Re: [sipcore] draft-ietf-sipcore-digest-scheme comments
Christer Holmberg <christer.holmberg@ericsson.com> Sat, 25 May 2019 19:36 UTC
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE0DD120096 for <sipcore@ietfa.amsl.com>; Sat, 25 May 2019 12:36:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UoIefRC1RzKU for <sipcore@ietfa.amsl.com>; Sat, 25 May 2019 12:36:08 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60043.outbound.protection.outlook.com [40.107.6.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DD20120021 for <sipcore@ietf.org>; Sat, 25 May 2019 12:36:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rZZI0Ir3OiZwSBLQZ75eYn0EKcQtInWjl89vPIUe+wA=; b=gQRJgv9vwTLUC/bgxhp+b2In32maPYIYYGpVhIPPxpD3AQ+ZXfYPaIBcWRrConhD8f+4odfeqntpjpm2/wE8hW2ERh8nSVoLkh0esdf2onBahcXU5Ooibi2HpSckXyzOqQUPyKVx3kyOde+AO7BS1IYswI2LCEVdyVnYmiTeL+w=
Received: from VI1PR07MB3167.eurprd07.prod.outlook.com (10.175.243.17) by VI1PR07MB5934.eurprd07.prod.outlook.com (20.178.81.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1943.13; Sat, 25 May 2019 19:36:03 +0000
Received: from VI1PR07MB3167.eurprd07.prod.outlook.com ([fe80::701a:45d2:1c1e:8c61]) by VI1PR07MB3167.eurprd07.prod.outlook.com ([fe80::701a:45d2:1c1e:8c61%5]) with mapi id 15.20.1943.007; Sat, 25 May 2019 19:36:03 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
CC: "Olle E. Johansson" <oej@edvina.net>, SIPCORE <sipcore@ietf.org>
Thread-Topic: [sipcore] draft-ietf-sipcore-digest-scheme comments
Thread-Index: AQHVDLXhQrBFZP79BUqVpCNPfRzS+KZxOB6AgAJLmwCAAqM3AIAFmuiAgABqJQD//9GFAIAASdoA///mjwCAADcSAP//z4EAAAjRmAA=
Date: Sat, 25 May 2019 19:36:03 +0000
Message-ID: <5671B78F-88CE-4528-B2C9-3B92AA2752A1@ericsson.com>
References: <DE595AFF-5DEA-4A32-8527-10B841D6C7C1@edvina.net> <CAGL6epLMHoneH6PNgeF5TgJhveh-xWeZSW6XQDBB2Gf5mS9eRQ@mail.gmail.com> <C1431DCD-C4DD-4BFA-9C5D-E4DFE7B0F2DA@edvina.net> <B4A08741-A092-480C-AE12-2DD25D7835D0@ericsson.com> <CAGL6epJTv+Dytk_VHNi4Sk0mimVj=cMqWR4u9uSg1q+RcUQJ_Q@mail.gmail.com> <98D9E38D-4EA3-4F55-B37D-5334FA42F362@ericsson.com> <CAGL6epL7y0jiOqBdt3UOkx31ueQofh-W8vPwjvOUZhHZsaDq3A@mail.gmail.com> <2BD32E4F-AA3F-4C61-BE9F-037353FA4083@ericsson.com> <CAGL6ep+F4Wj6uQMyLttvRaTDmROg=J8__6nwkeCNHgJTR1db_A@mail.gmail.com> <74E1C0B9-8DBE-4301-998F-66A8329CB408@ericsson.com> <CAGL6epJUBoFPWsdzYu6bKx9qVLr20btLDQ3R7DwpvxbD-CQ7dQ@mail.gmail.com>
In-Reply-To: <CAGL6epJUBoFPWsdzYu6bKx9qVLr20btLDQ3R7DwpvxbD-CQ7dQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.19.0.190512
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [178.55.236.10]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 61eec290-d9d9-4cd8-be93-08d6e1483940
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600148)(711020)(4605104)(1401327)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:VI1PR07MB5934;
x-ms-traffictypediagnostic: VI1PR07MB5934:
x-microsoft-antispam-prvs: <VI1PR07MB5934D437A1C89DE48B4DF64993030@VI1PR07MB5934.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0048BCF4DA
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(366004)(346002)(39860400002)(396003)(136003)(18543002)(189003)(199004)(6916009)(6116002)(3846002)(8936002)(86362001)(54906003)(82746002)(6246003)(26005)(71200400001)(71190400001)(186003)(446003)(83716004)(58126008)(14444005)(256004)(44832011)(11346002)(2616005)(476003)(486006)(33656002)(4326008)(25786009)(66066001)(68736007)(229853002)(73956011)(81156014)(6486002)(6436002)(305945005)(478600001)(7736002)(76176011)(14454004)(5660300002)(6506007)(99286004)(102836004)(6512007)(53936002)(36756003)(316002)(81166006)(76116006)(8676002)(66946007)(66446008)(64756008)(66556008)(91956017)(66476007)(2906002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR07MB5934; H:VI1PR07MB3167.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: qnGUgXwzvbVXWplhjKySzqAqP3E/z1Q4nejys48SZbuBKjFtuHmGG4m8dN5a6z82HX2XGyqGDAeOFglbJBQnBkyK5xvUe2zm4X5YakvD96trAWpuEfYbuvVzRu1pD7uv1M2ZOFGkGKmslFMzXtK35QLnWMUAW02QrdAos8kD+vLkjlLRbjDJSEgu3pMHTS9roggeo6/il3/+iYxORtm2Q0SItgQlWU6wQoV7Sm1Om0xUmOLB2i98DtuprzG32fvur5KydtYCOsoG03Th7FC7iT3DDnMJvS6l/ZwYgOgJS8R7dqobCrerOq12NxYOC41I8/T5yJ37dQAOjLeh26o9tocLDguLDLoUvQd5SE+GFGi4KTj2CFLLDMzslMmH7Ns7LrEsXhql/XHWybAlFxTeeAMoLYrcPP9pOatrd6pBW70=
Content-Type: text/plain; charset="utf-8"
Content-ID: <A9800F985A97724485814C22D55432C4@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 61eec290-d9d9-4cd8-be93-08d6e1483940
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 May 2019 19:36:03.3633 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: christer.holmberg@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB5934
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/567tmapkBcYu1QA_4YNF1NCzOUE>
Subject: Re: [sipcore] draft-ietf-sipcore-digest-scheme comments
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 May 2019 19:36:12 -0000
