Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - COMMENT
Christer Holmberg <christer.holmberg@ericsson.com> Thu, 23 April 2020 21:03 UTC
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 699A43A13C6; Thu, 23 Apr 2020 14:03:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.921
X-Spam-Level:
X-Spam-Status: No, score=-2.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.82, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SAfHWn0p7Vef; Thu, 23 Apr 2020 14:03:57 -0700 (PDT)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2088.outbound.protection.outlook.com [40.107.22.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 763943A13C5; Thu, 23 Apr 2020 14:03:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=d5J89bjFPXiiT/vlYgpHIXKOMtWd6l7JGbZub35E0eQuI4R496HM9W3RYYDrvJvMcp2oEMGQ96pmeoyctMeMZRvKCWo8a0p716+XeYQC5KwRGP+N694pxJ1CIeXgDdKKuhTx79y0Fal0kE/Zz20giNMEvFAyQAWYFz8JH8v9jdFgDIOxTpy6Eptyf9f3ezQJb3+06A4Z4jl5rL1tKkrzJaW1nYLVck0AsIAqUGu+UrkCq1AnGAJPNN0SEvPNG97FNEiQtPd8KEfzANeFOuysHeNXuKH/xk//615HduoSRm7a9zFeEg+2wtVDL7hZiYGTkUSnMdb13BnWEWsoCf/eRg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7o2vGqCCpWVx1gKIKxJFNybqCEK7C8K3hkmURIK1X7E=; b=GuMBb0/mx9TrVmM+KzpBxmD8B1LhXlBM0lzxP8kZY2wcoSplNr+RK7UCRTKqAqH41NOTn0ZukCkw8y+97FKETZUxladd5KdbBzZHuvg7t1x91FXb2b7jJZRrxCKZQHua4fZxA9cBDgiQyP7/tSDZO1gSqBbjy3LGesCzHt8Kqfl5ZwVmCAbBMv8gpkJzxIMnfYB7BfmbDM0sQ71N17i1OUDIWyvnTRkGOSp5IUA6EVeDcmHjD9e4/80/WHK1MKGSuJUliXqcW8QRNGk0RLtcgaoLTce6ekEufmez18qeObaLI2pj9h5wcfPz0O/hce0Y7OpFBxgCQ25OeUnVnVF5Qw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7o2vGqCCpWVx1gKIKxJFNybqCEK7C8K3hkmURIK1X7E=; b=lDcxMnABWcZ5DBWazjlNXYfcshN87WZbCT2i0kw/fWISUaN/+7tfcoHGhUKLn5DhyYdXi1aBIK0sPrpAEnaQjNzxTJN/a7z+r1+zyR9Cef/zX/LIIMbzzuYQGJFKw8twVpX6wb9WNRjO963EMl2eorHOYh2rN9l7hxK5LttrW5E=
Received: from AM0PR07MB3987.eurprd07.prod.outlook.com (2603:10a6:208:46::31) by AM0PR07MB6162.eurprd07.prod.outlook.com (2603:10a6:208:f8::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.6; Thu, 23 Apr 2020 21:03:54 +0000
Received: from AM0PR07MB3987.eurprd07.prod.outlook.com ([fe80::b929:4e5c:6b46:3ccc]) by AM0PR07MB3987.eurprd07.prod.outlook.com ([fe80::b929:4e5c:6b46:3ccc%7]) with mapi id 15.20.2937.020; Thu, 23 Apr 2020 21:03:54 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
CC: "draft-ietf-sipcore-sip-token-authnz@ietf.org" <draft-ietf-sipcore-sip-token-authnz@ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "sipcore@ietf.org" <sipcore@ietf.org>, Jean Mahoney <mahoney@nostrum.com>
Thread-Topic: Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - COMMENT
Thread-Index: AQHWGbKxu2gQq0gnZkyF4LBa/O+0ag==
Date: Thu, 23 Apr 2020 21:03:53 +0000
Message-ID: <31B5AC00-A9C5-4F02-8111-2ED9EB1D10D9@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1e.0.191013
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [188.127.223.154]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d5679fd6-0e89-4034-bcbe-08d7e7c9d4c3
x-ms-traffictypediagnostic: AM0PR07MB6162:
