Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - COMMENT
Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Sat, 25 April 2020 15:11 UTC
Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 426C73A112F; Sat, 25 Apr 2020 08:11:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3wDJQwMrPBVI; Sat, 25 Apr 2020 08:11:02 -0700 (PDT)
Received: from mail-io1-xd43.google.com (mail-io1-xd43.google.com [IPv6:2607:f8b0:4864:20::d43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3F1D3A112E; Sat, 25 Apr 2020 08:11:01 -0700 (PDT)
Received: by mail-io1-xd43.google.com with SMTP id u11so13894380iow.4; Sat, 25 Apr 2020 08:11:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bGjbBQb1SvDlpQP3WzzWjefC1QHZImmMbYhija/m4ng=; b=mYo6G70+FOch4pFPRsh3Hu3fA5bY9HcO/JzmevdU87vtXzyEWIgglr1eiP6vo3wVq1 aj4NCiU1iSiMBp+2nHBcaTjV4OGVUVUwkikrRhm+xDqauUGCsFOa1uyXemGmDfAfVSYY EuMeu/5n0OdDycd7hgEH8N9VpCMSfrh65hFHUPbDXimHYpuY77g6H5eRRByZbp16Z0I0 RtqpM4asDnnetU+W7bXkhFpWD4jfiUA8W8Q6QaJmDvM1jfLSC+Il3YVGw769AAQRIG// cM7A0ZyMwMCeqIP8TTKV5A8z5/xHf6d0WZg/+iFmts4a5pi0SU7fhSbnaIcdrcdMEmhe hFDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bGjbBQb1SvDlpQP3WzzWjefC1QHZImmMbYhija/m4ng=; b=enR/dHcp47ryhSwyjjlfEfntg7R8NNt870SAGf0zJAsxeJay/z9IqR0m3/R+Gged9G ZyllAlOqFLA8uiA/mNY1BCqNygjbpmaTnZSuC17TP/BqIuCHRQQfbA0pAFvvDUmZqKQp sNSIIdQ0QGBgLTn8vL/0xr9xZyM34Yu/5cpjMq60sxGiM8NTlE8/KLgRYTAo15Xdb6vZ QkSMfLKF8CMUPYKnXER/x2BYKSevuIRPUCzCJ64D1SZVg0qr4VpOam/yRLgMCcd8qpnI 8FlFfb1SLtKPCpWozE+eCBwg9juAi4AIdJSaihhuSxPSviLUAuUOsZJ6/rZBV9BVhXxD Am+A==
X-Gm-Message-State: AGi0PubIZ1OCwJr20fQJJvmR37i0/kpHpDws/64sD/OZygXlCzvj/FeF xAY6V+wigFy60dTssu8DgyogsRRsi9VIZkuw4Yk=
X-Google-Smtp-Source: APiQypK88yVxCYj6tUQi3+15Zoau+GlKwYtQ4BJ3vD5ZmCkenET/0zF8cNrtiwDdYT0BweUxgripGXg//Gg6a1j+TJk=
X-Received: by 2002:a02:5249:: with SMTP id d70mr13357550jab.121.1587827461074; Sat, 25 Apr 2020 08:11:01 -0700 (PDT)
MIME-Version: 1.0
References: <31B5AC00-A9C5-4F02-8111-2ED9EB1D10D9@ericsson.com>
In-Reply-To: <31B5AC00-A9C5-4F02-8111-2ED9EB1D10D9@ericsson.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Sat, 25 Apr 2020 11:10:50 -0400
Message-ID: <CAGL6ep+dByvWrfEmK9HJRT5iqmuw+_NkOF5GenMxroL7ZmGpuA@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>, "draft-ietf-sipcore-sip-token-authnz@ietf.org" <draft-ietf-sipcore-sip-token-authnz@ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "sipcore@ietf.org" <sipcore@ietf.org>, Jean Mahoney <mahoney@nostrum.com>
Content-Type: multipart/alternative; boundary="000000000000c830e005a41ee316"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/3c0V4_Js4eC8HPmU-XSNNbU4iR0>
Subject: Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - COMMENT
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Apr 2020 15:11:06 -0000
Inline... On Thu, Apr 23, 2020 at 5:04 PM Christer Holmberg < christer.holmberg@ericsson.com> wrote: > Hi Benjamin, > > Thank You for the review! In this reply I will address some of your > COMMENT issues, and indicate the ones that I want Rifaat to address. Your > DISCUSS will be addressed in a separate realy. > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > > Section 1 > > > > The OpenID Connect 1.0 specification [OPENID] defines a simple > > identity layer on top of the OAuth 2.0 protocol, which enables > > clients to verify the identity of the user based on the > > > > Please make it clear that these are OAuth/OIDC clients, not SIP > clients. > > I'll leave this for Rifaat. > > Sure. > --- > > > Section 1.3 > > > > OAuth 2.0 doesn't require the issuance of a Refresh token, but the > > discussion here implies that for the SIP case there will always be a > refresh > > token. If we're profiling 6749 in this manner, we should be more > explicit > > about the requirement to issue refresh tokens. > > I am not sure whether the intention is to say that there will always be a > refresh token. But, I'll leave this for Rifaat. > I answered in this the reply to the DISCUSS > > > * ID Token: this token contains the SIP URI and other > user-specific > > details that will be consumed by the UAC. > > > > nit: I don't think we should use the definite article in "the SIP > URI" since > > we haven't discussed any such SIP URI usage yet. That is, we should > say > > what it's used for, e.g., "a SIP URI associated with the user". > > I'll leave this for Rifaat. > > Sure. > > * Structured Token: a token that consists of a structured object > > that contains the claims associated with the token, e.g. JWT as > > defined in [RFC7519]. > > > > nit: comma after "e.g.". > > Will be fixed. > > > * Reference Token: a token that consists of a random string that > is > > used to obtain the details of the token and its associated > claims, > > as defined in [RFC6749]. > > > > It doesn't technically