Re: [sipcore] A SIP OAuth use case

[Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>]

On Mon, Sep 15, 2014 at 3:29 PM, Peterson, Jon <jon.peterson@neustar.biz>
wrote:

>
>  Format snags aside,
>

I copied that text from a different editor.
The format seems ok here:
http://www.ietf.org/mail-archive/web/sipcore/current/msg06258.html

So, it might be something on your side?



> I have a bit of difficulty even differentiating the issues listed below:
> surely the reason why enterprises assign multiple identities per user is to
> authorize access to different services separately.
>

Sorry, I do not get that.
Why would the enterprise be required to create multiple identities to allow
access to different services separately? in other words, why cannot the
enterprise create one identity and still be able to control the user's
access to different services provided by different servers?



> This is an issue that could be resolved with an access control list per
> service and a trusted identity broker in the enterprise vouching for user
> identities to these services.
>

But that means that each server that provides a service must maintain a
separate user directory, which is exactly what I am trying to avoid.



> But to convince ourselves that one approach to this is better than
> another, we need to look at a level of detail below these issue
> descriptions. Again, in order to access a voicemail service in an
> enterprise, say, what does the voicemail service need to know about the
> user?
>
>  Like, for regular access to the voicemail for "jon@enterprise," surely
> all the voicemail service needs to know is that the entity authoritative
> for the @enterprise issued me the name "jon." Maybe the "admin" account
> gets to access all the voicemails, if need be.
>

The application server needs the following pieces of information about each
user:
1. ID and credentials
2. User profile to control the level of service provided to the user.

You cannot assume that all users will get the same level of service.



> There are a variety of mechanisms that suffice to prove simple identities
> like that to a service.
>

Can you elaborate?
Are you assuming that the service still have a separate user directory?



> If, however, I as "jon" needed for a third-party transcription service to
> access a subset of the messages in my voicemail box, and I wanted the
> permissions for that access to expire as soon as the messages had been
> transcribed, then there is a much narrower set of mechanisms that could
> provide that capability.
>

You keep going back to the OAuth 2.0 model and try to impose it on SIP,
which would work in some use cases.

What I am proposing is something along the lines of OpenID, which extends
the OAuth to authenticate the *user*.
In this case, the mapping between OAuth and SIP would be something like the
following:

OAuth                                    SIP
---------------------------------------------------------------------------
Resource Owner                     End User
Resource Server                     SIP Proxy or SIP Application Server
Client                                     SIP UA
Authorization Server                Authorization Server

Do you see a problem with this model?



> But it sounds to me, from this issues list, like your requirements are
> more along the former lines than the latter.
>
>
Actually, it is both.

Here is an example of a use case that fits with the OAuth 2.0 model:

An Application Server that provides Mobile Clients with access to SIP
services.
The Mobile Client uses a proprietary protocol to communicate with the
Application Server that registers and gets service from the SIP network on
behalf of the user that is using the Mobile Client.

The communication channels between the players in this case are as follows
(hopefully the format is ok this time):

[Mobile Client]  <----------->  [Application Server] <-----------> [SIP
Proxy]
          /\                                         /\
           |                                          |
           |                                         \/
           ------------------------> [Authorization Server]


In this case, the mapping between OAuth and SIP would be something like the
following:

OAuth                                    SIP
---------------------------------------------------------------------------
Resource Owner                     End User
Resource Server                     SIP Proxy
Client                                     Application Server (providing
service to the mobile client)
Authorization Server                Authorization Server