x-microsoft-antispam-prvs: <AM0PR07MB61623BEA095B49A5B780CB4C93D30@AM0PR07MB6162.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 03827AF76E
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR07MB3987.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(366004)(396003)(346002)(376002)(136003)(39860400002)(186003)(110136005)(86362001)(5660300002)(2616005)(44832011)(6486002)(36756003)(316002)(26005)(91956017)(54906003)(478600001)(76116006)(66556008)(64756008)(66446008)(66476007)(6506007)(66946007)(6512007)(2906002)(30864003)(4326008)(33656002)(71200400001)(8676002)(81156014)(8936002); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: q0eDvapGUMHv6hcqlg2GlnVNPK6Iy9CC4r9VwKe8xoE5bAMQ+t++SR8OdZQbPKE4EVnPNHV+zB5mzikTZ/24ImqpPyL7GGOEowNdb0CBeVWBgY5WfLhPNp6+eNf6ENgSzviKqC3wcCY24evMiPO0+Dg+P33pLH21uTwrTQVObXH3HevH4NUF+viuM6Un9yTV8xQ8Rioxa8asbzz4DJn8sKuMt7XBsjGud860kMF+qb4jMkACfJc0m7poAsn+dzstxRBypSCgVMwcORnt4R6dSW0QOrNt7cNgBIo5+V6UN+zxS/ILbf+ANgOiz1JgrFtpp1c9S2EXwgmGdYZw6xVmBqQUkhiv9/dOQGtTgZDkppQwv9ciPCaO8HomaD9nwHFqiPfc2m4DVeGml/p3r1UQx22fVvJL4t31PM+d6PJFEBMHM00e6bCkjW8Hj0WYJQG8
x-ms-exchange-antispam-messagedata: o/MZegi7RhgJBvQ77hjXQ0SzRd3wGWpfe7ONqOogWpa9Y4k/Toh3mcdb2kUdaysjYcYw98CtrD03C+a5Q4ReM5lNtMlIeX04ceeiXwchnEebIHGB0t7J2Agz/iezRasnLf+vOGAfCA6m8LqGbtHhdg==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <13245F0DC1831C4BAF004E32896CBC36@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d5679fd6-0e89-4034-bcbe-08d7e7c9d4c3
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Apr 2020 21:03:53.8585 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: RblpseXrA+TTpdvLdlhTdn8qazr6+fdx5QU1EnVb3ME1lybc5MwG7m2W9rkICgyleoP4DO5aB0lLya1rbTPsfTrvVwD6aP0eFaAy2aZUOEY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB6162
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/58l2szsP3aZn8Gy_Ybgi1QhQhOU>
Subject: Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - COMMENT
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Apr 2020 21:04:00 -0000
Hi Benjamin,
Thank You for the review! In this reply I will address some of your COMMENT issues, and indicate the ones that I want Rifaat to address. Your DISCUSS will be addressed in a separate realy.
----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------
> Section 1
>
> The OpenID Connect 1.0 specification [OPENID] defines a simple
> identity layer on top of the OAuth 2.0 protocol, which enables
> clients to verify the identity of the user based on the
>
> Please make it clear that these are OAuth/OIDC clients, not SIP clients.
I'll leave this for Rifaat.
---
> Section 1.3
>
> OAuth 2.0 doesn't require the issuance of a Refresh token, but the
> discussion here implies that for the SIP case there will always be a refresh
> token. If we're profiling 6749 in this manner, we should be more explicit
> about the requirement to issue refresh tokens.
I am not sure whether the intention is to say that there will always be a refresh token. But, I'll leave this for Rifaat.
