IETF Logo Mail Archive

Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 11 July 2019 12:07 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BBC3120108 for <sipcore@ietfa.amsl.com>; Thu, 11 Jul 2019 05:07:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zkj_oK5iTAZH for <sipcore@ietfa.amsl.com>; Thu, 11 Jul 2019 05:07:22 -0700 (PDT)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00053.outbound.protection.outlook.com [40.107.0.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E161A1200F5 for <sipcore@ietf.org>; Thu, 11 Jul 2019 05:07:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vXorJp2jVCTU+hQwYoWFUdyS0uPxPg7yH+TcmFwecCw=; b=biQrn7he9lxEF2GZdur5Wh/SxBIADQ+tD05roJlTabP9Q2GmN9jkrjSxiLyd7gNsVjeArGq7oA/pkIDhtG9nmqviQPiFK5RbMXXf8PyKJDDBuEeYMph4AvKeV9mBcB1gJWci6P1qbguZ7PG1mFn3qeUlbHo9tlyjed0Othwgvuw=
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com (10.170.245.23) by HE1PR07MB3177.eurprd07.prod.outlook.com (10.170.245.27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2052.12; Thu, 11 Jul 2019 12:07:19 +0000
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43]) by HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43%5]) with mapi id 15.20.2073.008; Thu, 11 Jul 2019 12:07:18 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "Olle E. Johansson" <oej@edvina.net>
CC: "sipcore@ietf.org" <sipcore@ietf.org>
Thread-Topic: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
Thread-Index: AQHVNLWxruT/m/C2REGBvr04oIfCDqa/Al8AgAHwRACAACa0QIAAOvWAgACKbgCAAH00gIAARqSA///Z+ACAADMUgP//1TCAgABAXACAATj+gIABDXaAgAA3igD//9RDgAALc6uA///Q/4CAADuIAP//1FUAgAA3WQA=
Date: Thu, 11 Jul 2019 12:07:18 +0000
Message-ID: <1C6CBDE3-EAD4-4470-A528-8EDA7F2487D2@ericsson.com>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu> <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com> <5bb63c0c-130d-7f69-10b0-1ed1b274cc58@alum.mit.edu> <87AD4BB8-CE77-4FD7-BB72-6643DF513058@ericsson.com> <168b1354-b35b-edee-e5f9-d4ddbecfae40@alum.mit.edu> <607A513F-8616-4777-8B5E-59390E845709@ericsson.com> <b6ca4c79-5a17-10da-3882-20bc8b0e9b98@alum.mit.edu> <5ABB2F7B-8928-4581-8AAD-C8EFDBE95F7E@edvina.net> <99649808-9894-42B4-ADD1-52D0F70A3FB3@ericsson.com> <BCFE43BD-86FF-457E-9006-1DA7C8F3F6BE@edvina.net> <C3BFE2FE-0797-4E54-BAD4-B24E32CB183F@ericsson.com> <BD0B9B14-1E35-42C4-BF51-430C7E052145@edvina.net> <C5597D63-1B58-44D0-A2CE-4170CC1BE23E@ericsson.com> <7CE54346-6558-4605-A5DB-84C539400A19@edvina.net>
In-Reply-To: <7CE54346-6558-4605-A5DB-84C539400A19@edvina.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1a.0.190609
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [89.166.49.243]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ad8390d4-7355-47a7-a4dd-08d705f85276
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:HE1PR07MB3177;
x-ms-traffictypediagnostic: HE1PR07MB3177:
x-microsoft-antispam-prvs: <HE1PR07MB3177BF41AA8654D060054A3293F30@HE1PR07MB3177.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0095BCF226
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(136003)(39860400002)(396003)(376002)(346002)(189003)(199004)(6486002)(58126008)(66446008)(53936002)(14444005)(6246003)(66946007)(66556008)(71200400001)(66476007)(6512007)(8936002)(71190400001)(6436002)(316002)(25786009)(256004)(64756008)(81156014)(76116006)(446003)(2616005)(81166006)(11346002)(6916009)(6116002)(26005)(7736002)(3846002)(5660300002)(305945005)(2906002)(86362001)(68736007)(476003)(8676002)(66066001)(102836004)(229853002)(44832011)(4326008)(486006)(76176011)(33656002)(36756003)(6506007)(99286004)(14454004)(478600001)(186003); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3177; H:HE1PR07MB3161.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: NCPkSHGYL5Azj3UlFXb/CPA0xZA0NiI3OSZKe4MnrBdvSMAqpXM4AjzYX0tw+Bcvn9IN3oI9oRugSVY0NDRe5mGGEsE2++ywEZMwG9Bi1TCzx7FkI+Tsf0mIpNrG244ddSWTfPAgLKg5HUAInluCvAXW4LZM7HzPqaKpTrUm7GBSuQ1ISTxC2jCrxpaGAueIG6wl4jvictY6xri0q1Xg6vmkbLJG5vlzT+dtnM1uD1s91qwCE4qwmi5M0hZau51QaSGNDytJuXN43kSgksleOm/K0cxthn5bsO3j2sFn21Dr8Zrq7B8mZ4hLXEyg2JjASc2H8ec9mxFIEZqcazG0vsmiiRrGcQUPLRi8KLv2cu9Ami1V76fPvy69e+WNnL6wtUKe9mgENpoux8Bs47GHdSW0Q6VH7hqMiMQQbdKkyno=
Content-Type: text/plain; charset="utf-8"
Content-ID: <FE3F4F554804EF409A638AA8049695C3@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ad8390d4-7355-47a7-a4dd-08d705f85276
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jul 2019 12:07:18.7961 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: christer.holmberg@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3177
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/8eZzk3zoHVsL3TaP_OkQZVoC39Y>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2019 12:07:25 -0000