have to be random (though in practice it should > > contain signficant random elements); "opaque" might be better wording. > > I'll leave this for Rifaat. > > How about "opaque random string"? > > Section 1.4.1 > > > > Perhaps Figure 1 could include some indication that steps 5 and 6 are > > optional/do not always occur (in the case when the access token is a > > self-contained JWT)? > > I'll leave this for Rifaat. > > This is explicitly mentioned in the text, but I agree that it would be helpful to include it in the figure. > > In step [2], the registrar challenges the UA, by sending a SIP 401 > > (Unauthorized) response to the REGISTER request. In the response, > > the registrar includes information about the AS to contact in order > > to obtain a token. > > > > The UAC needs to have a preconfigured whitelist of acceptable ASes in > order > > to avoid directing the user's credentials to malicious sites. > > This is related to your DISCUSS, so it will be addressed as part of that. > > > The registrar validates the access token. If the access token is a > > reference token, the registrar MAY perform an introspection > > [RFC7662], as in steps [5] and [6], in order to obtain more > > information about the access token and its scope, per [RFC7662]. > > > > I think we could tighten up the normative language a bit here. > > In particular, the registrar MUST validate the token in some fashion; > for > > reference tokens, the main ways to do that are either inspection or > > (essentially) being the party that issued the token in the first > place. > > > > Otherwise, after the registrar validates the token to make sure it > > was signed by a trusted entity, it inspects its claims and acts > upon > > it. > > > > I think we can also be more specific than "a trusted entity" -- in > this > > flow, it looks like the registrar should know exactly which entity > should > > have signed the token in question (for the user in question), and > should not > > accept a signed token from a different entity that happens to be > trusted to > > issue other tokens. > > The text in Section 2.2. mandates the validation: > > "When a UAS/Registrar receives a SIP request that contains an > Authorization header field with an access token, the UAS/Registrar > MUST validate the access token,..." > > I don't think we should put too much normative text into the example flows. > > > Section 1.4.2 > > > > (Similarly, Figure 2 could note that steps 3 and 4 do not always > occur, and > > the text about token validation should remain parallel between > examples.) > > I'll leave this for Rifaat. > > Again, this is explicitly mentioned in the text, but I agree that it would be helpful to include it in the figure. > ---- > > > Section 2 > > > > I note that RFC 3261 explicitly disclaims any definition of > authorization > > systems, which is not true for this document, given that OAuth is an > > authorization system :) > > RFC 3261 only says that the RFC does not recommend or discuss any > authorization system. > > > Section 2.1.1 > > > > Required) response with a Proxy-Authenticate header field. If the > > WWW-Authenticate or Proxy-Authenticate header field indicates > > "Bearer" scheme authentication and contains an address to an > > authorization server, the UAC contacts the authorization server in > > order to obtain tokens, and includes the requested scopes, based > on a > > local configuration (Figure 1). > > > > [whitelist of allowed ASes, again] > > Will be addressed when the DISCUSS is addressed. > > > The detailed OAuth2 procedure to authenticate the user and obtain > > these tokens is out of scope of this document. The address of the > > authorization server might already be known to the UAC via > > configuration. In which case, the UAC can contact the > authorization > > server for tokens before it sends a SIP request (Figure 2). > > > > nit: I think that "in which case" functions as a conjunction, which > makes > > this an incomplete sentence. > > The text was suggested by one of the reviewers, but I agree it sounds > incomplete. > > Perhaps "In such cases"? > > > The tokens returned to the UAC depend on the type of authorization > > server (AS): an OAuth AS provides an access token and refresh token > > [RFC6749]. The UAC provides the access token to the SIP servers to > > > > Again, this implies that refresh tokens are always issued; RFC 6749 > is quite > > clear that "issuing a refresh token is optional at the discretion of > the > > authorization server". > > I'll leave this for Rifaat. > > As I mentioned in the reply to the DISCUSS, we will clarify this. > > authorize UAC's access to the service. The UAC uses the refresh > > token only with the AS to get a new access token and refresh token > > before the expiry of the current access token (see [RFC6749], > section > > > > (New refresh token is also optional.) > > I'll leave this for Rifaat. > > As I mentioned in the reply to the DISCUSS, we will clarify this. > > 1.5 Refresh Token for details). An OpenID Connect server returns > an > > additional ID-Token containing the SIP URI and other user-specific > > details that will be consumed by the UAC. > > > > [same comment as above about "the SIP URI".] > > I'll leave this for Rifaat. > > Ok > > If the UAC receives a 401/407 response with multiple WWW- > > Authenticate/Proxy-Authenticate header fields, providing challenges > > using different authentication schemes for the same realm, the UAC > > selects one or more of the provided schemes (based on local policy) > > and provides credentials for those schemes. > > > > RFC 3261 seems to be written in a world that assumed that Basic and > Digest > > are the only defined HTTP authentication schemes, and since it > prohibits > > Basic, that there would only be one authentication challenge (type) > > possible. This text righly acknowledges that we are opening the > field up > > and could have cases where multiple authentication schemes are > possible; > > however, it goes even further and admits the possibility of using them > > simultaneously. It seems like this places an onus on us to give some > > indication of the semantics when multiple schemes are used at the > same time. > > Do the authenticated identities need to match? Or are we asserting > that > > both/all identities are consenting to the request in question? (If > we don't > > have a concrete use case in mind, perhaps the "or more" is just > opening a > > box that we don't need to open right now.) > > I can modify as suggested. > > (Personally, I have never seen multiple schemes in a deployment.) > > > Section 2.1.2 > > > > access to it. Endpoints that support this specification MUST > support > > encrypted JSON Web Tokens (JWT) [RFC7519] for encoding and > protecting > > access tokens when they are included in SIP requests, unless some > > other mechanism is used to guarantee that only authorized SIP > > endpoints have access to the access token. > > > > I think we may want "MUST support" (always) and "MUST use, unless > some other > > mechanism". > > Based on another review, I suggested to change to "MUST use". I am not > sure whether we need to keep "MUST support". > > > I'd also suggest a quick note that TLS remains fine for protecting the > > UAC/AS interaction where the refresh token is used. > > I can do that. > > I could also say "*SIP* endpoints that support this specification...". > > > Whatever is done, please harmonize with Section 5 that has > essentially the > > same text. > > Will do. > > > Section 2.1.3 > > > > Based on local policy, the UAC MAY include an access token that has > > been used for another binding associated with the same Address Of > > Record (AOR) in the request. > > > > Just to check: there's no real privacy considerations with such use, > as its > > the same parties interacting and there are other identifiers (e.g., IP > > addresses) to confirm that it's the same client communicating to the > server? > > I'll leave this for Rifaat. > > I would not rely only on an IP address, but the answer is yes. > > Also, is it clear what will be done (new token request) when the MAY > is not > > heeded? > > I'll leave this for Rifaat. > > The Client would need to obtain a new access token. I will clarify this. > > Section 2.1.4 > > > > The text here just talks about "a valid access token" and similar, > without > > saying a whole lot about it being related in any way to the specifics > of the > > authentication challenge. Is there something useful to say about, > e.g., the > > token in question having been issued by the authorization server > indicated > > in the challenge? > > I'll leave this for Rifaat. > > Sure. > Section 2.2 > > > > authorization credentials acceptable to it, it SHOULD challenge the > > request by sending a 401 (Unauthorized) response. To indicate that > > it is willing to accept an access token as a credential, the UAS/ > > Registrar MUST include a Proxy-Authentication header field in the > > response that indicates "Bearer" scheme and includes an address of > an > > > > nit(?): I'd consider just making this a declarative statement, a la > "the > > UAS/registrar includes a Proxy-Authentication header field with the > "Bearer" > > scheme to indicate that it is willing to accept an access token as a > > credential" (but that wording is incomplete and would need to be > fleshed > > out a bit more). > > I think that would be weird. Because, first we say that the UAS/Registrar > SHOULD challenge, and with your