Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-authnz
Paul Kyzivat <pkyzivat@alum.mit.edu> Tue, 03 December 2019 18:18 UTC
Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60C7D120099 for <sipcore@ietfa.amsl.com>; Tue, 3 Dec 2019 10:18:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alum.mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V0yuaStWKJ59 for <sipcore@ietfa.amsl.com>; Tue, 3 Dec 2019 10:18:31 -0800 (PST)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-eopbgr760048.outbound.protection.outlook.com [40.107.76.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DFB112007A for <sipcore@ietf.org>; Tue, 3 Dec 2019 10:18:31 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=d6U4xGL9QUfgH3ITDBCxRsDD61ZpeIJyDkZczjumqoIb14wH4xjZKvQzQVtH/thBy90FFoX4jEPqTgzEpbzgPIKpLWPdjGV0E00hwn+i9fJcaYTNqXl65XtBmSH++Rw+uFEbJMf3Q16hhukvFTv8kWxlBlKq4WUP6xfM9QksOx62izq8gQpFfHuFucYhkJfzjMjbICzVNWQSaH4sJ/3nf1PA1NdMTPWcoY1SqiXqxg+ruj0r+88yQepJ+78qyvWTgQ/oH+rIQqhuq9MPfwqFzI19oZqAibqgjSlx4QnNMPKkFhOriBek5oaiaZzO+8QG7Kesdcn6UXIA3hoH88MUHw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GhTJlX/EiPUztNRFWHTdT5a5C1s5cFSjI3WARYMx1SI=; b=JVimiZe7aZozBTF7ucTQg8W3aghCwnKKG9i9gBGBjZDZOjSQyD7nKPQyMajfOe2/jITLedy0LZdHYm1qYHIg6cVtgjYGtxARftraQ4Ax90+D/f+JpQS+aEXbsGq6mzzteTT7GJmaXnuTF7nuWXnTrMeOP3+V/OwCssjw8OUyZAT4TFA5HzRryiU+QH3pgfPCrEpzoESaNB2VxKXeBUCLLR7McHyZKk95FN3Tbq0rGkGxgJ2FezYMd4M6r0bcE5a9L4PadDYcG+cKGMw1iove837CW2gkH7WQIt0BVDZBFs//PuNw6asNhWdkDnOs5RMQalWBX8iFrILe4TmCRvMXWQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 18.7.68.33) smtp.rcpttodomain=ietf.org smtp.mailfrom=alum.mit.edu; dmarc=bestguesspass action=none header.from=alum.mit.edu; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alum.mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GhTJlX/EiPUztNRFWHTdT5a5C1s5cFSjI3WARYMx1SI=; b=MOeXmi/i0BRB8uOL86hRDL7ctuUmLY58FiBs6tMC8EgNhagR9OzfsUyGy0FXshfWh14rQHWoofDT6FgdJOeTpszNIf1k/WguSDgnF1QYtlE0RUByCc/jpMkOqii+HluEbIG6BpEN7V0efrbH+oJTc3ed7IGBZGB8SyzIHNTKKAM=
Received: from MWHPR12CA0056.namprd12.prod.outlook.com (2603:10b6:300:103::18) by BY5PR12MB4097.namprd12.prod.outlook.com (2603:10b6:a03:213::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.17; Tue, 3 Dec 2019 18:18:29 +0000
Received: from SN1NAM02FT047.eop-nam02.prod.protection.outlook.com (2a01:111:f400:7e44::204) by MWHPR12CA0056.outlook.office365.com (2603:10b6:300:103::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2516.12 via Frontend Transport; Tue, 3 Dec 2019 18:18:29 +0000
Authentication-Results: spf=pass (sender IP is 18.7.68.33) smtp.mailfrom=alum.mit.edu; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=alum.mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of alum.mit.edu designates 18.7.68.33 as permitted sender) receiver=protection.outlook.com; client-ip=18.7.68.33; helo=outgoing-alum.mit.edu;
Received: from outgoing-alum.mit.edu (18.7.68.33) by SN1NAM02FT047.mail.protection.outlook.com (10.152.72.201) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.17 via Frontend Transport; Tue, 3 Dec 2019 18:18:29 +0000
Received: from Kokiri.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id xB3IIRvT019198 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT) for <sipcore@ietf.org>; Tue, 3 Dec 2019 13:18:28 -0500
To: sipcore@ietf.org
References: <9b7ddc2f-d54a-bbaa-8e56-276c8bed725f@nostrum.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <d7efa4c6-ac85-58ac-1c6c-5b09d955ab00@alum.mit.edu>
Date: Tue, 03 Dec 2019 13:18:27 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <9b7ddc2f-d54a-bbaa-8e56-276c8bed725f@nostrum.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.7.68.33; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10009020)(199004)(189003)(53754006)(356004)(7596002)(75432002)(2351001)(305945005)(2361001)(76130400001)(31686004)(6916009)(186003)(66574012)(58126008)(6246003)(70206006)(5660300002)(36906005)(106002)(229853002)(70586007)(6306002)(446003)(11346002)(2906002)(2616005)(956004)(53546011)(2870700001)(88552002)(65956001)(31696002)(336012)(14444005)(26005)(498600001)(2486003)(26826003)(50466002)(86362001)(8936002)(76176011)(966005)(246002)(8676002)(23676004); DIR:OUT; SFP:1101; SCL:1; SRVR:BY5PR12MB4097; H:outgoing-alum.mit.edu; FPR:; SPF:Pass; LANG:en; PTR:outgoing-alum.mit.edu; A:1; MX:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 56d9bc3c-c242-48ab-b5ef-08d7781d3271
X-MS-TrafficTypeDiagnostic: BY5PR12MB4097:
X-Microsoft-Antispam-PRVS: <BY5PR12MB4097AFF3B1EADB5A1CCE3D69F9420@BY5PR12MB4097.namprd12.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:6108;
X-Forefront-PRVS: 02408926C4