> * ID Token: this token contains the SIP URI and other user-specific
> details that will be consumed by the UAC.
>
> nit: I don't think we should use the definite article in "the SIP URI" since
> we haven't discussed any such SIP URI usage yet. That is, we should say
> what it's used for, e.g., "a SIP URI associated with the user".
I'll leave this for Rifaat.
> * Structured Token: a token that consists of a structured object
> that contains the claims associated with the token, e.g. JWT as
> defined in [RFC7519].
>
> nit: comma after "e.g.".
Will be fixed.
> * Reference Token: a token that consists of a random string that is
> used to obtain the details of the token and its associated claims,
> as defined in [RFC6749].
>
> It doesn't technically have to be random (though in practice it should
> contain signficant random elements); "opaque" might be better wording.
I'll leave this for Rifaat.
> Section 1.4.1
>
> Perhaps Figure 1 could include some indication that steps 5 and 6 are
> optional/do not always occur (in the case when the access token is a
> self-contained JWT)?
I'll leave this for Rifaat.
> In step [2], the registrar challenges the UA, by sending a SIP 401
> (Unauthorized) response to the REGISTER request. In the response,
> the registrar includes information about the AS to contact in order
> to obtain a token.
>
> The UAC needs to have a preconfigured whitelist of acceptable ASes in order
> to avoid directing the user's credentials to malicious sites.
This is related to your DISCUSS, so it will be addressed as part of that.
> The registrar validates the access token. If the access token is a
> reference token, the registrar MAY perform an introspection
> [RFC7662], as in steps [5] and [6], in order to obtain more
> information about the access token and its scope, per [RFC7662].
>
> I think we could tighten up the normative language a bit here.
> In particular, the registrar MUST validate the token in some fashion; for
> reference tokens, the main ways to do that are either inspection or
> (essentially) being the party that issued the token in the first place.
>
> Otherwise, after the registrar validates the token to make sure it
> was signed by a trusted entity, it inspects its claims and acts upon
> it.
>
> I think we can also be more specific than "a trusted entity" -- in this
> flow, it looks like the registrar should know exactly which entity should
> have signed the token in question (for the user in question), and should not
> accept a signed token from a different entity that happens to be trusted to
> issue other tokens.
The text in Section 2.2. mandates the validation:
"When a UAS/Registrar receives a SIP request that contains an
Authorization header field with an access token, the UAS/Registrar
MUST validate the access token,..."
I don't think we should put too much normative text into the example flows.
> Section 1.4.2
>
> (Similarly, Figure 2 could note that steps 3 and 4 do not always occur, and
> the text about token validation should remain parallel between examples.)
I'll leave this for Rifaat.
----
> Section 2
>
> I note that RFC 3261 explicitly disclaims any definition of authorization
> systems, which is not true for this document, given that OAuth is an
> authorization system :)
RFC 3261 only says that the RFC does not recommend or discuss any authorization system.
> Section 2.1.1
>
> Required) response with a Proxy-Authenticate header field. If the
> WWW-Authenticate or Proxy-Authenticate header field indicates
> "Bearer" scheme authentication and contains an address to an
> authorization server, the UAC contacts the authorization server in
> order to obtain tokens, and includes the requested scopes, based on a
> local configuration (Figure 1).
>
> [whitelist of allowed ASes, again]
Will be addressed when the DISCUSS is addressed.
> The detailed OAuth2 procedure to authenticate the user and obtain
> these tokens is out of scope of this document. The address of the
> authorization server might already be known to the UAC via
> configuration. In which case, the UAC can contact the authorization
> server for tokens before it sends a SIP request (Figure 2).
>
> nit: I think that "in which case" functions as a conjunction, which makes
> this an incomplete sentence.
The text was suggested by one of the reviewers, but I agree it sounds incomplete.
Perhaps "In such cases"?
