IETF Logo Mail Archive

Re: [sipcore] Alexey Melnikov's No Objection on draft-ietf-sipcore-digest-scheme-12: (with COMMENT)

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Thu, 31 October 2019 13:47 UTC

Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2D4E120088; Thu, 31 Oct 2019 06:47:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AX7_W6oHiZeu; Thu, 31 Oct 2019 06:47:36 -0700 (PDT)
Received: from mail-io1-xd2a.google.com (mail-io1-xd2a.google.com [IPv6:2607:f8b0:4864:20::d2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBF44120043; Thu, 31 Oct 2019 06:47:35 -0700 (PDT)
Received: by mail-io1-xd2a.google.com with SMTP id p6so6773306iod.7; Thu, 31 Oct 2019 06:47:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=r+bL0rh2ZfU6x6ptzZPCMmIkPwbN03KPD7u488sO400=; b=cVKieLzez9xD79E3T0lxTwwJHPQ6dUv8XjEs8iUQIBdsadfXwI+23/rO57Iir88dCc g6RF69hvCDLd9e1YcGxvEafcAMld5STUt5n/2GWFrDIYADfL1HLs6Dc/khwKhHZsOOgy hAi13OkrNI5QXmI8lEtfd3JeQytMW2ZGTpDzn8zWy03kO84nn2BY4wJNGzKefIpAAiwB wncKopruYaMB5GUnTHJ9JuVc5vSLbxE7UabRP0nYCi90nyUC6EGaF4XmuWgX1W6aAPu7 IFK0Dg7WRm6mZUzoK3ah1hppltfQXJ7+nu9p4xJ31w1y6o770+5Ae2IxSOPelOSu1CjD DK/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=r+bL0rh2ZfU6x6ptzZPCMmIkPwbN03KPD7u488sO400=; b=eBS03Wvbw3NXlFZGJcmhdYUD/z35Jaxo86TerMpYFVs/PBVegeNiihjf/Uc/yneW0K SK+E7QcNG8mRIftjLYumejUMnUsRtKilDShlBjKxFq68CllwBtVRu9k6DP8OcXPpYDzE /dQOOHy4xbZ1KWQ+G7Rvpp4lcnYHOE3zQ51WFscD3Mf7tE7TcIecermmkrptM9J6NJdf VA/FdWAdRxfGLUOL3cDe4GOzWJK7XtgkhiDZ2dM8a3c8Q0+FGU2yKmflfAyoVvVlfApC olZdVibyoowd6Y9839CIscnXjXpFlrFHGgDoRvUuopu+bSdyZFafEHduupTNs1X7H0VT D4xQ==
X-Gm-Message-State: APjAAAVZitSA0HlTY6VXWmqlICitlhpYsHqpCP7xzef/6AIN+OEXG/mY kT6u7Shw6qdH2BV/XnacJvzf30GdGvRGSroCsoo=
X-Google-Smtp-Source: APXvYqxifAxt6d+XneDBpES1wk/wViEqn+X/isPBchlUN5vQxJmzeQbpN5Mvw5G40sUd1OvAs2s8kRiGnsdnK03IJ0c=
X-Received: by 2002:a5d:8994:: with SMTP id m20mr4896992iol.36.1572529655106; Thu, 31 Oct 2019 06:47:35 -0700 (PDT)
MIME-Version: 1.0
References: <157245577700.32490.10990766778571550817.idtracker@ietfa.amsl.com> <CAGL6epJgyr_VUYgKCgxDcP5ObKWErtDCHxaX7JusUYPXu=a6jQ@mail.gmail.com> <a9ebadcc-36ae-4bdb-af69-05486eef2569@www.fastmail.com> <CAGL6ep+AK4BuGZ2Y1RMsomAYGLiy2NbEHgm5-941FLVKS6bY9Q@mail.gmail.com> <6ec209ae-72e9-4dd1-8d68-3ee1704f3d92@www.fastmail.com> <CAGL6epLQS9xqHybZLTk1qM4i_LaDWVk8-iF0-0e_osf271R_Rg@mail.gmail.com> <7B4921E1-66A3-4D6D-A943-8EC0F44195CC@ericsson.com>
In-Reply-To: <7B4921E1-66A3-4D6D-A943-8EC0F44195CC@ericsson.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Thu, 31 Oct 2019 09:47:23 -0400
Message-ID: <CAGL6epLrJYPaaYwFQjP8Lk3Uc3PUogtfPyxE5FsoTMJs3GvsgA@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: Alexey Melnikov <aamelnikov@fastmail.fm>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "draft-ietf-sipcore-digest-scheme@ietf.org" <draft-ietf-sipcore-digest-scheme@ietf.org>, The IESG <iesg@ietf.org>, SIPCORE <sipcore@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007dd1ab05963517d2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/26srzzqfKl8vCEAcd86KAEm3LOw>
Subject: Re: [sipcore] Alexey Melnikov's No Objection on draft-ietf-sipcore-digest-scheme-12: (with COMMENT)
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Oct 2019 13:47:38 -0000

Christer,

This IMS behavior would have been in violation of RFC3261 which specified
exactly 32 Hex characters.
So, this change should not make much of a difference in this case.

