Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - COMMENT
Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Mon, 27 April 2020 17:15 UTC
Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FB8E3A11DC; Mon, 27 Apr 2020 10:15:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xHRPDPnXzaLf; Mon, 27 Apr 2020 10:15:34 -0700 (PDT)
Received: from mail-io1-xd42.google.com (mail-io1-xd42.google.com [IPv6:2607:f8b0:4864:20::d42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 981783A11D9; Mon, 27 Apr 2020 10:15:33 -0700 (PDT)
Received: by mail-io1-xd42.google.com with SMTP id k6so19712235iob.3; Mon, 27 Apr 2020 10:15:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=W/FE5FP8LErWF2WGRik6R3zCmCTKodbCAS3N1YfGP+M=; b=hEB4n9FZB25hl0uz8jATFmclm2zmbNChCgQ5lj8uoEVqExIjuN8dZ1JmodFxpTrI5U Bz5YlX5iShmWxer7lg7zacM1n4ljG5eYEAj/jXfpxiBNuILQg06XL0Lf3U0BbtBqgUBT zmUxYvsznLxzlwfzm6e67gJS7jdKDA9ibzexpQAl0bKF2lGl6evgOp0ykpwoJ73bfY0U Ewm1MGvGViogg8OcUcU4t+w2gky77Q/CpeOY5U3mQuH9T4yybWZlci1P8lVMpAdjPyJX fs1+af1/8BSLoU9Qvov+Ue0SJkBgeDMnI+tNqWuRHromIgf/fbvw52NmQxU9U9DnKNHp 0vgw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=W/FE5FP8LErWF2WGRik6R3zCmCTKodbCAS3N1YfGP+M=; b=XAFRTusfYRt2yH1WKeGlWn5S/U19uDY6FOKdo+nKxH6uHdIsejPmCW1XiI/2nHPWe2 jrtplhVa1Zyy1I1hBcH/Lx1e1F+e78A2mB1/t8zj8i2TfFK25tutZYMPO+Pf58yQN1tJ FbierMD92f+GZkR4+kCD8/CxxyPzdzQOVUiHG8nQAiaHAKAV7wsrFAc1v01atqDVNWhi P2hdQ1bmfWYiglE+SAY8Nkud2pUQ4Ea7o62M4V1A8QMY86kd+6OGvUwifR9XaMyFgyro e93tVyCpPMDOJHAWKD4qPKqUwMfnXubjVIQqnauyX7qzjud/Hfah+YB7lV8NPkG07ScT OMvg==
X-Gm-Message-State: AGi0PuYns/1b78pldd/hl227JPE26uDroPM58qbvj+Fd0klMeYrkuwku rDNTqCawR0KiURiJKbov28WznKZ78yzE2GvHZ2Q=
X-Google-Smtp-Source: APiQypIch5Yn/10e/FrbJUOH+W1JBi0YiJFunKaeKaQjUBM54VsEEBqi38Dm+64fuJdG15mvSpTfuTk0oLrZjR0csnE=
X-Received: by 2002:a05:6602:15ca:: with SMTP id f10mr14815914iow.51.1588007732642; Mon, 27 Apr 2020 10:15:32 -0700 (PDT)
MIME-Version: 1.0
References: <31B5AC00-A9C5-4F02-8111-2ED9EB1D10D9@ericsson.com> <CAGL6ep+dByvWrfEmK9HJRT5iqmuw+_NkOF5GenMxroL7ZmGpuA@mail.gmail.com> <20200427161930.GY27494@kduck.mit.edu>
In-Reply-To: <20200427161930.GY27494@kduck.mit.edu>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Mon, 27 Apr 2020 13:15:21 -0400
Message-ID: <CAGL6epK7s4qtinX3QD6_B5bj1NDgpBRG9UicvTc-6Mpu0AMgkA@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Christer Holmberg <christer.holmberg@ericsson.com>, The IESG <iesg@ietf.org>, "draft-ietf-sipcore-sip-token-authnz@ietf.org" <draft-ietf-sipcore-sip-token-authnz@ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "sipcore@ietf.org" <sipcore@ietf.org>, Jean Mahoney <mahoney@nostrum.com>
Content-Type: multipart/alternative; boundary="000000000000ce128005a448dc4b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/CK9Q1cSkZO5S4XyJzZEw7sf5JRE>
Subject: Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - COMMENT
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Apr 2020 17:15:39 -0000
I am fine with "opaque string". We have already updated the figure to indicate that the introspection step is optional. Regards, Rifaat On Mon, Apr 27, 2020 at 12:19 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > Also inline, though the quoting situation doesn't look great in this MUA. > Apologies if I miss something... > > On Sat, Apr 25, 2020 at 11:10:50AM -0400, Rifaat Shekh-Yusef wrote: > > Inline... > > On Thu, Apr 23, 2020 at 5:04 PM Christer Holmberg > > <christer.holmberg@ericsson.com> wrote: > > > > Hi Benjamin, > > > > Thank You for the review! In this reply I will address some of your > > COMMENT issues, and indicate the ones that I want Rifaat to address. > > Your DISCUSS will be addressed in a separate realy. > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > > > > ---------------------------------------------------------------------- > > > > > Section 1 > > > > > > The OpenID Connect 1.0 specification [OPENID] defines a > simple > > > identity layer on top of the OAuth 2.0 protocol, which > enables > > > clients to verify the identity of the user based on the > > > > > > Please make it clear that these are OAuth/OIDC clients, not SIP > > clients. > > > > I'll leave this for Rifaat. > > > > Sure. > > > > > > --- > > > > > Section 1.3 > > > > > > OAuth 2.0 doesn't require the issuance of a Refresh token, but > the > > > discussion