentication header field in the
> >>> response that indicates "Bearer" scheme and includes an address to an
> >>>
> >>> [same comment as above about normative vs. declarative statement]
> >>> Also, please keep the text parallel between sections -- this copy has at
> >>> least one nit ("address to an" vs. "address of an").
> >>
> >> I will fix this in the same way.
>
> ----
>
> Section 5
>
> >>> We should probably note that SIP makes much heavier use of proxies than is
> >>> common in the web world of OAuth.
> >>
> >> Maybe something like:
> >>
> >> "However, SIP makes have use of intermediary SIP proxies, and TLS only guarantees hop-to-hop protection when used to
> >> protect SIP signaling."
> >
> > Sure, that should work.
>
> ---
>
> > > Section 8
> > >
> > > I think RFCs 8252 and 8414 could be just informative.
> >
> > I can fix that.
>
> ---
>
> The changes done so far based on your IESG review can be found in the following pull request commit:
>
> https://protect2.fireeye.com/v1/url?k=8e6297cc-d2e8b503-8e62d757-0cc47ad93ea4-de384e701a508192&q=1&e=e601bbb4-7695-4c82-a11c-34b68b5109df&u=https%3A%2F%2Fgithub.com%2Frifaat-ietf%2Fdraft-ietf-sipcore-sip-token-authnz%2Fpull%2F7%2Fcommits%2F0fc655719d7e3cefc7417b382e7662c1d9c12dbb
>
>
> Regards,
>
> Christer
>
>
>
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Christer Holmberg
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Benjamin Kaduk
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Christer Holmberg
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Rifaat Shekh-Yusef
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Benjamin Kaduk
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Benjamin Kaduk
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Christer Holmberg
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Rifaat Shekh-Yusef