Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

["Olle E. Johansson" <oej@edvina.net>]

> On 11 Jul 2019, at 14:07, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
> 
> Hi,
> 
>>>>>>>> The tokens generally, but if I understand it right not always, are JWT structures that contain various data. In 
>>>>>>>> OpenID connect both the access and identity token are JWTs.
>>>>>>>> We can either specify specific claims that  are standardised for various SIP functions or let that be open for 
>>>>>>>> the SIP implementors to specify or a combination. 
>>>>>>> 
>>>>>>> For backward compatibility, we should at least let SIP implementors specify
>>>>>> Maybe, but at least we should write something about the usage of claims and scopes.
>>>>>> I think a base level for this draft is specifying a way to say “this access token is valid for SIP usage” or
>>>>>> “this is also a SIP identity"
>>>>> 
>>>>>  Perhaps we can add some text about scope and claims, but I don't want to mandate usage of specific values, because that 
>>>>>  may not be backward compatible with existing implementations using JWT. 
>>>> 
>>>> We can mandate *if* the access token is a jwt (and there’s an identity token like OpenID Connect). 
>>> 
>>>   It may not work with existing implementations that DO use JWT access tokens (not sure whether they use OpenID Connect, though).
>> 
>> Ok, you are making me interested - what are these implementations?
> 
>   Unfortunately I am not able to give information regarding that.
> 
>> When writing a new standard document, should we really be blocked by pre-standard implementations? I would assume that we
>> should be inspired by them, learn by their experiences, but not be hindered by them. 
> 
>    The implementations are based on earlier versions of the draft.
> 
>    And, yes, there is the old saying that one should not deploy a draft before the draft becomes RFC. 
> 
>    But, in this case, the first version of Rifaat's individual draft was submitted in 2014. Then, for whatever reason, it took 3(!) years before it got adopted, and after that we have so far worked on it for two years. How long is one expected to wait for an RFC before deploying???
> 
>     Of course, if something is broken we need to fix it. But, I don't think what you suggest is fixing something that is broken, it is adding new functionality. And, I have no problem with that, as long as it is backward compatible.
> 
>   
Christer, 
I’ve been thinking about this. We are almost in the same situation as the old discussion about the DIversion: header. While waiting
for another better solution, that’s what all of us implemented. Then came SIP HIstory and we had no docs to refer to for interoperability…
The old draft was later published as an informational RFC.

Can we look into the same solution? Publishing the current draft wiith minor nits as an informational RFC that your implementation is compliant with
and then work on something more up-to-par with current OAuth2/OpenID connect BCPs and thinking?

As an example: When reading the docs I see ways of protecting the access token so that only a specific service (read SIP domain)  may decrypt and
use it. That way we don’t need to disallow forwarding of SIP messages with a bearer token, as the token will be useless beyond that point.
Starting to go down that road, wlil definitely mean that we leave the implementation you currently have behind. And that is just
one issue. The other is having a parsable access token, which I think would be a requirement to follow the BCP and propably to get through
the hole security audit for any standard-track RFC publication.

What do you think? Is this a way forward?

/O