Hi,

    >>>>>>> The tokens generally, but if I understand it right not always, are JWT structures that contain various data. In 
    >>>>>>> OpenID connect both the access and identity token are JWTs.
    >>>>>>> We can either specify specific claims that  are standardised for various SIP functions or let that be open for 
    >>>>>>> the SIP implementors to specify or a combination. 
    >>>>>> 
    >>>>>> For backward compatibility, we should at least let SIP implementors specify
    >>>>> Maybe, but at least we should write something about the usage of claims and scopes.
    >>>>> I think a base level for this draft is specifying a way to say “this access token is valid for SIP usage” or
    >>>>> “this is also a SIP identity"
    >>>> 
    >>>>   Perhaps we can add some text about scope and claims, but I don't want to mandate usage of specific values, because that 
    >>>>   may not be backward compatible with existing implementations using JWT. 
    >>> 
    >>> We can mandate *if* the access token is a jwt (and there’s an identity token like OpenID Connect). 
    >> 
    >>    It may not work with existing implementations that DO use JWT access tokens (not sure whether they use OpenID Connect, though).
    >
    > Ok, you are making me interested - what are these implementations?
    
   Unfortunately I am not able to give information regarding that.

    >When writing a new standard document, should we really be blocked by pre-standard implementations? I would assume that we
    >should be inspired by them, learn by their experiences, but not be hindered by them. 
    
    The implementations are based on earlier versions of the draft.

    And, yes, there is the old saying that one should not deploy a draft before the draft becomes RFC. 

    But, in this case, the first version of Rifaat's individual draft was submitted in 2014. Then, for whatever reason, it took 3(!) years before it got adopted, and after that we have so far worked on it for two years. How long is one expected to wait for an RFC before deploying???

     Of course, if something is broken we need to fix it. But, I don't think what you suggest is fixing something that is broken, it is adding new functionality. And, I have no problem with that, as long as it is backward compatible.

    Regards,

    Christer

v2.23.0 | Report a Bug | By Email