IETF Logo Mail Archive

Re: [sipcore] draft-ietf-sipcore-digest-scheme comments

Christer Holmberg <christer.holmberg@ericsson.com> Sat, 25 May 2019 19:36 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE0DD120096 for <sipcore@ietfa.amsl.com>; Sat, 25 May 2019 12:36:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UoIefRC1RzKU for <sipcore@ietfa.amsl.com>; Sat, 25 May 2019 12:36:08 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60043.outbound.protection.outlook.com [40.107.6.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DD20120021 for <sipcore@ietf.org>; Sat, 25 May 2019 12:36:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rZZI0Ir3OiZwSBLQZ75eYn0EKcQtInWjl89vPIUe+wA=; b=gQRJgv9vwTLUC/bgxhp+b2In32maPYIYYGpVhIPPxpD3AQ+ZXfYPaIBcWRrConhD8f+4odfeqntpjpm2/wE8hW2ERh8nSVoLkh0esdf2onBahcXU5Ooibi2HpSckXyzOqQUPyKVx3kyOde+AO7BS1IYswI2LCEVdyVnYmiTeL+w=
Received: from VI1PR07MB3167.eurprd07.prod.outlook.com (10.175.243.17) by VI1PR07MB5934.eurprd07.prod.outlook.com (20.178.81.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1943.13; Sat, 25 May 2019 19:36:03 +0000
Received: from VI1PR07MB3167.eurprd07.prod.outlook.com ([fe80::701a:45d2:1c1e:8c61]) by VI1PR07MB3167.eurprd07.prod.outlook.com ([fe80::701a:45d2:1c1e:8c61%5]) with mapi id 15.20.1943.007; Sat, 25 May 2019 19:36:03 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
CC: "Olle E. Johansson" <oej@edvina.net>, SIPCORE <sipcore@ietf.org>
Thread-Topic: [sipcore] draft-ietf-sipcore-digest-scheme comments
Thread-Index: AQHVDLXhQrBFZP79BUqVpCNPfRzS+KZxOB6AgAJLmwCAAqM3AIAFmuiAgABqJQD//9GFAIAASdoA///mjwCAADcSAP//z4EAAAjRmAA=
Date: Sat, 25 May 2019 19:36:03 +0000
Message-ID: <5671B78F-88CE-4528-B2C9-3B92AA2752A1@ericsson.com>
References: <DE595AFF-5DEA-4A32-8527-10B841D6C7C1@edvina.net> <CAGL6epLMHoneH6PNgeF5TgJhveh-xWeZSW6XQDBB2Gf5mS9eRQ@mail.gmail.com> <C1431DCD-C4DD-4BFA-9C5D-E4DFE7B0F2DA@edvina.net> <B4A08741-A092-480C-AE12-2DD25D7835D0@ericsson.com> <CAGL6epJTv+Dytk_VHNi4Sk0mimVj=cMqWR4u9uSg1q+RcUQJ_Q@mail.gmail.com> <98D9E38D-4EA3-4F55-B37D-5334FA42F362@ericsson.com> <CAGL6epL7y0jiOqBdt3UOkx31ueQofh-W8vPwjvOUZhHZsaDq3A@mail.gmail.com> <2BD32E4F-AA3F-4C61-BE9F-037353FA4083@ericsson.com> <CAGL6ep+F4Wj6uQMyLttvRaTDmROg=J8__6nwkeCNHgJTR1db_A@mail.gmail.com> <74E1C0B9-8DBE-4301-998F-66A8329CB408@ericsson.com> <CAGL6epJUBoFPWsdzYu6bKx9qVLr20btLDQ3R7DwpvxbD-CQ7dQ@mail.gmail.com>
In-Reply-To: <CAGL6epJUBoFPWsdzYu6bKx9qVLr20btLDQ3R7DwpvxbD-CQ7dQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.19.0.190512
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [178.55.236.10]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 61eec290-d9d9-4cd8-be93-08d6e1483940
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600148)(711020)(4605104)(1401327)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:VI1PR07MB5934;
x-ms-traffictypediagnostic: VI1PR07MB5934:
x-microsoft-antispam-prvs: <VI1PR07MB5934D437A1C89DE48B4DF64993030@VI1PR07MB5934.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0048BCF4DA
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(366004)(346002)(39860400002)(396003)(136003)(18543002)(189003)(199004)(6916009)(6116002)(3846002)(8936002)(86362001)(54906003)(82746002)(6246003)(26005)(71200400001)(71190400001)(186003)(446003)(83716004)(58126008)(14444005)(256004)(44832011)(11346002)(2616005)(476003)(486006)(33656002)(4326008)(25786009)(66066001)(68736007)(229853002)(73956011)(81156014)(6486002)(6436002)(305945005)(478600001)(7736002)(76176011)(14454004)(5660300002)(6506007)(99286004)(102836004)(6512007)(53936002)(36756003)(316002)(81166006)(76116006)(8676002)(66946007)(66446008)(64756008)(66556008)(91956017)(66476007)(2906002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR07MB5934; H:VI1PR07MB3167.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: qnGUgXwzvbVXWplhjKySzqAqP3E/z1Q4nejys48SZbuBKjFtuHmGG4m8dN5a6z82HX2XGyqGDAeOFglbJBQnBkyK5xvUe2zm4X5YakvD96trAWpuEfYbuvVzRu1pD7uv1M2ZOFGkGKmslFMzXtK35QLnWMUAW02QrdAos8kD+vLkjlLRbjDJSEgu3pMHTS9roggeo6/il3/+iYxORtm2Q0SItgQlWU6wQoV7Sm1Om0xUmOLB2i98DtuprzG32fvur5KydtYCOsoG03Th7FC7iT3DDnMJvS6l/ZwYgOgJS8R7dqobCrerOq12NxYOC41I8/T5yJ37dQAOjLeh26o9tocLDguLDLoUvQd5SE+GFGi4KTj2CFLLDMzslMmH7Ns7LrEsXhql/XHWybAlFxTeeAMoLYrcPP9pOatrd6pBW70=
Content-Type: text/plain; charset="utf-8"
Content-ID: <A9800F985A97724485814C22D55432C4@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 61eec290-d9d9-4cd8-be93-08d6e1483940
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 May 2019 19:36:03.3633 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: christer.holmberg@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB5934
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/567tmapkBcYu1QA_4YNF1NCzOUE>
Subject: Re: [sipcore] draft-ietf-sipcore-digest-scheme comments
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 May 2019 19:36:12 -0000