Regards,
 Rifaat





>  Jon Peterson
> Neustar, Inc.
>
>   From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
> Date: Saturday, September 13, 2014 at 12:32 PM
>
> To: Jon Peterson <jon.peterson@neustar.biz>
> Cc: Paul Kyzivat <pkyzivat@alum.mit.edu>, "sipcore@ietf.org" <
> sipcore@ietf.org>
> Subject: Re: [sipcore] A SIP OAuth use case
>
>
>
> On Thu, Sep 4, 2014 at 7:27 PM, Peterson, Jon <jon.peterson@neustar.biz>
> wrote:
>
>>
>>  I understand that OAuth can be altered from its basic flows to provide
>> tokens for OpenID, and IdP could be bound to OAuth, and while this is all
>> very interesting it doesn't change much about the requirements discussion I
>> think we need to have: the one about what kinds of use cases we want to
>> satisfy and who the relying parties are in those cases. Once we understand
>> that, we will understand what tools are applicable to these use cases -
>> preferably, not tools that need to be twisted into a different shape to be
>> applicable.
>>
>>
>  Well, OpenID extends the OAuth 2.0 Framework to authenticate the user;
> why do you think it is "twisting" OAuth into a different shape?
>
>
>
>
>>  It would helpful, in the enterprise SSO case, for us to understand what
>> kinds of application servers a user might need to access, and what exactly
>> those application servers need to know about the user in order to
>> accomplish their function.
>>
>>
>  Below is a description for some enterprise issues, that hopefully will
> be addressed by a new authorization framework:
>
>
>  * Multiple Identities One of the major issues in the enterprise is the
> need for a user to obtain multiple uncorrelated identities associated with
> different products to get access to the various services provided by the
> enterprise. For example, in the enterprise the user will be provided with
> different identities to: o Login his device (PC, laptop, mobile, ...) to
> the network. o Register to the SIP network and get basic SIP services. o
> Access his Voice Mail. o Host a conference. o etc Typically, these
> identities belong to different administrative domains and realms. Instead
> of these multiple identities, ideally the enterprise would like to create
> and maintain only one identity for the user and then allow the user access
> to all SIP and non-SIP services using that one identity. * Authorization of
> Access to Services Another issue in the enterprise is the need to control
> and authorize a user access to services. Because application servers have
> their own user directory, the control of access to services is spread over
> a multitude of servers in the network. Ideally, the enterprise would like
> to manage the access to services using one centralized entity and for the
> various entities that provide the service to become the enforcement points.
> * Assignment of Services In the enterprise, different users might be
> assigned to different servers providing a specific service; e.g. Voice Mail
> Box for different users might be hosted by different servers, and the user
> need to know his assigned server to be able to get access to this service.
> * Application Servers To be able to provide service, the application server
> needs a list of users allowed to get services. The application server needs
> the following pieces of information about each user: 1. User ID and
> Credentials 2. Profile to control the level of service provided to the
> user. If one application server provides different services using different
> protocols, the application server might need to maintain different
> identities associated with these protocols; e.g. an application server that
> provides presence service using SIP, and IM service using XMPP. Ideally, an
> authorization framework would: 1. Off load the application server from the
> need to manage the user credentials and authenticating the user. 2. Off
> load the application server from the need to maintain the users and their
> profiles to control the level of service provided to the user. 3. Allow the
> assignment of a user to a specific application server. * OAuth/OpenID Model
> With the OAuth/OpenID framework, the user ID and credentials will be
> handled by the authorization server, and the application server assignment
> and the level of service associated with the user will be provided in the