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: IpQBXxR2/jZagseoQeEaNl8JfxxLyzsy1AFo28OLWSGspAK2TBTfW7gexl+IULCz+Bz8C3aTFM3ZQi7VSe7GoBh/HnC84G5QwjwvezYFAoweYkox4mzZzbiNkS4dR+ECfOBaoH7d76AfYZimlnyJ+KqXAeh4eK4HsPBq6tAmMQxPkWNhn7xR7y2iihbZR1iYzXggSgTEQl688sSOaUK2NIuBBiGLN5JamGW/+/hg0SMw8TrUjWIuIgHQUrI07Jltn/zJQ6oFSrfCzAP8yz1Bkof3G20iEPdXdi+LYG2or+gy7sZNSyFUlFoIpAhdzEFvbfrSskML2ZEA0ghDT8gAV5hhbaF0gL+oMbrCOMJlv9cYWS3Rjw1zHAcMTz3GWN1hd2Ry813EPPfso3T5I4xEaKoJdzboTvy0yS18QE2U4K22bsT4Elfighv5pWVYMQcb33lX0RCgatcaNMun170Cg4PjdPTQ7GSxl5uOG95fv+w=
X-OriginatorOrg: alum.mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Dec 2019 18:18:29.0481 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 56d9bc3c-c242-48ab-b5ef-08d7781d3271
X-MS-Exchange-CrossTenant-Id: 3326b102-c043-408b-a990-b89e477d582f
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3326b102-c043-408b-a990-b89e477d582f; Ip=[18.7.68.33]; Helo=[outgoing-alum.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR12MB4097
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/3DICMng0HA62Gxl6ve8gluaZKis>
Subject: Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-authnz
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Dec 2019 18:18:34 -0000
I've just reviewed the document again, in full. There are still a number of areas that need work: * Section 2.1.1 says: The method used to authenticate the user and obtain these tokens is out of scope for this document, with one potential method is the Native App mechanism defined in [RFC8252]. The advantages of using the mechanism defined in [RFC8252] is that the user will be directed to use a browser to interact with the authorization server. This allows the authorization server to prompt the user for multi-factor authentication, redirect the user to third-party identity providers, and the use of single-sign-on sessions. My problem with this is: the challenge gives the UAC an HTTPS URL of an AS. It does not normatively state how the UAC is to use this, or what usage(s) the AS MUST support. Hence there is no assurance that the UAC will be able to successfully access the AS. This could be resolved by requiring that the UAC and AS MUST support RFC8252. Or perhaps there is some more expansive RFC that can be referenced. In the end there needs to be something MTI. * Section 2.1.2: You talk about local policy here, but which server's local policy are you talking about? I'm guessing that the AS provides a token containing whatever methods have been granted for the user, and the registrar can then use policy to decide what method(s) it wants to require for registration. Am I correct in assuming that the UAC doesn't play any role in this other than to relay the token from the AS to the registrar? And in this case why is this point being made in the section about *UAC* behavior? Can you please clarify the text here? * Section 2.1.4: This section says that the UAC MUST include an Authorization header field with the Bearer scheme. This is overly strong. This should be an explanation that *if* it has received a challenge containing the Bearer scheme then to resolve that particular challenge it needs to send a request with an Authorization header field containing the response to that challenge, including the Bearer scheme. (But note that if there were multiple challenges with different schemes then it maybe able to successfully retry the request using non-Bearer credentials.) I don't understand what distinction you are trying to draw by distinguishing the behavior for creating a binding from that for refreshing a binding. AFAIK there should be no difference. And in fact the UAC in general cannot know whether the request being send will establish or refresh a binding. * Section 2.1.5: This section has similar issues to section 2.1.4: The MUST is too strong, and the reason for distinguishing between in-dialog requests from others is unclear. * Section 2.2: Again is overly strong in its use of MUST. I think it is evident that the point being made is that a challenge containing Bearer scheme is the way to indicate that is with a challenge with Bearer scheme, but the text is at least awkward. How about: When a UAS or Registrar receives a request that fails to contain authorization credentials acceptable to it, it SHOULD challenge the request by sending a 401 (Unauthorized) response. To indicate that it is willing to accept an OAuth2 token as a credential the UAS/Registrar MUST include a Proxy-Authentication header field in the response, indicate "Bearer" scheme and include an address of an Authorization Server from which the originator can obtain an access token. In the second paragraph, please provide a reference: ... using the procedures from [RFC???] associated with the type of access token used. * Section 2.3: Similar comment to section 