Hi, ... >>>>>>>> Section 2.4: >>>>>>>> >>>>>>>> "When the UAC receives a response with multiple header fields with the >>>>>>>> same realm it SHOULD use the topmost header field that it supports, >>>>>>>> unless a local policy dictates otherwise.” >>>>>>>> >>>>>>>> Why a SHOULD? I would prefer a MUST. >>>>>>> >>>>>>> I can do that, but the last part of this paragraph states that local policy can override this recommendations anyway. >>>>>>> So, does it make any difference? >>>>>>> Should we allow that? Why would local policy enforce a downgrade? >>>>>>> >>>>>>>> “When the UAC receives a 401 response with multiple WWW-Authenticate >>>>>>>> header fields with different realms it SHOULD retry and include an >>>>>>>> Authorization header field containing credentials that match the >>>>>>>> topmost header field of any one of the realms.” >>>>>>>> >>>>>>>> If you are disallowing multiple Authorization headers for the same realm, >>>>>>>> but with different algorithms I think this should be clearly written. In my >>>>>>>> view, that would be a good thing. >>>>>>> >>>>>>> This is allowed. >>>>>> >>>>>> RFC 3261 does not say anything about using the topmost header, does it? >>>>>> >>>>>> I was referring to this document. >>>>> >>>>> So, the should-use-topmost is something new, defined in this document? >>>> >>>> Yes, as per RFC7616. >>> >>> Perhaps then say "As defined in RFC7617,...." >>> >>> And, perhaps mention it in section 2, where the changes are listed. >>> >>> The normative text for SIP is specified in this document, so I do not see the need to add such a sentence. >> >> When we update an RFC, it is good to have an overview about what the updates are, so that people don't have to start reading 3261, 7617 >> and try to figure out themselves. They will obviously have to read the RFCs to figure out the details, but it helps if they know what the updates >> are about. > > Section 2 is all about the changes introduced to the Digest mechanism. Yes, but that doesn't really say anything about what exactly is updated. > If that is not sufficient, can you propose some text? Something like this: "2. Updates RFC 3261 This section replaces the reference to RFC2617 with a reference to RFC7617 in RFC3261, and describes the modifications to the usage of the Digest mechanism in RFC3261 resulting from that reference update. It adds support for the SHA-256 and SHA-512/256 algorithms. It adds required support for the "qop" option. It provides additional UAC and UAS procedures regarding usage of multiple SIP Authorization, WWW-Authenticate and Proxy-Authenticate header fields, including in which order to insert and process them. It provides guidance regarding forking. Finally, it updates the SIP protocol BNF as required by the updates." Feel free to modify, remove - or add if I have forgot something. In addition, I suggest to change the names of subsections 2.3 and 2.4. The current name of subsection 2.3 is "The Authenticate Response Header Field". But, there is no such header field described. The section talks about other header fields (with similar names). Could we simply call it "UAS behavior"? The current name of subsection 2.4 is "The Authorization Request Header Field". But, the section also talks about the WWW-Authenticate header field. Could we simply call it "UAC behavior"? Regards, Christer
- [sipcore] draft-ietf-sipcore-digest-scheme commen… Olle E. Johansson
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Rifaat Shekh-Yusef
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Olle E. Johansson
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Christer Holmberg
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Olle E. Johansson
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Christer Holmberg
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Rifaat Shekh-Yusef
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Rifaat Shekh-Yusef
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Christer Holmberg
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Rifaat Shekh-Yusef
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Paul Kyzivat
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Christer Holmberg
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Christer Holmberg
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Rifaat Shekh-Yusef
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Rifaat Shekh-Yusef
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Christer Holmberg
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Rifaat Shekh-Yusef
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Christer Holmberg
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Christer Holmberg
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Rifaat Shekh-Yusef
- Re: [sipcore] draft-ietf-sipcore-digest-scheme co… Christer Holmberg