> scope of the token associated with the user. When the application server
> receives a request from a user it will have all the details that would
> allow the application server to validate the request to make sure it is
> coming from the right authorization server, and to act upon the request
> because it has the scope associated with the user, without the need to
> contact the authorization server. * Relying Party Regarding the Relying
> Party question: I think that when the user is being authenticated, that the
> Relying Party would be the SIP Client that would be given a user token (ID
> Token in OpenID lingo) to access services on behalf of the end user. So,
> the mapping would be something like this:
> +------------------------+-----------------------------+ | OAuth | SIP |
> +------------------------+-----------------------------+ | Resource Owner |
> End User | | Resource Server | SIP Proxy or SIP App Server | | Client | SIP
> UA (Relying Party) | | Authorization Server | Authorization Server |
> +------------------------+-----------------------------+
>
>
>  Regards,
>  Rifaat
>
>
>
>
>
>
>
>>  Jon Peterson
>> Neustar, Inc.
>>
>>   From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
>> Date: Thursday, September 4, 2014 at 8:31 AM
>> To: Jon Peterson <jon.peterson@neustar.biz>
>> Cc: Paul Kyzivat <pkyzivat@alum.mit.edu>, "sipcore@ietf.org" <
>> sipcore@ietf.org>
>> Subject: Re: [sipcore] A SIP OAuth use case
>>
>>
>>
>>
>> On Wed, Sep 3, 2014 at 4:00 PM, Peterson, Jon <jon.peterson@neustar.biz>
>> wrote:
>>
>>>
>>> While I would echo Paul's thoughts below about the plausibility of
>>> service
>>> providers using this model to authorize recording, I also agree that
>>> third-party recording is an excellent example of a service architecture
>>> that requires an authorization mechanism like OAuth. An end user needs to
>>> authorize a third party to participate in the session under certain
>>> constraints, and coordinate the association between the third party and
>>> the VoIP service. This example also (rightly, in my opinion) conducts the
>>> majority of the flow in HTTP where it belongs.
>>>
>>>
>>  I agree with that.
>>
>>
>>
>>> Many of the use cases under discussion in this thread, though, are of the
>>> form where there are really only two involved parties: an end user and a
>>> service provider. If you are my service provider, then in traditional SIP
>>> I share a secret with you that I use to REGISTER my devices. I don't
>>> think
>>> you need OAuth for that.
>>
>>
>>  If you assume that there is one server that provides all the services,
>> then you are right.
>> But that is not the case all the time. I think that Dale articulated that
>> clearly in the following response:
>> http://www.ietf.org/mail-archive/web/sipcore/current/msg06233.html
>>
>>
>>
>>> I do understand that OAuth 2.0 is used in the
>>> wild for SSO, though I sympathize with Matt that the base flow shown in
>>> RFC6749 Sec 1.2 just doesn't map onto the requirements for SSO.
>>>
>>>
>>  I agree that the OAuth 2.0 "as is" does not address the SSO
>> requirements.
>> The SIP OAuth proposal is not just using OAuth 2.0 "as is", but it is
>> extending the framework to authenticate and provide a *user* specific token.
>>
>>  Since Matt mentioned OpenID few times, I looked at the OpenID
>> specification.
>> What they are doing there is that they defined a new token, called ID
>> Token, that is associated with the *user*; which is exactly what the SIP
>> OAuth proposal is doing.
>> http://openid.net/specs/openid-connect-core-1_0.html#IDToken
>>
>>  My plan is to use the same terminology, ID Token, in the next version
>> of the SIP OAuth document to clarify that, and to differentiate it from the
>> access token.
>>
>>
>>
>>> I think, though, we might usefully break uses cases here down by who the
>>> intended relying party is:
>>>
>>> - The user's own SIP service provider (my enterprise, my carrier, my OTT
>>> provider)
>>> - A third party that a user wants to authorize for a service (recording
>>> service... But anything else?)
>>>
>>> I would also append some use cases where the relying party:
>>>
>>> - Someone with no association with the user (caller ID sorts of cases)
>>>
>>> This last is where I've argued things like IdP might be relevant.
>>>
>>>
>>  EKR has a nice description for binding IdP to OAuth in his WebRTC
