Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-04.txt
Paul Kyzivat <pkyzivat@alum.mit.edu> Mon, 21 October 2019 15:40 UTC
To: sipcore@ietf.org
References: <157151641170.5128.8434066501744885978@ietfa.amsl.com> <CAGL6epLPKsZO=-2gX+MZA2yDSZQshvAkwoZ9vjM1dSmtjd_JCg@mail.gmail.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <73c0eeaf-1341-8480-3379-7562a6d0e62c@alum.mit.edu>
Date: Mon, 21 Oct 2019 11:40:23 -0400
In-Reply-To: <CAGL6epLPKsZO=-2gX+MZA2yDSZQshvAkwoZ9vjM1dSmtjd_JCg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/4w8okiNnhVrdGR6-b3Tfu4Dn_fM>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-04.txt
Rifaat,

On 10/19/19 4:23 PM, Rifaat Shekh-Yusef wrote:
> All,
>
> We updated the draft based on the latest comments, mainly from Paul.
> Please, take a look and let us know what you think.

Thanks. This is better. I have some follow-up questions to broaden my understanding. (Once I understand better, I may have some suggestions on how to make the document clearer in this regard.)

IIUC, upon getting a challenge for which there is no cached response, the typical expected behavior for a UA is to launch a browser using the URL from the authz-server-value in the challenge. Is that right?

I'm not clear on the sequence of events following that. IOW, I'm looking for more detail on step [3] in the figure in section 5.1.

I would expect that this first action of the browser will result in the AS returning a form to the browser that will be displayed to the user. Then the user will presumably need to fill in that form and send it to the AS. And this may involve a dialog of multiple exchanges. This will presumably eventually end with a response from the AS containing a token.

How does the UA recognize this as the completion of the dialog? In particular, does the UA need to know anything about the AS or the authentication environment in which it is operating? Or is this consistent across all types of AS?

Also, I gather there can be different kinds of token in the response. Is this of concern to the UA? Or does the UA blindly pass the resulting token on to the registrar, so that the registrar can decide what to do with it?

Another point I want to follow up on is: you have now clarified that the authz-server-value contains a URL referencing the AS. Why not tighten the syntax to specify the allowed value types? I presume you intend this to be something that a browser can use to query the AS. The obvious type for this is an HTTPS URL. I am guessing that you are leaving this vague to allow other types that might be supported by browsers and ASs.

But presumably there is something you can say about the properties expected of this URL. I guess it ought to be something that is generally supported by browsers, and that can be used to reference forms. (E.g., a SIP URL wouldn't be appropriate here.)

Thanks,
Paul

>
> Regards,
> Rifaat
>
>
> On Sat, Oct 19, 2019 at 4:21 PM <internet-drafts@ietf.org
> <mailto:internet-drafts@ietf.org>> wrote:
>
>     A New Internet-Draft is available from the on-line Internet-Drafts
>     directories.
>     This draft is a work item of the Session Initiation Protocol Core WG
>     of the IETF.
>
>             Title           : Third-Party Token-based Authentication
>                               and Authorization for Session Initiation Protocol (SIP)
>             Authors         : Rifaat Shekh-Yusef
>                               Christer Holmberg
>                               Victor Pascual
>             Filename        : draft-ietf-sipcore-sip-token-authnz-04.txt
>             Pages           : 14
>             Date            : 2019-10-19
>
>     Abstract:
>        This document defines a mechanism for SIP, that is based on the
>        OAuth 2.0 and OpenID Connect Core 1.0 specifications, to enable the
>        delegation of the user authentication and SIP registration
>        authorization to a dedicated third-party entity that is separate
>        from the SIP network elements that provide the SIP service.
>
>
>     The IETF datatracker status page for this draft is:
>     https://datatracker.ietf.org/doc/draft-ietf-sipcore-sip-token-authnz/
>
>     There are also htmlized versions available at:
>     https://tools.ietf.org/html/draft-ietf-sipcore-sip-token-authnz-04
>     https://datatracker.ietf..org/doc/html/draft-ietf-sipcore-sip-token-authnz-04
>     <https://datatracker.ietf.org/doc/html/draft-ietf-sipcore-sip-token-authnz-04>
>
>     A diff from the previous version is available at:
>     https://www.ietf.org/rfcdiff?url2=draft-ietf-sipcore-sip-token-authnz-04
>
>
>     Please note that it may take a couple of minutes from the time of
>     submission until the htmlized version and diff are available at
>     tools.ietf.org <http://tools.ietf.org>.
>
>     Internet-Drafts are also available by anonymous FTP at:
>     ftp://ftp.ietf.org/internet-drafts/
>
>     _______________________________________________
>     sipcore mailing list
>     sipcore@ietf.org <mailto:sipcore@ietf.org>
>     https://www.ietf.org/mailman/listinfo/sipcore
>
>
> _______________________________________________
> sipcore mailing list
> sipcore@ietf.org
> https://www.ietf.org/mailman/listinfo/sipcore
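The UA-side handling Paul is asking about, written out as an added example that is not code from the draft or from anyone on this thread: parse the Bearer challenge out of the registrar's 401, refuse to hand anything but an https URL to the browser (the tightening he suggests; the draft text quoted here does not state such a rule), and then re-send REGISTER with whatever token came back, passed through opaquely so that the registrar, not the UA, decides what to do with it. The parameter name `authz_server` with a quoted-string value, the `Authorization: Bearer <token>` form of the re-sent request, the host names and the 401 message itself are all assumptions or constructed sample data.

```python
# Added example, not code from the draft or anyone on this thread.
# Assumed: the Bearer challenge carries the AS URL in a parameter named
# authz_server (quoted-string), the token goes back to the registrar as
# "Authorization: Bearer <token>", and the https-only rule below is this
# example's own policy.  Host names and the 401 message are constructed.
import re
from urllib.parse import urlparse

# Constructed sample: the registrar's 401 carrying a Bearer challenge.
SAMPLE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/TLS client.example.com;branch=z9hG4bK776asdhds\r\n"
    'WWW-Authenticate: Bearer authz_server="https://as.example.com/authorize", '
    'realm="example.com"\r\n'
    "Content-Length: 0\r\n\r\n"
)

# One auth-param: name=value, value a quoted-string or a bare token,
# followed by a comma or the end of the header value.
_PARAM_RE = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,\s]+))\s*(?:,|$)'
)


def find_header(message, name):
    """Return the value of the first header named `name` (case-insensitive)."""
    head = message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        hname, _, value = line.partition(":")
        if hname.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_challenge(header_value):
    """Split 'Bearer a="x", b=y' into ('Bearer', {'a': 'x', 'b': 'y'})."""
    scheme, _, rest = header_value.strip().partition(" ")
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM_RE.match(rest, pos)
        if not m:
            raise ValueError("malformed auth-param at offset %d" % pos)
        name, quoted, bare = m.groups()
        value = bare if quoted is None else quoted.replace('\\"', '"')
        params[name.lower()] = value
        pos = m.end()
    return scheme, params


def is_acceptable_as_url(url):
    """The tightening Paul asks about: only an https URL with a host is
    handed to a browser, so a sip: URL (or anything else) is rejected."""
    p = urlparse(url)
    return p.scheme == "https" and bool(p.hostname)


def authz_server_url(response):
    """Pull the AS URL (and realm) out of a 401, refusing anything unexpected."""
    hdr = find_header(response, "WWW-Authenticate")
    if hdr is None:
        raise ValueError("no WWW-Authenticate header in response")
    scheme, params = parse_challenge(hdr)
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %s" % scheme)
    url = params.get("authz_server")
    if url is None:
        raise ValueError("Bearer challenge without authz_server")
    if not is_acceptable_as_url(url):
        raise ValueError("refusing to open non-https authz_server %r" % url)
    return url, params.get("realm")


def register_with_token(request_uri, aor, token):
    """Re-send REGISTER with the token passed through opaquely: the UA does
    not interpret it, the registrar decides what to do with it.  Only the
    b64token characters of RFC 6750 are accepted so it cannot break the header."""
    if not re.fullmatch(r"[A-Za-z0-9._~+/-]+=*", token):
        raise ValueError("token is not a b64token")
    return (
        "REGISTER %s SIP/2.0\r\n"
        "To: <%s>\r\n"
        "From: <%s>;tag=a73kszlfl\r\n"
        "Authorization: Bearer %s\r\n"
        "Content-Length: 0\r\n\r\n" % (request_uri, aor, aor, token)
    )


if __name__ == "__main__":
    url, realm = authz_server_url(SAMPLE_401)
    print("open in browser:", url, "(realm %s)" % realm)
    # The token obtained at the end of the browser dialog goes here.
    print(register_with_token("sip:example.com", "sip:alice@example.com",
                              "eyJhbGci.payload.sig"))
```

The browser dialog itself (step [3] in the draft's figure) sits between `authz_server_url` and `register_with_token` and is deliberately not modelled: the UA only needs the URL going in and a token coming out, which is exactly the boundary Paul is asking the draft to pin down.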