suggestion the text would say that the > UAS/Registrar MUST include a Proxy-Authentication header field even if it > does NOT challenge the request. > > Perhaps: > > "If the UAS/Registrar chooses to challenge the request, and is willing to > accept an access token as a credential, the UAS/Registrar MUST include a..." > > > authorization server from which the originator can obtain an access > > token. > > > > nit: "address of" an AS, does that mean bare IP address only or is a > DNS > > name okay? > > I'll leave this for Rifaat. > > I do not think that an IP address is appropriate, and what I have in mind is a DNS name. I will clarify it. > [RFC7519]. If the token provided is an expired access token, then > > the UAS MUST reply with 401 Unauthorized, as defined in section 3 > of > > [RFC6750]. If the validation is successful, the UAS/Registrar can > > continue to process the request using normal SIP procedures. If > the > > validation fails, the UAS/Registrar MUST reject the request. > > > > Is "expired" the only case that should get a 401 vs. outright > rejection, as > > stated here? > > 401 is sent also in the case where the validation fails. I will clarify > that. > > > Section 2.3 > > > > sending a 407 (Proxy Authentication Required) response. To > indicate > > that it is willing to accept an access token as a credential, the > > proxy MUST include a Proxy-Authentication header field in the > > response that indicates "Bearer" scheme and includes an address to > an > > > > [same comment as above about normative vs. declarative statement] > > Also, please keep the text parallel between sections -- this copy has > at > > least one nit ("address to an" vs. "address of an"). > > I will fix this in the same way. > > > Section 3 > > > > If an access token is encoded as a JWT, it might contain a list of > > claims [RFC7519], some registered and some application-specific. > The > > > > I don't think there's a question of whether a JWT will contain a list > of > > claims :) > > Fair enough :) > > > Maybe "If the access token is encoded as a JWT, it will contain a > list of > > claims [RFC7519], which may include both registered and > application-specific > > claims"? > > Looks good to me, but I'll leave this for Rifaat. > > Looks good to me too. Regards, Rifaat > ---- > > > Section 4 > > > > This section claims to cover WWW-Authenticate. What specification > will the > > SIP use of Bearer for Authorization operate under? > > RFC 6750. > > Section 2.1.3 says: > > "The UAC sends a REGISTER request with an Authorization header field > containing the response to the challenge, including the Bearer scheme > carrying a valid access token in the request, as specified in > [RFC6750]." > > > challenge =/ ("Bearer" LWS bearer-cln *(COMMA bearer-cln)) > > > > side note: is there a mnemonic for the "cln" in "bearer-cln"? > > RFC 3261 uses "cln" for digest. > > > bearer-cln = realm / scope / authz-server / error / > > auth-param > > > > nit: realm is already included in auth-param, though I don't see a > harm in > > calling it out explicitly. > > auth-param is used to allow possible new parameters in the future. > > > realm = <defined in RFC3261> > > auth-param = <defined in RFC3261> > > > > RFC 3261 defers to RFC 2617 (now obsoleted by 7235) for both of > these; we > > could perhaps short-circuit the chain and say "defined in RFC 7235". > > We discussed this in the WG, and the outcome was to keep the same > references as RFC 3261, since that is what people are implementing. > > Then, as a separate task, someone could update RFC 3261 with the new > references. > > --- > > > Section 5 > > > > We should probably note that SIP makes much heavier use of proxies > than is > > common in the web world of OAuth. > > Maybe something like: > > "However, SIP makes have use of intermediary SIP proxies, and TLS only > guarantees hop-to-hop protection when used to > protect SIP signaling." > > > I'm happy to see that some privacy considerations are being added in > > response to Barry's review. > > Good :) > > --- > > > Section 8 > > > > I think RFCs 8252 and 8414 could be just informative. > > I can fix that. > > --- > > Regards, > > Christer > > > > > >
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Christer Holmberg
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Benjamin Kaduk
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Christer Holmberg
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Rifaat Shekh-Yusef
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Benjamin Kaduk
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Benjamin Kaduk
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Christer Holmberg
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Rifaat Shekh-Yusef