>> Security Architecture document here:
>>
>> https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-10#appendix-A.2
>>
>>  We could use the same idea for SIP.
>>
>>
>>  Regards,
>>  Rifaat
>>
>>
>>
>>
>>> Are there any other high-level buckets of use cases here?
>>>
>>> Jon Peterson
>>> Neustar, Inc.
>>>
>>> On 8/25/14, 11:44 AM, "Paul Kyzivat" <pkyzivat@alum.mit.edu> wrote:
>>>
>>> >On 8/25/14 11:50 AM, Rifaat Shekh-Yusef wrote:
>>> >> Hi Matt,
>>> >>
>>> >> The use case and the solution provided assumes that the VoIP Provider
>>> >> makes the decision on when and what to record.
>>> >> While this is a valid use case, there are other use cases that allow
>>> the
>>> >> user to decide on when and what to record; take a look at RFC6341 for
>>> >> more info.
>>> >> http://datatracker.ietf.org/doc/rfc6341/
>>> >
>>> >SIPREC supports numerous topologies.
>>> >It would support the one that Matt outlines as well as end-user
>>> >controlled ones.
>>> >
>>> >I found Matt's use case interesting. I think it would be nice if such
>>> >services were available in that form. But I have difficulty imagining
>>> >any of the VoIP providers I'm aware of supporting this model. My
>>> >impression is that this means that they are giving up a value added
>>> >revenue market, that they are loath to do. The most likely justification
>>> >I can imagine that they don't want to legal consequences of doing
>>> >recording.
>>> >
>>> >       Thanks,
>>> >       Paul
>>> >
>>> >> For these use cases, where the user is in control, you need to away to
>>> >> authenticate and control which users are allowed to record and the
>>> level
>>> >> of service provided for that specific user.
>>> >> This is where the solutions provided in section 3 or section 4 of the
>>> >> SIP OAuth proposal come into play.
>>> >> Obviously, in this case the authorization server is different from
>>> >> authorization server used to establish the trust relationship between
>>> >> the VoIP Provider and the CRS Provider.
>>> >> In this case, the authorization server must authenticate the user and
>>> >> provide his UA with an access token or a code that controls the user's
>>> >> access to the service.
>>> >>
>>> >> Regards,
>>> >>   Rifaat
>>> >>
>>> >>
>>> >>
>>> >> On Sat, Aug 23, 2014 at 9:05 AM, Matt Ryan <ietf@mvryan.org
>>> >> <mailto:ietf@mvryan.org>> wrote:
>>> >>
>>> >>     Included is the use case I spoke of before.  My apologies for the
>>> >>delay.
>>> >>
>>> >>     This is written as though it could be included in
>>> >>     [draft-yusef-sipcore-sip-oauth] at section 6.
>>> >>
>>> >>
>>> >>     6. Examples
>>> >>
>>> >>     6.1. Example: Call Recording Service
>>> >>
>>> >>     This example illustrates the use of SIP OAuth between three
>>> >>     parties:  A hosted VoIP service provider, a Call Recording Service
>>> >>     provider, and a phone system end-user.  In this example:
>>> >>     - The phone system end-user is a customer of both the hosted VoIP
>>> >>     provider and the Call Recording Service provider
>>> >>     - The hosted VoIP service provider is a standard provider of
>>> hosted
>>> >>     business-class VoIP telephone service using SIP
>>> >>     - The Call Recording Service provider is a distinct entity from
>>> the
>>> >>     hosted VoIP provider
>>> >>
>>> >>     The Call Recording Service provides to customers both the call
>>> >>     recording abilities and management of call recordings
>>> >>     (configuration, sharing and distribution, retention, etc.).  This
>>> >>     service can accept and record RTP traffic, associate all RTP
>>> streams
>>> >>     with a single call together, and store and catalog the recorded
>>> data
>>> >>     for future searching and retrieval.  The service also offers a web
>>> >>     interface where customers may view and retrieve stored calls.
>>> >>     Stored calls may range from simple person-to-person voice calls to
>>> >>     multi-party conferences with a multitude of audio and video
>>> >>     streams.  In this example, customers are billed based on the
>>> amount
>>> >>     of data they store, although other models are certainly possible.
>>> >>
>>> >>     6.1.1. OAuth 2.0 Roles
>>> >>
>>> >>     In this example, each party assumes the following OAuth 2.0 roles
>>> as
>>> >>     defined in [RFC6749] Section 1.1:
>>> >>     - The end-user assumes the role of resource owner