2.2. How about the following for the first paragraph: When a proxy receives a request that fails to contain authorization credentials acceptable to it, it SHOULD challenge the request by sending a 407 (Proxy Authentication Required) response. To indicate that it is willing to accept an OAuth2 token as a credential the proxy MUST include a Proxy-Authentication header field in the response, indicating "Bearer" scheme and including an address to an Authorization Server from which the originator can obtain an access token. I don't think the second paragraph should condition any behavior on whether it has previously challenged. That requires that the proxy be stateful, and it isn't a necessary condition. Instead, how about: When a proxy wishes to authenticate a received request, it MUST search the request for Proxy-Authorization header fields with 'realm' parameters that match its realm. It then MUST successfully validate the credentials from at least one Proxy-Authorization header field for its realm. When the scheme is Bearer the proxy MUST validate the access token, using the procedures from [RFC???] associated with the type of access token used. * Section 3: The following: The realm and auth-param parameters are defined in [RFC3261]. is incomplete, because it is missing 'challenge', 'realm', and 'https-URI. (Where is https-URI defined?) Another way to do this is by adding the following to the syntax: challenge = <defined in RFC3261> realm = <defined in RFC3261> auth-param = <defined in RFC3261> scope = <defined in RFC6749> error = <defined in RFC6749> https-URI = <where???> (This helps those who might try to formally validate the syntax because it removes undefined parameters.) Also, 'scope' and 'error' are very generic rule names being used in a very restricted context. While these are not defined in RFC3261, there is the potential conflict with other extensions. I'd recommend using more specific terms. E.g., challenge =/ ("Bearer" LWS bearer-cln *(COMMA bearer-cln)) bearer-cln = realm / bearer-scope / authz-server / bearer-error / auth-param authz-server = "authz_server" EQUAL authz-server-value authz-server-value = https-URI challenge = <defined in RFC3261> realm = <defined in RFC3261> auth-param = <defined in RFC3261> bearer-scope = <defined as scope in RFC6749> bearer-error = <defined as error in RFC6749> https-URI = <where???> Regarding the scope parameter: This parameter is conveyed from the registrar to the UAC. But what is the UAC to do with it? How does it have any control over the scope of the token it gets from the AS? Is the UAC supposed to convey this to the AS? If so, how? Regarding the error parameter: Is this just intended to be of help in debugging the UAC? Or is it expected that the UAC might take some sort of pre-programmed action in response? If the latter, how might that work? Is this information suitable for presentation to the user? * Section 4: I agree with Dale - I don't see any value in this tag. I tried to search for all discussion on the point. The discussion attributes me with requesting it, but I don't think I did. * Missing: I find no syntax extensions for Authorization and Proxy-Authorization. These need to be added. Thanks, Paul On 12/2/19 8:44 AM, A. Jean Mahoney wrote: > Hi all, > > Today starts the Working Group Last Call of > draft-ietf-sipcore-sip-token-authnz-06. > > https://datatracker.ietf.org/doc/draft-ietf-sipcore-sip-token-authnz/ > > The document has changed quite a bit since its predecessor went through > WGLC. > > Please review. If you submitted feedback on a previous version, make > sure that it was addressed and your questions answered. > > Also appreciated would be any information on implementation plans. > > WGLC ends Monday, Dec 16.
- [sipcore] WGLC draft-ietf-sipcore-sip-token-authnz A. Jean Mahoney
- Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-a… Paul Kyzivat
- Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-a… Christer Holmberg
- Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-a… Jörgen Axell
- Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-a… Christer Holmberg
- Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-a… Rifaat Shekh-Yusef
- Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-a… Paul Kyzivat
- Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-a… Christer Holmberg
- Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-a… Rifaat Shekh-Yusef
- Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-a… Christer Holmberg
- Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-a… Paul Kyzivat
- Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-a… Paul Kyzivat
- Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-a… Christer Holmberg