> The tokens returned to the UAC depend on the type of authorization
> server (AS): an OAuth AS provides an access token and refresh token
> [RFC6749]. The UAC provides the access token to the SIP servers to
>
> Again, this implies that refresh tokens are always issued; RFC 6749 is quite
> clear that "issuing a refresh token is optional at the discretion of the
> authorization server".
I'll leave this for Rifaat.
> authorize UAC's access to the service. The UAC uses the refresh
> token only with the AS to get a new access token and refresh token
> before the expiry of the current access token (see [RFC6749], section
>
> (New refresh token is also optional.)
I'll leave this for Rifaat.
> 1.5 Refresh Token for details). An OpenID Connect server returns an
> additional ID-Token containing the SIP URI and other user-specific
> details that will be consumed by the UAC.
>
> [same comment as above about "the SIP URI".]
I'll leave this for Rifaat.
> If the UAC receives a 401/407 response with multiple WWW-
> Authenticate/Proxy-Authenticate header fields, providing challenges
> using different authentication schemes for the same realm, the UAC
> selects one or more of the provided schemes (based on local policy)
> and provides credentials for those schemes.
>
> RFC 3261 seems to be written in a world that assumed that Basic and Digest
> are the only defined HTTP authentication schemes, and since it prohibits
> Basic, that there would only be one authentication challenge (type)
> possible. This text righly acknowledges that we are opening the field up
> and could have cases where multiple authentication schemes are possible;
> however, it goes even further and admits the possibility of using them
> simultaneously. It seems like this places an onus on us to give some
> indication of the semantics when multiple schemes are used at the same time.
> Do the authenticated identities need to match? Or are we asserting that
> both/all identities are consenting to the request in question? (If we don't
> have a concrete use case in mind, perhaps the "or more" is just opening a
> box that we don't need to open right now.)
I can modify as suggested.
(Personally, I have never seen multiple schemes in a deployment.)
> Section 2.1.2
>
> access to it. Endpoints that support this specification MUST support
> encrypted JSON Web Tokens (JWT) [RFC7519] for encoding and protecting
> access tokens when they are included in SIP requests, unless some
> other mechanism is used to guarantee that only authorized SIP
> endpoints have access to the access token.
>
> I think we may want "MUST support" (always) and "MUST use, unless some other
> mechanism".
Based on another review, I suggested to change to "MUST use". I am not sure whether we need to keep "MUST support".
> I'd also suggest a quick note that TLS remains fine for protecting the
> UAC/AS interaction where the refresh token is used.
I can do that.
I could also say "*SIP* endpoints that support this specification...".
> Whatever is done, please harmonize with Section 5 that has essentially the
> same text.
Will do.
> Section 2.1.3
>
> Based on local policy, the UAC MAY include an access token that has
> been used for another binding associated with the same Address Of
> Record (AOR) in the request.
>
> Just to check: there's no real privacy considerations with such use, as its
> the same parties interacting and there are other identifiers (e.g., IP
> addresses) to confirm that it's the same client communicating to the server?
I'll leave this for Rifaat.
> Also, is it clear what will be done (new token request) when the MAY is not
> heeded?
I'll leave this for Rifaat.
> Section 2.1.4
>
> The text here just talks about "a valid access token" and similar, without
> saying a whole lot about it being related in any way to the specifics of the
> authentication challenge. Is there something useful to say about, e.g., the
> token in question having been issued by the authorization server indicated
> in the challenge?
I'll leave this for Rifaat.
> Section 2.2
>
> authorization credentials acceptable to it, it SHOULD challenge the
> request by sending a 401 (Unauthorized) response. To indicate that
> it is willing to accept an access token as a credential, the UAS/
> Registrar MUST include a Proxy-Authentication header field in the
> response that indicates "Bearer" scheme and includes an address of an
>
> nit(?): I'd consider just making this a declarative statement, a la "the
> UAS/registrar includes a Proxy-Authentication header field with the "Bearer"
> scheme to indicate that it is willing to accept an access token as a
> credential" (but that wording is incomplete and would need to be fleshed
> out a bit more).