>>> >>     - The hosted VoIP service provider assumes the role of client
>>> >>     - The Call Recording Service provider assumes the role of resource
>>> >>     server as well as the role of authorization server
>>> >>
>>> >>     6.1.2. Description
>>> >>
>>> >>     There are two parts to the example:  Initial configuration and
>>> >>     real-time recording authorization.
>>> >>
>>> >>     Each section includes a simplified flow diagram for the purpose of
>>> >>     describing the corresponding portion of the example.  For the sake
>>> >>     of brevity, certain parts of the OAuth dialog have been
>>> eliminated.
>>> >>     Implements should refer to [RFC6749] for details on OAuth.
>>> >>
>>> >>     6.1.2.1 Initial Configuration
>>> >>
>>> >>        +-------------+     +---------------+     +--------------+
>>> >>        |  End-User   |     | VoIP Provider |     | CRS Provider |
>>> >>        | Web Browser |     |    Website    |     |              |
>>> >>        +-------------+     +---------------+     +--------------+
>>> >>               |                    |                     |
>>> >>               | HTTP 1             |                     |
>>> >>               | (Configure CRS)    |                     |
>>> >>               |------------------->|                     |
>>> >>               |                    |                     |
>>> >>               | HTTP 2             |                     |
>>> >>               | (OAuth Redirect    |                     |
>>> >>               |  to CRS Website)   |                     |
>>> >>               |<-------------------|                     |
>>> >>               |                    |                     |
>>> >>               | HTTP 3             |                     |
>>> >>               | (Authorize SIP from VoIP provider        |
>>> >>               |----------------------------------------->|
>>> >>               |                    |                     |
>>> >>               | HTTP 4             |                     |
>>> >>               | (OAuth Redirect back to VoIP portal)     |
>>> >>               |<-----------------------------------------|
>>> >>               |                    |                     |
>>> >>               | HTTP 5             |                     |
>>> >>               |------------------->|                     |
>>> >>               |                    | HTTP 6              |
>>> >>               |                    | (Request Access and |
>>> >>               |                    |  refresh tokens)    |
>>> >>               |                    |-------------------->|
>>> >>               |                    |                     |
>>> >>
>>> >>     Some time after having signed up for both services, but prior to
>>> >>     attempting to record any calls, the end-user logs into the web
>>> >>     portal of the hosted VoIP provider with a web browser and
>>> configures
>>> >>     their call recording service (HTTP 1).  This configuration
>>> includes
>>> >>     providing a URI where the call recording service may be reached,
>>> >>     along with a set of API credentials, provided by the call
>>> recording
>>> >>     service, which will allow the client to initiate an OAuth
>>> exchange.
>>> >>     The end-user also configures the conditions under which call
>>> >>     recordings should take place.  For example, the end-user may
>>> request
>>> >>     to record every multi-party (conference) call, or every call
>>> >>     involving a specific set of users.  The end-user may also specify
>>> >>     other restrictions, such as restricting codec negotiation to
>>> G.711u
>>> >>     for audio and H.264 for video in order to record the RTP streams.
>>> >>     Once the end-user saves the configuration, the hosted VoIP
>>> provider
>>> >>     web portal redirects the end-user's web browser to the call
>>> >>     recording service website and a standard HTTP OAuth dialog begins
>>> >>     (HTTP 2).  The end-user authorizes the hosted VoIP provider to
>>> >>     access (i.e. send SIP and RTP traffic to) the call recording
>>> >>     service, for the purpose of recording calls, so long as the
>>> >>     configured conditions are met (HTTP 3).  The result of this
>>> >>     interaction is that the hosted VoIP provider ends up receiving an
>>> >>     OAuth access token and refresh token from the call recording
