Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Wed, 10 July 2019 12:25 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, "Olle E. Johansson" <oej@edvina.net>
CC: "sipcore@ietf.org" <sipcore@ietf.org>, Roman Shpount <roman@telurix.com>
Date: Wed, 10 Jul 2019 12:24:55 +0000
Message-ID: <74F1125E-88B7-46C0-A4FD-F7E38FDD4FEE@ericsson.com>
In-Reply-To: <CAGL6ep+-yH34VaULBx5sNot3qp=zek2sqXNVYEB94b=xrzQ79g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/5_JXkqpgw3MFjT0Ci8ydPX4jjXY>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Hi,

>I am fine with referring to the OAuth definition.
>Does anybody have an issue with this?

I support your suggestion.

Regards,

Christer



On Wed, Jul 10, 2019 at 8:02 AM Olle E. Johansson <oej@edvina.net> wrote:

On 10 Jul 2019, at 13:51, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> wrote:

On Wed, Jul 10, 2019 at 3:08 AM Olle E. Johansson <oej@edvina.net> wrote:

On 9 Jul 2019, at 23:16, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> wrote:

This document is specifically focused on confidential UAs.
UAs running in the browser, public UAs, will be addressed in a separate document.

Maybe you should make that more clear, as it is very confusing terminology… I see that section 1..2 in your draft defines these
types, based on RFC 6749. You apply it to the term “UA” which I think confuses things. A “public UA” may have support
for confidentiality, but not from an OAuth point of view. I think we should look for other terms for this.


Any suggested text?

I carefully avoided any suggestions… Was hoping someone on the mailing list would step forward with
some brilliant new terminology. :-)

Maybe just reverting to OAuth terminology with “public clients and confidential clients” to avoid setting our own terms
and directly refer terminology to OAuth specs. I still don’t like “confidential client” when they really mean “something
that at least doesn’t show what they do in source code but may still be totally insecure”...

Yeah, I know that’s a boring suggestion.

/O :-)



In addition, I don’t find any text in your draft indicating that “Public UAs” is out of scope.


I will fix that.

Thanks,
 Rifaat


/O


Regards,
 Rifaat


On Tue, Jul 9, 2019 at 3:29 PM Roman Shpount <roman@telurix.com> wrote:
On Tue, Jul 9, 2019 at 3:11 PM Christer Holmberg <christer.holmberg@ericsson.com> wrote:
>> As far as I know, OAuth for SIP has only been used for REGISTER requests, between the UA and the registrar.
>> I have never heard about anyone using it for non-REGISTER authentication, and I wonder whether we even need
>> to cover it in the draft. We could limit the scope to REGISTER requests. Then, if anyone ever needs OAuth for non-REGISTER requests, a separate draft can be written.
>
> Really? Normally, for a secure solution, every SIP request, including requests sent by the UA in a dialog established from the
> server to the registered end point, must be authenticated. OAuth for REGISTER requests only is kind of useless since it
> does not allow the UA to send any messages to the server without some additional authentication mechanism.

Not sure what you mean by "secure solution", but UAs can still use SIP Digest authentication.

What I am saying is that the only use-case for SIP OAuth I am aware of is for REGISTER.

How do they get these SIP Digest credentials?

I am looking at a very simple SIP-Over-Websockets client scenario:

The user logs into the web site, which uses OAuth. The UA, running in the browser, gets a token which is used to register the UA with a SIP proxy.

What credentials is the UA using to place a call (send an INVITE to the proxy)?
If a call comes in from the proxy to the UA, what credentials is the UA using to hang up the call (send a BYE message)?

Best Regards,
_____________
Roman Shpount

_______________________________________________
sipcore mailing list
sipcore@ietf.org
https://www.ietf.org/mailman/listinfo/sipcore
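The scenario Roman describes in the quoted thread (a browser UA that registers with an OAuth token and then sends INVITE and BYE) as an added example; this is not code from the thread or from the draft. It pairs a minimal SIP request parser with a proxy-side policy check, so you can see which requests get through when the Bearer scheme is accepted on REGISTER only (the scope Christer proposed) versus on every request (Roman's requirement). The request strings, the token value and the `bearer_methods` policy are constructed assumptions.

```python
# Added example: which SIP requests survive a proxy's credential policy.
# All sample traffic below is constructed; the token is a placeholder, not a real JWT.
TOKEN = "Bearer eyJhbGciOi.placeholder.token"
SAMPLE_REQUESTS = [
    # REGISTER carries the OAuth token obtained from the web login.
    "REGISTER sip:example.com SIP/2.0\r\nFrom: <sip:alice@example.com>\r\n"
    f"Authorization: {TOKEN}\r\nContent-Length: 0\r\n\r\n",
    # INVITE towards the proxy, reusing the same token after a 407 challenge.
    "INVITE sip:bob@example.com SIP/2.0\r\nFrom: <sip:alice@example.com>\r\n"
    f"Proxy-Authorization: {TOKEN}\r\nContent-Length: 0\r\n\r\n",
    # BYE for an incoming call, sent with no credentials at all.
    "BYE sip:proxy@example.com SIP/2.0\r\nFrom: <sip:alice@example.com>\r\n"
    "Content-Length: 0\r\n\r\n",
]


def parse_request(raw):
    """Split a SIP request into its method and a dict of lowercased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    start_line, *lines = head.split("\r\n")
    method = start_line.split(" ", 1)[0]
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


def credential_scheme(headers):
    """Return the auth scheme ('Bearer', 'Digest', ...) from either credential header, or None."""
    for name in ("authorization", "proxy-authorization"):
        if name in headers:
            return headers[name].split(" ", 1)[0].capitalize()
    return None


def accept(method, scheme, bearer_methods):
    """Hypothetical proxy policy: Digest is accepted on any request, Bearer only on bearer_methods."""
    if scheme == "Digest":
        return True
    if scheme == "Bearer":
        return method in bearer_methods
    return False  # no credentials: the proxy must challenge this request


def audit(raw_requests, bearer_methods):
    """Map every request to (method, scheme, accepted) under the given policy."""
    result = []
    for raw in raw_requests:
        method, headers = parse_request(raw)
        scheme = credential_scheme(headers)
        result.append((method, scheme, accept(method, scheme, bearer_methods)))
    return result


if __name__ == "__main__":
    print("REGISTER-only token scope:", audit(SAMPLE_REQUESTS, {"REGISTER"}))
    print("Token on every request:   ", audit(SAMPLE_REQUESTS, {"REGISTER", "INVITE", "BYE"}))
```

Under the REGISTER-only policy the INVITE is refused even though it carries a valid-looking token, and the BYE is refused under both policies because it carries nothing, which is exactly the "additional authentication mechanism" gap Roman points at.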