I think that would be weird. Because, first we say that the UAS/Registrar SHOULD challenge, and with your suggestion the text would say that the UAS/Registrar MUST include a Proxy-Authentication header field even if it does NOT challenge the request.
Perhaps:
"If the UAS/Registrar chooses to challenge the request, and is willing to accept an access token as a credential, the UAS/Registrar MUST include a..."
> authorization server from which the originator can obtain an access
> token.
>
> nit: "address of" an AS, does that mean bare IP address only or is a DNS
> name okay?
I'll leave this for Rifaat.
> [RFC7519]. If the token provided is an expired access token, then
> the UAS MUST reply with 401 Unauthorized, as defined in section 3 of
> [RFC6750]. If the validation is successful, the UAS/Registrar can
> continue to process the request using normal SIP procedures. If the
> validation fails, the UAS/Registrar MUST reject the request.
>
> Is "expired" the only case that should get a 401 vs. outright rejection, as
> stated here?
401 is sent also in the case where the validation fails. I will clarify that.
> Section 2.3
>
> sending a 407 (Proxy Authentication Required) response. To indicate
> that it is willing to accept an access token as a credential, the
> proxy MUST include a Proxy-Authentication header field in the
> response that indicates "Bearer" scheme and includes an address to an
>
> [same comment as above about normative vs. declarative statement]
> Also, please keep the text parallel between sections -- this copy has at
> least one nit ("address to an" vs. "address of an").
I will fix this in the same way.
> Section 3
>
> If an access token is encoded as a JWT, it might contain a list of
> claims [RFC7519], some registered and some application-specific. The
>
> I don't think there's a question of whether a JWT will contain a list of
> claims :)
Fair enough :)
> Maybe "If the access token is encoded as a JWT, it will contain a list of
> claims [RFC7519], which may include both registered and application-specific
> claims"?
Looks good to me, but I'll leave this for Rifaat.
----
> Section 4
>
> This section claims to cover WWW-Authenticate. What specification will the
> SIP use of Bearer for Authorization operate under?
RFC 6750.
Section 2.1.3 says:
"The UAC sends a REGISTER request with an Authorization header field
containing the response to the challenge, including the Bearer scheme
carrying a valid access token in the request, as specified in
[RFC6750]."
> challenge =/ ("Bearer" LWS bearer-cln *(COMMA bearer-cln))
>
> side note: is there a mnemonic for the "cln" in "bearer-cln"?
RFC 3261 uses "cln" for digest.
> bearer-cln = realm / scope / authz-server / error /
> auth-param
>
> nit: realm is already included in auth-param, though I don't see a harm in
> calling it out explicitly.
auth-param is used to allow possible new parameters in the future.
> realm = <defined in RFC3261>
> auth-param = <defined in RFC3261>
>
> RFC 3261 defers to RFC 2617 (now obsoleted by 7235) for both of these; we
> could perhaps short-circuit the chain and say "defined in RFC 7235".
We discussed this in the WG, and the outcome was to keep the same references as RFC 3261, since that is what people are implementing.
Then, as a separate task, someone could update RFC 3261 with the new references.
---
> Section 5
>
> We should probably note that SIP makes much heavier use of proxies than is
> common in the web world of OAuth.
Maybe something like:
"However, SIP makes have use of intermediary SIP proxies, and TLS only guarantees hop-to-hop protection when used to
protect SIP signaling."
> I'm happy to see that some privacy considerations are being added in
> response to Barry's review.
Good :)
---
> Section 8
>
> I think RFCs 8252 and 8414 could be just informative.
I can fix that.
---
Regards,
Christer
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Christer Holmberg
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Benjamin Kaduk
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Christer Holmberg
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Rifaat Shekh-Yusef
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Benjamin Kaduk
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Benjamin Kaduk
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Christer Holmberg
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Rifaat Shekh-Yusef