>>> service
>>> >>     (HTTP 4, HTTP 5, HTTP 6).  These tokens are saved in the
>>> end-user's
>>> >>     hosted VoIP account database.
>>> >>
>>> >>     6.1.2.2 Real-time Recording Authorization
>>> >>
>>> >>        +-------------+     +---------------+      +--------------+
>>> >>        |  End-User   |     | VoIP Provider |      | CRS Provider |
>>> >>        |  SIP Phone  |     |    Website    |      |              |
>>> >>        +-------------+     +---------------+      +--------------+
>>> >>               |                    |                      |
>>> >>               | SIP INVITE 1       |                      |
>>> >>               |------------------->|                      |
>>> >>               |                    | SIP INVITE 2         |
>>> >>               |                    | (with access token)  |
>>> >>               |                    |--------------------->|
>>> >>               |                    |                      |
>>> >>               |                    | SIP 401 Unauthorized |
>>> >>               |                    |<---------------------|
>>> >>               |                    |                      |
>>> >>               |                    | SIP INVITE 3         |
>>> >>               |                    | (with refresh token) |
>>> >>               |                    |--------------------->|
>>> >>               |                    |                      |
>>> >>               |                    | SIP 200 1            |
>>> >>               |                    | (new access token)   |
>>> >>               |                    |<---------------------|
>>> >>               |                    |                      |
>>> >>               |                    | SIP INVITE 4         |
>>> >>               |                    | (with access token)  |
>>> >>               |                    |--------------------->|
>>> >>               |                    |                      |
>>> >>               |                    | SIP 200 2            |
>>> >>               |                    |<---------------------|
>>> >>               |                    |                      |
>>> >>
>>> >>     Independently of and after the initial configuration phase, the
>>> >>     end-user makes a telephone call using the hosted VoIP provider
>>> (SIP
>>> >>     INVITE 1).  When this call takes place, the hosted VoIP provider
>>> >>     looks to see whether it believes this call should be recorded.  If
>>> >>     so, at this point it would branch the call session to the call
>>> >>     recording service, using SIP OAuth to pass the previously provided
>>> >>     access token for authorization (SIP INVITE 2).  Once the access
>>> >>     token is validated by the call recording service (perhaps after
>>> >>     first providing a new access token based on receipt of a valid
>>> >>     refresh token), the call recording service will check the rights
>>> >>     that were previously authorized and examine the SIP to determine
>>> >>     whether it can accept the call.  If so, it completes the
>>> >>     establishment of the session and begins receiving and recording
>>> the
>>> >>     RTP stream(s) (SIP 200 OK).  The call recording service provider
>>> >>     could also deny the request, either because the tokens are invalid
>>> >>     or because the content of
>>> >>       the SIP invite does not match the previously authorized
>>> >>     conditions, in which case a SIP 403 would be returned by the call
>>> >>     recording service provider and the call would not be recorded -
>>> >>     however, the initial call branch would continue without
>>> >>interruption.
>>> >>
>>> >>     Note:
>>> >>     [RFC6749] specifies that when a client uses a refresh token to
>>> >>     request a new access token, the response is HTTP 200 with the new
>>> >>     access token and optionally a new refresh token included in the
>>> >>     payload.  In this example, a SIP 200 response (SIP 200 1) is sent
>>> >>     which contains the new token(s).  However, this could be confusing
>>> >>     as SIP 200 is generally viewed as the acceptance of the INVITE,
>>> >>     which is not what is happening in this case.  Should SIP 200 be
>>> used
>>> >>     for consistency, or should another mechanism be used?
>>> >>
>>> >>     6.1.3. Justification
>>> >>
