Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT)

Christer Holmberg <christer.holmberg@ericsson.com> Sat, 25 April 2020 20:56 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, "Olle E. Johansson" <oej@edvina.net>
CC: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>, "draft-ietf-sipcore-sip-token-authnz@ietf.org" <draft-ietf-sipcore-sip-token-authnz@ietf.org>, "sipcore@ietf.org" <sipcore@ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>
Date: Sat, 25 Apr 2020 20:56:16 +0000
Message-ID: <06B3574C-B01B-45E2-A0D8-17D26ADDF462@ericsson.com>
References: <158766991009.32224.6031347936963900326@ietfa.amsl.com> <60a98de4-a8cd-5910-17f9-6849d71f4d8e@alum.mit.edu> <B61DF7BD-C304-47AA-AB10-2095CC621E5A@edvina.net> <79245079-4BE2-4CA1-9B8F-E7E71AD38458@ericsson.com> <20200424201316.GX27494@kduck.mit.edu> <34A7E724-6E92-4C66-95B5-22F3A22F8CE3@ericsson.com> <F656768B-546F-4FA9-861C-671A2C8286EA@edvina.net> <f118fa74-1387-659f-9875-b35ce46caca1@alum.mit.edu>
In-Reply-To: <f118fa74-1387-659f-9875-b35ce46caca1@alum.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/6lKCKeAC66e6jo8q9WL0zvfuOYQ>

>>>    NOTE: At the time of writing this specification, detailed procedures for the cases where a UAC receives multiple
>>>    different authentication schemes had not been defined. A future specification might define such procedures.
>>>
>> Until we have a point where we know we can securely handle multiple authentication schemes from the same UAS,
>> I think we should recommend one policy per realm and/or domain.
>>
>> That will mean that until we have the BCP we determine method per device - new devices get the challenge
>> that they support and we limit the possibilities of downgrade attacks.
>
> I don't understand what you are suggesting here.
>
> Is it that the UAS should only challenge with one scheme? That could be
> problematic, since it means either only use Digest, or else use Bearer
> and fail to work with any device that doesn't support it. (Can you say
> "flag day"?)
>
> Or do you mean that the UAC should only respond with credentials for one
> of the schemes it receives challenges for?

The UAC only responding with credentials for one scheme is the suggestion based on Benjamin's review.

Regards,

Christer
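The policy discussed in this message (a UAC that receives both a Digest and a Bearer challenge answers exactly one of them, and a device that only supports Bearer never falls back to password-derived credentials when the Bearer challenge is missing) can be shown as a small scheme-selection routine. The code below is an added editorial example; it is not part of this thread, the draft, or any of the participants' implementations. Assumptions: one challenge per WWW-Authenticate header, the Bearer challenge parameter names (realm, authz_server, scope) are taken as illustrative rather than quoted from the draft, the preference order Bearer over Digest is a local policy choice, and the SIP 401 messages, username, password and token are constructed placeholders.

```python
"""Added example: a SIP UAC that answers exactly one WWW-Authenticate challenge.

Not from the draft or the mailing-list thread. Assumes one challenge per
WWW-Authenticate header, illustrative Bearer parameter names, and a local
preference order of Bearer over Digest. All messages and secrets below are
constructed for the example.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Constructed 401 offering two schemes for the same realm (the case the draft's NOTE leaves open).
SAMPLE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/TLS client.example.com;branch=z9hG4bK776asdhds\r\n"
    'WWW-Authenticate: Digest realm="example.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'algorithm=MD5, qop="auth"\r\n'
    'WWW-Authenticate: Bearer realm="example.com", authz_server="https://as.example.com/", scope="sip"\r\n'
    "Content-Length: 0\r\n\r\n"
)

# Constructed 401 as an on-path attacker might rewrite it: the Bearer challenge stripped out.
STRIPPED_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    'WWW-Authenticate: Digest realm="example.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'algorithm=MD5, qop="auth"\r\n'
    "Content-Length: 0\r\n\r\n"
)

# Local UAC policy: most preferred scheme first. Token-based before password-derived.
PREFERENCE = ("Bearer", "Digest")

_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_challenges(message: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (scheme, params) for each WWW-Authenticate header of a SIP response."""
    head = message.split("\r\n\r\n", 1)[0]
    challenges = []
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        scheme, _, rest = value.strip().partition(" ")
        params = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in _PARAM_RE.finditer(rest)}
        challenges.append((scheme, params))
    return challenges


def select_scheme(challenges, supported) -> Optional[Tuple[str, Dict[str, str]]]:
    """Pick exactly one challenge: the most preferred scheme this UAC supports.
    Returns None when nothing matches, so the caller sends no credentials at all."""
    offered = {scheme.lower(): params for scheme, params in challenges}
    allowed = {s.lower() for s in supported}
    for scheme in PREFERENCE:
        if scheme.lower() in offered and scheme.lower() in allowed:
            return scheme, offered[scheme.lower()]
    return None


def digest_response(params, username, password, method, uri, cnonce="0a4f113b", nc="00000001") -> str:
    """RFC 3261 MD5 Digest credentials (qop=auth when offered). Everything here derives
    from the password, which is what a downgrade to Digest is trying to extract."""
    def h(s: str) -> str:
        return hashlib.md5(s.encode()).hexdigest()
    ha1 = h(f"{username}:{params['realm']}:{password}")
    ha2 = h(f"{method}:{uri}")
    common = f'Digest username="{username}", realm="{params["realm"]}", nonce="{params["nonce"]}", uri="{uri}"'
    if params.get("qop"):
        qop = params["qop"].split(",")[0].strip()
        resp = h(f"{ha1}:{params['nonce']}:{nc}:{cnonce}:{qop}:{ha2}")
        return f'{common}, response="{resp}", algorithm=MD5, qop={qop}, nc={nc}, cnonce="{cnonce}"'
    resp = h(f"{ha1}:{params['nonce']}:{ha2}")
    return f'{common}, response="{resp}", algorithm=MD5'


def build_authorization(message, supported, *, token=None, username=None, password=None,
                        method="REGISTER", uri="sip:example.com") -> List[str]:
    """Produce the Authorization header(s) for the retried request: at most one."""
    choice = select_scheme(parse_challenges(message), supported)
    if choice is None:
        return []  # no mutually supported scheme: send nothing rather than fall back
    scheme, params = choice
    if scheme == "Bearer":
        if token is None:
            raise ValueError(f"Bearer selected for realm {params.get('realm')} but no token available")
        return [f"Authorization: Bearer {token}"]
    return [f"Authorization: {digest_response(params, username, password, method, uri)}"]


if __name__ == "__main__":
    print(build_authorization(SAMPLE_401, {"Bearer", "Digest"}, token="eyJ.placeholder.token",
                              username="alice", password="s3cret"))
    print(build_authorization(STRIPPED_401, {"Bearer"}, token="eyJ.placeholder.token"))
```

The two calls at the bottom show the two halves of the argument: a UAC that supports both schemes emits one Authorization header, carrying the token and no Digest material, even though two challenges arrived; a device provisioned for Bearer only emits nothing when the Bearer challenge is absent, so stripping a challenge on the path does not make it cough up a password-derived Digest response.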