Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-04.txt

Paul Kyzivat <pkyzivat@alum.mit.edu> Mon, 21 October 2019 15:40 UTC

To: sipcore@ietf.org
References: <157151641170.5128.8434066501744885978@ietfa.amsl.com> <CAGL6epLPKsZO=-2gX+MZA2yDSZQshvAkwoZ9vjM1dSmtjd_JCg@mail.gmail.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <73c0eeaf-1341-8480-3379-7562a6d0e62c@alum.mit.edu>
Date: Mon, 21 Oct 2019 11:40:23 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/4w8okiNnhVrdGR6-b3Tfu4Dn_fM>

Rifaat,

On 10/19/19 4:23 PM, Rifaat Shekh-Yusef wrote:
> All,
> 
> We updated the draft based on the latest comments, mainly from Paul.
> Please, take a look and let us know what you think.

Thanks. This is better. I have some followup questions to broaden my 
understanding. (Once I understand better, I may have some suggestions on 
how to make the document clearer in this regard.)

IIUC, upon getting a challenge for which there is no cached response, 
the typical expected behavior for a UA is to launch a browser using the 
URL from the authz-server-value in the challenge. Is that right?

I'm not clear on the sequence of events following that. IOW, I'm looking 
for more detail on step [3] in the figure in section 5.1. I would expect 
that this first action of the browser will result in the AS returning a 
form to the browser that will be displayed to the user. Then the user 
will presumably need to fill in that form and send it to the AS. And 
this may involve a dialog of multiple exchanges. This will presumably 
eventually end with a response from the AS containing a token. How does 
the UA recognize this as the completion of the dialog?

In particular, does the UA need to know anything about the AS or the 
authentication environment in which it is operating? Or is this 
consistent across all types of AS?

Also, I gather there can be different kinds of token in the response. Is 
this of concern to the UA? Or does the UA blindly pass the resulting 
token on to the registrar, so that the registrar can decide what to do 
with it?

Another point I want to follow up on is: you have now clarified that the 
authz-server-value contains a URL referencing the AS. Why not tighten 
the syntax to specify the allowed value types? I presume you intend this 
to be something that a browser can use to query the AS. The obvious type 
for this is an HTTPS URL. I am guessing that you are leaving this vague 
to allow other types that might be supported by browsers and ASs. But 
presumably there is something you can say about the properties expected 
of this URL. I guess it ought to be something that is generally 
supported by browsers, and that can be used to reference forms. (E.g., a 
SIP URL wouldn't be appropriate here.)

	Thanks,
	Paul

> 
> Regards,
>   Rifaat
> 
> 
> On Sat, Oct 19, 2019 at 4:21 PM <internet-drafts@ietf.org> wrote:
> 
> 
>     A New Internet-Draft is available from the on-line Internet-Drafts
>     directories.
>     This draft is a work item of the Session Initiation Protocol Core WG
>     of the IETF.
> 
>              Title           : Third-Party Token-based Authentication
>                                and Authorization for Session Initiation Protocol (SIP)
>              Authors         : Rifaat Shekh-Yusef
>                                Christer Holmberg
>                                Victor Pascual
>              Filename        : draft-ietf-sipcore-sip-token-authnz-04.txt
>              Pages           : 14
>              Date            : 2019-10-19
> 
>     Abstract:
>        This document defines a mechanism for SIP, that is based on the OAuth
>        2.0 and OpenID Connect Core 1.0 specifications, to enable the
>        delegation of the user authentication and SIP registration
>        authorization to a dedicated third-party entity that is separate from
>        the SIP network elements that provide the SIP service.
> 
> 
>     The IETF datatracker status page for this draft is:
>     https://datatracker.ietf.org/doc/draft-ietf-sipcore-sip-token-authnz/
> 
>     There are also htmlized versions available at:
>     https://tools.ietf.org/html/draft-ietf-sipcore-sip-token-authnz-04
>     https://datatracker.ietf.org/doc/html/draft-ietf-sipcore-sip-token-authnz-04
> 
>     A diff from the previous version is available at:
>     https://www.ietf.org/rfcdiff?url2=draft-ietf-sipcore-sip-token-authnz-04
> 
> 
>     Please note that it may take a couple of minutes from the time of
>     submission
>     until the htmlized version and diff are available at tools.ietf.org.
> 
>     Internet-Drafts are also available by anonymous FTP at:
>     ftp://ftp.ietf.org/internet-drafts/
> 
>     _______________________________________________
>     sipcore mailing list
>     sipcore@ietf.org
>     https://www.ietf.org/mailman/listinfo/sipcore
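Paul's questions above turn on two UA-side decisions: what to do with a Bearer challenge for which no token is cached, and what the URL in the authz-server parameter is allowed to be before a browser is pointed at it. The following Python is an added example written for this page; it is not code from the draft, from its authors, or from anyone in this thread. It assumes the challenge carries the AS URL in an auth-param named authz_server and the protection domain in realm (names taken from the thread, not the draft's exact ABNF), treats the returned token as opaque apart from RFC 6750 b64token syntax, and uses a constructed sample challenge.

```python
import re
from urllib.parse import urlsplit

# RFC 7235 auth-param: token "=" ( token / quoted-string ), comma separated.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_PARAM = re.compile(
    r'\s*(?P<key>' + _TOKEN + r')\s*=\s*'
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<token>' + _TOKEN + r'))\s*(?:,|$)'
)
# RFC 6750 b64token: the only syntax the UA enforces on an otherwise opaque token.
_B64TOKEN = re.compile(r'^[A-Za-z0-9._~+/-]+=*$')


class ChallengeError(ValueError):
    """Raised when a challenge or token cannot be used safely."""


def parse_bearer_challenge(header_value):
    """Split a 'Bearer ...' WWW-Authenticate value into its auth-params."""
    scheme, _, rest = header_value.strip().partition(' ')
    if scheme.lower() != 'bearer':
        raise ChallengeError('not a Bearer challenge: %r' % scheme)
    params = {}
    pos = 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if m is None:
            raise ChallengeError('malformed auth-param near %r' % rest[pos:pos + 20])
        key = m.group('key').lower()
        if key in params:
            raise ChallengeError('duplicate auth-param %r' % key)
        if m.group('quoted') is not None:
            params[key] = re.sub(r'\\(.)', r'\1', m.group('quoted'))  # undo quoted-pair
        else:
            params[key] = m.group('token')
        pos = m.end()
    return params


def authz_server_url(params):
    """Return the AS URL only if it is something a browser can safely be pointed at."""
    url = params.get('authz_server')  # parameter name is an assumption from the thread
    if url is None:
        raise ChallengeError('challenge carries no authz_server parameter')
    if re.search(r'[\x00-\x20\x7f]', url):
        raise ChallengeError('control characters or whitespace in authz_server URL')
    try:
        parts = urlsplit(url)
    except ValueError as err:
        raise ChallengeError('unparseable authz_server URL: %s' % err)
    # A browser must be able to fetch a form from it: absolute https only, no sip: etc.
    if parts.scheme.lower() != 'https' or not parts.hostname:
        raise ChallengeError('authz_server must be an absolute https URL, got %r' % url)
    if parts.username is not None or parts.password is not None:
        raise ChallengeError('authz_server URL must not carry userinfo')
    return url


class TokenCache:
    """Tokens keyed by realm, so a repeat challenge for a known realm needs no browser trip."""

    def __init__(self):
        self._by_realm = {}

    def lookup(self, params):
        return self._by_realm.get(params.get('realm'))

    def store(self, params, token):
        self._by_realm[params['realm']] = token


def authorization_header(token):
    """Place the token opaquely in the retried REGISTER. Enforcing b64token syntax
    also keeps CR/LF and other header-injection characters out of the request."""
    if not _B64TOKEN.match(token):
        raise ChallengeError('token is not a b64token')
    return 'Authorization: Bearer ' + token


def next_step(header_value, cache):
    """Decide what the UA does with a challenge.
    Returns ('retry', Authorization header) or ('browse', AS URL to open)."""
    params = parse_bearer_challenge(header_value)
    cached = cache.lookup(params)
    if cached is not None:
        return 'retry', authorization_header(cached)
    return 'browse', authz_server_url(params)


def rejection_reason(header_value):
    """Reason string if the UA would refuse to act on the challenge, else None."""
    try:
        next_step(header_value, TokenCache())
    except ChallengeError as err:
        return str(err)
    return None


# Constructed sample challenge; not taken from the draft.
SAMPLE_CHALLENGE = ('Bearer authz_server="https://as.example.com/authorize", '
                    'realm="example.com", scope="openid"')

if __name__ == '__main__':
    cache = TokenCache()
    print(next_step(SAMPLE_CHALLENGE, cache))
    cache.store(parse_bearer_challenge(SAMPLE_CHALLENGE), 'eyJhbGciOi.example.token')
    print(next_step(SAMPLE_CHALLENGE, cache))
    print(rejection_reason('Bearer authz_server="sip:as.example.com", realm="example.com"'))
```

The sip: case is the one Paul names as inappropriate; the userinfo and control-character checks are added defensively, since the challenge arrives from the registrar side and is handed straight to a browser. Nothing here inspects the token type: the UA stores and forwards it unchanged, which matches the "blindly pass it to the registrar" reading Paul asks about.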