>>> >>     6.1.3.1. Hosted VoIP Service Provider
>>> >>
>>> >>     In this example, the hosted VoIP service provider can allow their
>>> >>     customers to enable call recording in their VoIP service by
>>> >>     selecting from any of a number of supported call recording service
>>> >>     providers.  This allows the hosted VoIP service provider to offer
>>> >>     this feature to customers without requiring that the hosted VoIP
>>> >>     service provider implement and support this feature themselves.
>>> >>
>>> >>     6.1.3.2. Call Recording Service Provider
>>> >>
>>> >>     In this example, the Call Recording Service provider can focus on
>>> >>     value and innovation in the area of recording calls and managing
>>> >>     recorded calls without having to build a full-featured telephony
>>> >>     offering.
>>> >>
>>> >>     6.1.3.3. Customer
>>> >>
>>> >>     In this example, the customer has more flexibility in choosing a
>>> >>     complete solution that meets all of the customer needs.  The
>>> >>     customer does not have to settle for a substandard call recording
>>> >>     service offering in order to obtain other features they seek in a
>>> >>     hosted VoIP provider, and vice versa.
>>> >>
>>> >>     6.1.4. Variants
>>> >>
>>> >>     A simple variant of this example is one wherein one of the
>>> services
>>> >>     (either the VoIP service or the call recording service) is managed
>>> >>     directly by the end-user, but the other is not.  For example, the
>>> >>     end-user may wish to make use of an external hosted VoIP service
>>> >>     provider, but may have business or legal reasons that forbid the
>>> >>     end-user from allowing a third party to store and manage recorded
>>> >>     calls.  The end-user could choose to set up their own call
>>> recording
>>> >>     service as described in this example, and use SIP OAuth to
>>> >>     facilitate interaction between the hosted VoIP service and the
>>> >>     end-user's own call recording service.
>>> >>
>>> >>     6.2. Other SIP OAuth examples
>>> >>
>>> >>     Many other SIP-based services could leverage SIP OAuth to provide
>>> >>     value-added service to an end-user of a hosted VoIP service
>>> >>     provider.  Some examples of these types of services are listed
>>> >>below.
>>> >>
>>> >>     Voicemail service provider:  The end-user configures their hosted
>>> >>     VoIP service provider to manage voicemail through a separate
>>> >>     voicemail service provider, which chooses whether to store
>>> voicemail
>>> >>     based on existing quotas, Caller ID, etc.
>>> >>
>>> >>     Conferencing service provider:  A conferencing service may wish to
>>> >>     bill customers in a more granular fashion, for example, based on
>>> the
>>> >>     number of participants and attendees in a conference, the duration
>>> >>     of conference, whether video was also included, which codecs were
>>> >>     being used, etc. instead of a flat monthly rate.  SIP OAuth would
>>> >>     facilitate metered authorization for a client's use of the
>>> service,
>>> >>     instead of all-or-nothing access.
>>> >>
>>> >>     Call center service provider:  A third party may provide ring
>>> groups
>>> >>     or call queues for a hosted VoIP provider along with detailed
>>> >>     reports and dashboards.  The end-user uses OAuth over SIP to
>>> control
>>> >>     who can log into which queues or ring groups, etc.
>>> >>
>>> >>
>>> >>
>>> >>     --
>>> >>     Matt Ryan
>>> >>     code slinger | zoomulus.com <http://zoomulus.com>
>>> >>     ietf at mvryan dot org
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>     _______________________________________________
>>> >>     sipcore mailing list
>>> >>     sipcore@ietf.org <mailto:sipcore@ietf.org>
>>> >>     https://www.ietf.org/mailman/listinfo/sipcore
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> _______________________________________________
>>> >> sipcore mailing list
>>> >> sipcore@ietf.org
>>> >> https://www.ietf.org/mailman/listinfo/sipcore
>>> >>
>>> >
>>> >_______________________________________________
>>> >sipcore mailing list
>>> >sipcore@ietf.org
>>> >https://www.ietf.org/mailman/listinfo/sipcore
>>>
>>> _______________________________________________
>>> sipcore mailing list
>>> sipcore@ietf.org
>>> https://www.ietf.org/mailman/listinfo/sipcore
>>>
>>
>>
>