Regards,
 Rifaat



On Thu, Oct 31, 2019 at 9:37 AM Christer Holmberg <
christer.holmberg@ericsson.com> wrote:

>
>
> Hi,
>
>
>
> The reason for the empty value comes from IMS and AKA, where you need to
> include the user id already in the initial REGISTER request (this seems to
> be missing from RFC 3310, but that’s a separate topic) in order for the
> server to create the challenge,  meaning that in the initial REGISTER
> request you include an Authorization header field with the username
> parameter carrying the IMS private user identity, the realm parameter and
> the uri parameter. At this point you obviously don’t yet have the response,
> so in IMS it is specified that the response parameter is inserted with an
> empty value.
>
>
>
> WHY it was specified that way (instead of simply not including the
> response parameter) I don’t know, but I do know that it has been
> implemented and deployed that way for many years.
>
>
>
> Regards,
>
>
>
> Christer
>
>
>
>
>
> *From: *sipcore <sipcore-bounces@ietf.org> on behalf of Rifaat
> Shekh-Yusef <rifaat.ietf@gmail.com>
> *Date: *Thursday, 31 October 2019 at 15.20
> *To: *Alexey Melnikov <aamelnikov@fastmail.fm>
> *Cc: *"sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "
> draft-ietf-sipcore-digest-scheme@ietf.org" <
> draft-ietf-sipcore-digest-scheme@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>,
> "sipcore@ietf.org" <sipcore@ietf.org>
> *Subject: *Re: [sipcore] Alexey Melnikov's No Objection on
> draft-ietf-sipcore-digest-scheme-12: (with COMMENT)
>
>
>
> Done.
>
>
>
> On Thu, Oct 31, 2019 at 9:13 AM Alexey Melnikov <aamelnikov@fastmail.fm>
> wrote:
>
> On Thu, Oct 31, 2019, at 1:11 PM, Rifaat Shekh-Yusef wrote:
>
> Hi Alexey,
>
>
>
> I am fine with Paul's suggestion.
>
> Are you ok with "32*LHEX"?
>
> Yes!
>
>
>
> Thank you,
>
> Alexey
>
>
>
> Regards,
>
>  Rfaat
>
>
>
>
>
> On Thu, Oct 31, 2019 at 7:22 AM Alexey Melnikov <aamelnikov@fastmail.fm>
> wrote:
>
>
>
> Hi Rifaat,
>
>
>
> On Wed, Oct 30, 2019, at 9:50 PM, Rifaat Shekh-Yusef wrote:
>
> Thanks Alexey!
>
>
>
> I am fine with the first two comments, and will fix these in the coming
> version of the document.
>
>
>
> I am not sure I follow the 3rd one. Why do you see the need for a minimum
> number of hex digits?
>
> You do say that the number of hex digits match the hash lenght, so it is
> probably Ok. However empty value is never valid (and I am worried it might
> hit some boundary condition bug in implementations), so prohibiting it in
> ABNF would be the best.
>
>
>
> Best Regards,
>
> Alexey
>
>
>
> Regards,
>
>  Rifaat
>
>
>
>
>
>
>
> On Wed, Oct 30, 2019 at 1:16 PM Alexey Melnikov via Datatracker <
> noreply@ietf.org> wrote:
>
> Alexey Melnikov has entered the following ballot position for
>
> draft-ietf-sipcore-digest-scheme-12: No Objection
>
>
>
> When responding, please keep the subject line intact and reply to all
>
> email addresses included in the To and CC lines. (Feel free to cut this
>
> introductory paragraph, however.)
>
>
>
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>
> for more information about IESG DISCUSS and COMMENT positions.
>
>
>
>
>
> The document, along with other ballot positions, can be found here:
>
> https://datatracker.ietf.org/doc/draft-ietf-sipcore-digest-scheme/
>
>
>
>
>
>
>
> ----------------------------------------------------------------------
>
> COMMENT:
>
> ----------------------------------------------------------------------
>
>
>
> I am agreeing with Alissa's DISCUSS.
>
>
>
> Also, I have a few comments of my own:
>
>
>
> 1) Last para of Section 2.1:
>
>
>
> 2.1.  Hash Algorithms
>
>
>
>    A UAS prioritizes which algorithm to use based on the ordering of the
>
>    challenge header fields in the response it is preparing.
>
>
>
> This looks either wrong or confusing to me. I think you are just saying
> here
>
> that the order is decided by the server at this point.
>
>
>
>    That
>
>    process is specified in section 2.3 and parallels the process used in
>
>    HTTP specified by [RFC7616].
>
>
>
> So based on the above, my suggested replacement for both sentences:
>
>
>
>    A UAS prioritizes which algorithm to use based on its policy,
>
>    which is specified in section 2.3 and parallels the process used in
>
>    HTTP specified by [RFC7616].
>
>
>
> 2) Last para of Section 2.4:
>
>
>
>    If the UAC cannot respond to any of the challenges in the response,
>
>    then it SHOULD abandon attempts to send the request unless a local
>
>    policy dictates otherwise.
>
>
>
> Is trying other non Digest algorithms covered by "SHOULD abandon"?
>
> If yes, maybe you should make this clearer.
>
>
>
>    For example, if the UAC does not have
>
>    credentials or has stale credentials for any of the realms, the UAC
>
>    will abandon the request.
>
>
>
> 3) In Section 2.7:
>
>
>
>       request-digest = LDQUOT *LHEX RDQUOT
>
>
>
> This now allows empty value. I suggest you specify a minimum number of hex
>
> digits allowed in the ABNF. Or at least change "*LHEX" to "2*LHEX".
>
>
>
>
>
>
>
>
>
>

v2.23.0 | Report a Bug | By Email