IETF Logo Mail Archive

Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 11 July 2019 15:13 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50832120134 for <sipcore@ietfa.amsl.com>; Thu, 11 Jul 2019 08:13:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RsEgEkPEuckI for <sipcore@ietfa.amsl.com>; Thu, 11 Jul 2019 08:13:37 -0700 (PDT)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-ve1eur02on0619.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe06::619]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C89FB12004E for <sipcore@ietf.org>; Thu, 11 Jul 2019 08:13:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EP8mBhI64/8GbVOajEQbK2zPduLKtx8U4yWsJV6u6uuFl8XB2JsyXyUzrwAt+JS44phsl6E87pCEwtJMGzcuIgPMwkADa2AafdAKB6e2SCFw0FJLg6MpVOrgVZ8ctLAKt4Il1BP0fkX5G/tXX1NTK72ZhAucMLL231C6oELBzooGEOVgEQR5R9aIDHqf6sRMQmoC8iUnuLpjrW9aFgo2gbIu0QDVSH0m2rMuQmJPymwu3ijBKuW0Yl0McOkfOxFvDVlr3Zf2eHaSO3D04a4IkWSpa8tWMHweNd4D+4aBevwc21e/pwW3NH4KOv7gBJhhzbtISsaAJfYrks2T3K1Naw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=i6b/CHOwAoMjmQfPGBzDJO5DlAj6c963ABd2QeJmZrs=; b=XWbe6Iuh/i9e5UofX1fA+TDR+2z7O9oEg/B49J/Di4/jKer42gU3lG+ZjbNpSeNG66G6nv4gTdqyNR7akHuBYuMFp7uEm9ZaBGjds34paLaE30Mrb+5AQgmOp5Qpwa3qHxap79ksPAgSuxh6dKCk4MsxgcXt2iLNcT+ucfTqxFFCuZmGvduFilJWpQwX0r+azWrakuVQMgOurnb3CHl/lBv+CFs7ZSxrGdj2FviHTW4RVLq4cROsj6FvynaeVczsaqf+bledqvCf5KCYRvE/fsAt3kUl4k9J8B8Y7pH5OEhVzwdXuDz3dPeoqD2SMDCaEPlMYHgfoEBi1z0HVCrGXQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=ericsson.com;dmarc=pass action=none header.from=ericsson.com;dkim=pass header.d=ericsson.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=i6b/CHOwAoMjmQfPGBzDJO5DlAj6c963ABd2QeJmZrs=; b=hjtCdj6lQZVX6XmVrrO2BXQMwC58wkpFaMv/h643XMFd/YCWcHQqKDuc8E52OY0RbhOjYphz3wuvIr7WtxikooVtHa26A3914vI9d1TAAuKjaum9Mn+m+uuoPoQHMHR4IzAY/bbSZ8t2iT5KuzCPYrhXHzDGIdwZB8gA1ihTMAo=
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com (10.170.245.23) by HE1PR07MB3290.eurprd07.prod.outlook.com (10.170.246.33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2073.10; Thu, 11 Jul 2019 15:13:33 +0000
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43]) by HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43%5]) with mapi id 15.20.2073.008; Thu, 11 Jul 2019 15:13:33 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "Olle E. Johansson" <oej@edvina.net>
CC: "sipcore@ietf.org" <sipcore@ietf.org>
Thread-Topic: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
Thread-Index: AQHVNLWxruT/m/C2REGBvr04oIfCDqa/Al8AgAHwRACAACa0QIAAOvWAgACKbgCAAH00gIAARqSA///Z+ACAADMUgP//1TCAgABAXACAATj+gIABDXaAgAA3igD//9RDgAALc6uA///Q/4CAADuIAP//1FUAgAA3WQD///38gIAANg6A
Date: Thu, 11 Jul 2019 15:13:33 +0000
