Re: [sipcore] Magnus Westerlund's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - the pull request
Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 28 April 2020 08:56 UTC
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>, "iesg@ietf.org" <iesg@ietf.org>, "pkyzivat@alum.mit.edu" <pkyzivat@alum.mit.edu>
CC: "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "draft-ietf-sipcore-sip-token-authnz@ietf.org" <draft-ietf-sipcore-sip-token-authnz@ietf.org>, "mahoney@nostrum.com" <mahoney@nostrum.com>, "sipcore@ietf.org" <sipcore@ietf.org>
Date: Tue, 28 Apr 2020 08:56:21 +0000
Message-ID: <895b6f134965ed502a24591ae86a5943bb683781.camel@ericsson.com>
References: <6BA45301-2E1D-4050-9C13-6B8BA7094B79@ericsson.com> <c674c66606c0c5c080ae749bb1e2c19324009894.camel@ericsson.com> <07CBCA10-4499-4FD1-A75C-97440906432F@ericsson.com>
In-Reply-To: <07CBCA10-4499-4FD1-A75C-97440906432F@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/7sorOWl7MRG6CfcFcoYOOpOvZ2A>
Subject: Re: [sipcore] Magnus Westerlund's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - the pull request
List-Id: SIP Core Working Group <sipcore.ietf.org>
Hi,

I think this addresses all my issues. I will clear with the assumption that a new version will be submitted before the AD approves the publication.

Cheers

Magnus

On Tue, 2020-04-28 at 08:51 +0000, Christer Holmberg wrote:
> Hi Magnus,
>
> > I think keeping _ in authz is okay to do, and allowed by the syntax. So if the
> > WG want to correct this to have it align with the norm or leave it as it is is
> > up to the WG.
> >
> > However, the changes did make me wonder about one thing: the inclusion of scope
> > and error. The ABNF constructs defined in RFC 6749 are only including the value
> > part. So to my understanding they really should have a parameter-name = value
> > construct defined. Like this.
> >
> >   scope-param = "scope" EQUAL DQUOTE scope DQUOTE
> >   scope = <defined in RFC6749>
> >   error-param = "error" EQUAL DQUOTE error DQUOTE
> >   error = <defined in RFC6749>
>
> You are right. Good catch! :)
>
> > The IANA section looks good.
>
> Good :)
>
> Fixed in this commit:
> https://github.com/rifaat-ietf/draft-ietf-sipcore-sip-token-authnz/pull/7/commits/fb8a94084c5ef3490f3e6c2ba2f00550d79fbb2b
>
> Regards,
>
> Christer
>
> > On Mon, 2020-04-27 at 19:50 +0000, Christer Holmberg wrote:
> > > Hi,
> > >
> > > The following pull request commits contain the syntax and IANA changes based
> > > on Magnus's DISCUSS:
> > >
> > > https://github.com/rifaat-ietf/draft-ietf-sipcore-sip-token-authnz/pull/7/commits/168086b4f1220620d063af07a3292b667e30ef37
> > > (Syntax)
> > >
> > > https://github.com/rifaat-ietf/draft-ietf-sipcore-sip-token-authnz/pull/7/commits/22f810025d1bf8df45875e92e4d4c11d0f574693
> > > (IANA Considerations)
> > >
> > > Please note the parameter name "authz_server". Following the naming style of
> > > other header field parameters it should perhaps be "authz-server". However,
> > > for backward compatibility I would prefer to not change it at this point.
> > >
> > > Paul, I would appreciate if you could also take a look at these. Thanks!
> > >
> > > Regards,
> > >
> > > Christer
> > >
> > > On 23/04/2020, 22.51, "Christer Holmberg" <christer.holmberg@ericsson.com> wrote:
> > >
> > > > Hi Magnus,
> > > >
> > > > Thank you for the review! Please see inline.
> > > >
> > > > ----------------------------------------------------------------------
> > > > DISCUSS:
> > > > ----------------------------------------------------------------------
> > > >
> > > > > I think the resolutions for these are rather straightforward; however, the
> > > > > implications of one are going to break deployed implementations.
> > > > >
> > > > > 1. Section 4:
> > > > >
> > > > > This is rather straightforward to resolve, but you do have a SIP syntax
> > > > > violation in these rules.
> > > > >
> > > > >   challenge =/ ("Bearer" LWS bearer-cln *(COMMA bearer-cln))
> > > > >   bearer-cln = realm / scope / authz-server / error / auth-param
> > > > >   authz-server = "authz_server" EQUAL authz-server-value
> > > > >   authz-server-value = https-URI
> > > > >   realm = <defined in RFC3261>
> > > > >   auth-param = <defined in RFC3261>
> > > > >   scope = <defined in RFC6749>
> > > > >   error = <defined in RFC6749>
> > > > >   https-URI = <defined in RFC7230>
> > > > >
> > > > > So RFC 3261 defines the challenge construct as:
> > > > >
> > > > >   challenge = ("Digest" LWS digest-cln *(COMMA digest-cln)) / other-challenge
> > > > >
> > > > > Where this extension needs to match the syntax of the other-challenge:
> > > > >
> > > > >   other-challenge = auth-scheme LWS auth-param *(COMMA auth-param)
> > > > >
> > > > > Where we need to look at:
> > > > >
> > > > >   auth-param = auth-param-name EQUAL ( token / quoted-string )
> > > > >
> > > > > Please note what is included in the "token" rule.
> > > > >
> > > > >   token = 1*(alphanum / "-" / "." / "!" / "%" / "*"
> > > > >           / "_" / "+" / "`" / "'" / "~" )
> > > > >
> > > > > The allowed syntax for https-URI in RFC 7230 is:
> > > > >
> > > > >   https-URI = "https:" "//" authority path-abempty [ "?" query ] [ "#" fragment ]
> > > > >
> > > > > which includes "/", "?" and "#", which are not allowed in token. Thus, the
> > > > > URI included in the authz-server-value MUST be converted into a quoted-string
> > > > > to match the syntax rule.
> > > >
> > > > You are correct. We currently reference https-URI in RFC 7230, but the
> > > > definition in 7230 does not place quotes around it.
> > > >
> > > > The same applies to scope and error.
> > > >
> > > > So, we need to fix:
> > > >
> > > > OLD:
> > > >
> > > >   authz-server = "authz_server" EQUAL authz-server-value
> > > >
> > > >   scope = <defined in RFC6749>
> > > >   error = <defined in RFC6749>
> > > >
> > > > NEW:
> > > >
> > > >   authz-server = "authz_server" EQUAL DQUOTE authz-server-value DQUOTE
> > > >
> > > >   scope-cln = DQUOTE scope DQUOTE
> > > >   scope = <defined in RFC6749>
> > > >   error-cln = DQUOTE error DQUOTE
> > > >   error = <defined in RFC6749>
> > > >
> > > > (I noted that Benjamin has some comments regarding the referenced RFCs for
> > > > the parameter values, but I will address that in the reply to his review.)
> > > >
> > > > -----
> > > >
> > > > > 2. In addition, should not the "authz_server" be registered in the
> > > > > https://www.iana.org/assignments/sip-parameters/sip-parameters.xhtml#sip-parameters-12
> > > > > registry?
> > > >
> > > > I guess so. And then I guess we also need to register "scope" and "error".
> > > >
> > > > ----------------------------------------------------------------------
> > > > COMMENT:
> > > > ----------------------------------------------------------------------
> > > >
> > > > > An additional thing.
> > > > >
> > > > > Is SIP directly using the HTTP Authentication Schemes IANA registry
> > > > > (https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml#authschemes)
> > > > > or does it have its own tucked away somewhere? And if it is the former, should
> > > > > its references for the "bearer" add this RFC as a reference?
> > > >
> > > > SIP uses the HTTP registry.
> > > >
> > > > (The SIP registry does register a "digest" value, but that is for the
> > > > Security-XXX headers defined in RFC 3329.)
> > > >
> > > > Regards,
> > > >
> > > > Christer

-- 
Cheers

Magnus Westerlund

----------------------------------------------------------------------
Networks, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
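As an added example, not code from the draft, the pull request or any message in this thread, the Python script below applies the RFC 3261 token and quoted-string rules that the DISCUSS quotes above to a SIP Bearer challenge. The challenge strings, the as.example.com authorization-server URL and the helper names are all constructed for illustration. It shows concretely why an unquoted authz_server value fails the other-challenge syntax at the first ':' (a character outside the token rule), and why the DQUOTE-wrapped form from the fixed ABNF, including a scope value with a space in it, parses cleanly.

```python
"""Check Bearer challenge parameter values against RFC 3261's auth-param syntax.

Added example, not code from the draft or the thread. The sample challenges and
the authorization-server URL below are constructed for illustration.
"""
import re
from typing import Dict, Optional

# RFC 3261: token = 1*(alphanum / "-" / "." / "!" / "%" / "*" / "_" / "+" / "`" / "'" / "~")
TOKEN_CHARS = r"A-Za-z0-9\-.!%*_+`'~"
TOKEN_RE = re.compile(rf"[{TOKEN_CHARS}]+")

# RFC 3261: quoted-string = SWS DQUOTE *(qdtext / quoted-pair) DQUOTE
#   qdtext      = LWS / %x21 / %x23-5B / %x5D-7E / UTF8-NONASCII
#   quoted-pair = "\" (%x00-09 / %x0B-0C / %x0E-7F)
QUOTED_STRING_RE = re.compile(
    r'"(?:[ \t\x21\x23-\x5b\x5d-\x7e]|[^\x00-\x7f]|\\[\x00-\x09\x0b\x0c\x0e-\x7f])*"'
)

# auth-param = auth-param-name EQUAL ( token / quoted-string ); EQUAL allows
# whitespace on either side of "=", hence the \s* around it.
PARAM_RE = re.compile(
    rf"(?P<name>[{TOKEN_CHARS}]+)\s*=\s*(?P<value>{QUOTED_STRING_RE.pattern}|{TOKEN_RE.pattern})"
)


def value_kind(value: str) -> Optional[str]:
    """Classify one auth-param value as "token", "quoted-string", or None (neither)."""
    if TOKEN_RE.fullmatch(value):
        return "token"
    if QUOTED_STRING_RE.fullmatch(value):
        return "quoted-string"
    return None


def needs_quoting(raw: str) -> bool:
    """True if a raw value (e.g. an https-URI) cannot be carried as a bare token."""
    return TOKEN_RE.fullmatch(raw) is None


def quote(raw: str) -> str:
    """Wrap a raw value as a quoted-string, escaping backslash and DQUOTE as quoted-pairs."""
    return '"' + raw.replace("\\", "\\\\").replace('"', '\\"') + '"'


def unquote(value: str) -> str:
    """Strip the surrounding DQUOTEs and resolve quoted-pairs."""
    return re.sub(r"\\(.)", r"\1", value[1:-1], flags=re.DOTALL)


def parse_bearer_challenge(challenge: str) -> Dict[str, str]:
    """Parse 'Bearer auth-param *(COMMA auth-param)' into {name: raw value}.

    Raises ValueError at the first position that violates RFC 3261's
    other-challenge syntax, e.g. an unquoted https-URI whose ':' is not a token char.
    """
    scheme, sep, rest = challenge.partition(" ")
    if scheme.lower() != "bearer" or not sep:
        raise ValueError("not a Bearer challenge")
    params: Dict[str, str] = {}
    pos, end = 0, len(rest)
    while True:
        while pos < end and rest[pos] in " \t":  # whitespace before a param
            pos += 1
        m = PARAM_RE.match(rest, pos)
        if not m:
            raise ValueError(f"invalid auth-param at offset {pos}: {rest[pos:pos + 24]!r}")
        value = m.group("value")
        params[m.group("name").lower()] = unquote(value) if value.startswith('"') else value
        pos = m.end()
        while pos < end and rest[pos] in " \t":  # whitespace after a param
            pos += 1
        if pos == end:
            return params
        if rest[pos] != ",":
            raise ValueError(f"expected COMMA at offset {pos}, found {rest[pos]!r}")
        pos += 1  # consume COMMA and continue with the next auth-param


def rejects(challenge: str) -> bool:
    """True if the challenge violates the syntax (used to show the unquoted form failing)."""
    try:
        parse_bearer_challenge(challenge)
    except ValueError:
        return True
    return False


# Constructed samples: the unquoted form flagged in the DISCUSS, and the quoted form
# produced by the corrected ABNF (authz_server, scope and error all as quoted-string).
BAD_CHALLENGE = 'Bearer realm="example.com", authz_server=https://as.example.com/authz'
GOOD_CHALLENGE = ('Bearer realm="example.com", authz_server="https://as.example.com/authz", '
                  'scope="openid sip", error="invalid_token"')

if __name__ == "__main__":
    print("authz-server URI needs quoting:", needs_quoting("https://as.example.com/authz"))
    try:
        parse_bearer_challenge(BAD_CHALLENGE)
    except ValueError as exc:
        print("rejected:", exc)
    print("parsed:", parse_bearer_challenge(GOOD_CHALLENGE))
```

Running it prints the rejection for the unquoted form ("expected COMMA ... found ':'") and the parsed dictionary for the quoted one. The check is not specific to authz_server: any SIP auth-param whose raw value contains ':', '/', '?', '#' or a space (an RFC 6749 scope list is space-separated) has to be carried as a quoted-string, while a value such as invalid_token happens to fit the token rule and would have parsed either way.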