Hi,

... 

>>>>>>>> Section 2.4:
>>>>>>>>
>>>>>>>> "When the UAC receives a response with multiple header fields with the
>>>>>>>>   same realm it SHOULD use the topmost header field that it supports,
>>>>>>>>   unless a local policy dictates otherwise.”
>>>>>>>>
>>>>>>>> Why a SHOULD? I would prefer a MUST.
>>>>>>>
>>>>>>> I can do that, but the last part of this paragraph states that local policy can override this recommendations anyway.
>>>>>>> So, does it make any difference?
>>>>>>> Should we allow that? Why would local policy enforce a downgrade?
>>>>>>>
>>>>>>>> “When the UAC receives a 401 response with multiple WWW-Authenticate
>>>>>>>>   header fields with different realms it SHOULD retry and include an
>>>>>>>>   Authorization header field containing credentials that match the
>>>>>>>>   topmost header field of any one of the realms.”
>>>>>>>>
>>>>>>>> If you are disallowing multiple Authorization headers for the same realm,
>>>>>>>> but with different algorithms I think this should be clearly written. In my
>>>>>>>> view, that would be a good thing.
>>>>>>>
>>>>>>> This is allowed.
>>>>>>
>>>>>> RFC 3261 does not say anything about using the topmost header, does it?
>>>>>>
>>>>>> I was referring to this document.
>>>>>
>>>>> So, the should-use-topmost is something new, defined in this document?
>>>>
>>>> Yes, as per RFC7616.
>>>
>>> Perhaps then say "As defined in RFC7617,...."
>>>
>>> And, perhaps mention it in section 2, where the changes are listed.
>>>
>>> The normative text for SIP is specified in this document, so I do not see the need to add such a sentence.
>>
>> When we update an RFC, it is good to have an overview about what the updates are, so that people don't have to start reading 3261, 7617 
>> and try to figure out themselves. They will obviously have to read the RFCs to figure out the details, but it helps if they know what the updates 
>> are about.
>
> Section 2 is all about the changes introduced to the Digest mechanism.

Yes, but that doesn't really say anything about what exactly is updated.

> If that is not sufficient, can you propose some text?
 
Something like this:

"2.  Updates RFC 3261

This section replaces the reference to RFC2617 with a reference to RFC7617 in RFC3261, and
describes the modifications to the usage of the Digest mechanism in RFC3261 resulting from 
that reference update. It adds support for the SHA-256 and SHA-512/256 algorithms. It adds
required support for the "qop" option. It provides additional UAC and UAS procedures regarding usage of
multiple SIP Authorization, WWW-Authenticate and Proxy-Authenticate header fields, including 
in which order to insert and process them. It provides guidance regarding forking. Finally, it
updates the SIP protocol BNF as required by the updates."

Feel free to modify, remove - or add if I have forgot something.


In addition, I suggest to change the names of subsections 2.3 and 2.4.

The current name of subsection 2.3 is "The Authenticate Response Header Field". But, there is no such header field described. The section talks about other header fields (with similar names). Could we simply call it "UAS behavior"?

The current name of subsection 2.4 is "The Authorization Request Header Field". But, the section also talks about the WWW-Authenticate header field. Could we simply call it "UAC behavior"?

Regards,

Christer

v2.23.0 | Report a Bug | By Email