Message-ID: <8A712633-C587-40B7-9D8A-63AA9B636580@ericsson.com>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu> <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com> <5bb63c0c-130d-7f69-10b0-1ed1b274cc58@alum.mit.edu> <87AD4BB8-CE77-4FD7-BB72-6643DF513058@ericsson.com> <168b1354-b35b-edee-e5f9-d4ddbecfae40@alum.mit.edu> <607A513F-8616-4777-8B5E-59390E845709@ericsson.com> <b6ca4c79-5a17-10da-3882-20bc8b0e9b98@alum.mit.edu> <5ABB2F7B-8928-4581-8AAD-C8EFDBE95F7E@edvina.net> <99649808-9894-42B4-ADD1-52D0F70A3FB3@ericsson.com> <BCFE43BD-86FF-457E-9006-1DA7C8F3F6BE@edvina.net> <C3BFE2FE-0797-4E54-BAD4-B24E32CB183F@ericsson.com> <BD0B9B14-1E35-42C4-BF51-430C7E052145@edvina.net> <C5597D63-1B58-44D0-A2CE-4170CC1BE23E@ericsson.com> <7CE54346-6558-4605-A5DB-84C539400A19@edvina.net> <1C6CBDE3-EAD4-4470-A528-8EDA7F2487D2@ericsson.com> <D07B6838-8697-40B2-B191-1B8C411D8838@edvina.net>
In-Reply-To: <D07B6838-8697-40B2-B191-1B8C411D8838@edvina.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1a.0.190609
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [89.166.49.243]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d72ef25f-6a42-4631-f0ff-08d706125745
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:HE1PR07MB3290;
x-ms-traffictypediagnostic: HE1PR07MB3290:
x-microsoft-antispam-prvs: <HE1PR07MB3290157FF0F783C8FBC0C5F093F30@HE1PR07MB3290.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0095BCF226
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(366004)(396003)(39860400002)(376002)(136003)(189003)(199004)(478600001)(8676002)(256004)(186003)(14454004)(8936002)(81166006)(81156014)(6436002)(25786009)(6116002)(76176011)(14444005)(3846002)(6506007)(102836004)(26005)(7736002)(305945005)(486006)(86362001)(44832011)(99286004)(446003)(11346002)(229853002)(6916009)(4326008)(2616005)(476003)(6486002)(76116006)(66446008)(66556008)(53936002)(66066001)(36756003)(64756008)(66476007)(71200400001)(6512007)(6246003)(33656002)(5660300002)(316002)(58126008)(71190400001)(68736007)(2906002)(66946007); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3290; H:HE1PR07MB3161.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: CyEkWotskl8WzlNbtUDB0jf8t2wLlvWbz6GRK4f0j1nzeiT5UveSMhxCXEVzs3ybq7vOmIO+gBbsZIxcgTF3M6mJnuOBeQqZ5zf+TqdJ/rpW8G2Y9c9dMTeXOncYOsfZ7GsPSYXG0LpzHKnKXWMKLzdCaZwl2RbqVfjUYUMwWeBzpY8S/fbWRFxJoP/Oiu2eebKDs2foGaEziA3nHUawb5XwQ3Mxga3M/pgMhHxPzd47vffb8kOlY2e9IVIHtQb4bJVYwDDtPqb7HSwogEOXr+KUGKSVOEF9ociMqCr5BdAKNURLK1jUMCarxBGM2Hj4ZFoUq+UvJjHiuPtiTKvlk4yCVzHPqk0Fncw1yg6zgEfGl0NL9YE60v2DYRbkH9g07F16/j0VUooiuV3O1jCxVpaJ/Yf/caGjJekEM8vUYOM=
Content-Type: text/plain; charset="utf-8"
Content-ID: <49710FC0358B284C86EBA058429E530B@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d72ef25f-6a42-4631-f0ff-08d706125745
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jul 2019 15:13:33.8454 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: christer.holmberg@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3290
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/1v-N8xUXQ8GS5gi7OxBJI_IbcC8>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2019 15:13:40 -0000

Hi,

    >>>>>>>>> The tokens generally, but if I understand it right not always, are JWT structures that contain various data. In 
    >>>>>>>>> OpenID connect both the access and identity token are JWTs.
    >>>>>>>>> We can either specify specific claims that  are standardised for various SIP functions or let that be open for 
    >>>>>>>>> the SIP implementors to specify or a combination. 
    >>>>>>>> 
    >>>>>>>> For backward compatibility, we should at least let SIP implementors specify
    >>>>>>> Maybe, but at least we should write something about the usage of claims and scopes.
    >>>>>>> I think a base level for this draft is specifying a way to say “this access token is valid for SIP usage” or
    >>>>>>> “this is also a SIP identity"
    >>>>>> 
    >>>>>>  Perhaps we can add some text about scope and claims, but I don't want to mandate usage of specific values, because that 
    >>>>>>  may not be backward compatible with existing implementations using JWT. 
    >>>>> 
    >>>>> We can mandate *if* the access token is a jwt (and there’s an identity token like OpenID Connect). 
    >>>> 
    >>>>   It may not work with existing implementations that DO use JWT access tokens (not sure whether they use OpenID Connect, though).
    >>> 
    >>> Ok, you are making me interested - what are these implementations?
    >> 
    >>   Unfortunately I am not able to give information regarding that.
    >> 
    >>> When writing a new standard document, should we really be blocked by pre-standard implementations? I would assume that we
    >>> should be inspired by them, learn by their experiences, but not be hindered by them. 
    >> 
    >>    The implementations are based on earlier versions of the draft.
    >> 
    >>    And, yes, there is the old saying that one should not deploy a draft before the draft becomes RFC. 
    >> 
    >>    But, in this case, the first version of Rifaat's individual draft was submitted in 2014. Then, for whatever reason, it took 3(!) years before it 
    >>   got adopted, and after that we have so far worked on it for two years. How long is one expected to wait for an RFC before deploying???
    >> 
    >>     Of course, if something is broken we need to fix it. But, I don't think what you suggest is fixing something that is broken, it is adding new 
    >>     functionality. And, I have no problem with that, as long as it is backward compatible.
    > 
    >   
    > Christer, 
    > I’ve been thinking about this. We are almost in the same situation as the old discussion about the DIversion: header. While waiting
    > for another better solution, that’s what all of us implemented. Then came SIP HIstory and we had no docs to refer to for interoperability…
    > The old draft was later published as an informational RFC.
    >
    > Can we look into the same solution? Publishing the current draft wiith minor nits as an informational RFC that your implementation is compliant with
    > and then work on something more up-to-par with current OAuth2/OpenID connect BCPs and thinking?

    I really think that is an unfair request, considering how many years some of us have been working on this, especially since I don't think the current solution is broken.

    Yes, there are lots of things that need to be clarified, and some things may be added, so let's first try to do that and see where it takes us.

    >As an example: When reading the docs I see ways of protecting the access token so that only a specific service (read SIP domain)  may decrypt and
    >use it. That way we don’t need to disallow forwarding of SIP messages with a bearer token, as the token will be useless beyond that point.

    JWT gives you that property, doesn't it? There is nothing in the current draft that forbids or prevents you from using JWT. As we noted earlier, it's probably 
    what most (all?) people are using anyway.

    > Starting to go down that road, wlil definitely mean that we leave the implementation you currently have behind. And that is just
    > one issue. The other is having a parsable access token, which I think would be a requirement to follow the BCP and propably to get through
    > the hole security audit for any standard-track RFC publication.
    
    JWT is parsable :)

    Is your issue that we don't mandate JWT? If so, why don't we liaise (as you suggested earlier) with the oauth wg to see whether it would be safe to assume that everyone uses JWT.

    Regards,

    Christer

v2.23.0 | Report a Bug | By Email