here implies that for the SIP case there will > always be > > a refresh > > > token. If we're profiling 6749 in this manner, we should be > more > > explicit > > > about the requirement to issue refresh tokens. > > > > I am not sure whether the intention is to say that there will > always be > > a refresh token. But, I'll leave this for Rifaat. > > > > I answered in this the reply to the DISCUSS > > > > > > > * ID Token: this token contains the SIP URI and other > > user-specific > > > details that will be consumed by the UAC. > > > > > > nit: I don't think we should use the definite article in "the > SIP > > URI" since > > > we haven't discussed any such SIP URI usage yet. That is, we > > should say > > > what it's used for, e.g., "a SIP URI associated with the user". > > > > I'll leave this for Rifaat. > > > > Sure. > > > > > > > * Structured Token: a token that consists of a structured > > object > > > that contains the claims associated with the token, > e.g. JWT > > as > > > defined in [RFC7519]. > > > > > > nit: comma after "e.g.". > > > > Will be fixed. > > > > > * Reference Token: a token that consists of a random string > > that is > > > used to obtain the details of the token and its > associated > > claims, > > > as defined in [RFC6749]. > > > > > > It doesn't technically have to be random (though in practice it > > should > > > contain signficant random elements); "opaque" might be better > > wording. > > > > I'll leave this for Rifaat. > > > > How about "opaque random string"? > > I'm still not entirely comfortable about that since it implies too much > (lack of) structure. We sometimes see this sort of thing described as an > "opaque handle", if that sounds better to you. > > > > > > Section 1.4.1 > > > > > > Perhaps Figure 1 could include some indication that steps 5 > and 6 > > are > > > optional/do not always occur (in the case when the access > token is > > a > > > self-contained JWT)? > > > > I'll leave this for Rifaat. > > > > This is explicitly mentioned in the text, but I agree that it would be > > helpful to include it in the figure. > > > > > > > In step [2], the registrar challenges the UA, by sending a > SIP > > 401 > > > (Unauthorized) response to the REGISTER request. In the > > response, > > > the registrar includes information about the AS to contact > in > > order > > > to obtain a token. > > > > > > The UAC needs to have a preconfigured whitelist of acceptable > ASes > > in order > > > to avoid directing the user's credentials to malicious sites. > > > > This is related to your DISCUSS, so it will be addressed as part of > > that. > > > > > The registrar validates the access token. If the access > token > > is a > > > reference token, the registrar MAY perform an introspection > > > [RFC7662], as in steps [5] and [6], in order to obtain more > > > information about the access token and its scope, per > [RFC7662]. > > > > > > I think we could tighten up the normative language a bit here. > > > In particular, the registrar MUST validate the token in some > > fashion; for > > > reference tokens, the main ways to do that are either > inspection or > > > (essentially) being the party that issued the token in the > first > > place. > > > > > > Otherwise, after the registrar validates the token to make > sure > > it > > > was signed by a trusted entity, it inspects its claims and > acts > > upon > > > it. > > > > > > I think we can also be more specific than "a trusted entity" > -- in > > this > > > flow, it looks like the registrar should know exactly which > entity > > should > > > have signed the token in question (for the user in question), > and > > should not > > > accept a signed token from a different entity that happens to > be > > trusted to > > > issue other tokens. > > > > The text in Section 2.2. mandates the validation: > > > > "When a UAS/Registrar receives a SIP request that contains an > > Authorization header field with an access token, the > UAS/Registrar > > MUST validate the access token,..." > > > > I don't think we should put too much normative text into the example > > flows. > > > > > Section 1.4.2 > > > > > > (Similarly, Figure 2 could note that steps 3 and 4 do not > always > > occur, and > > > the text about token validation should remain parallel between > > examples.) > > > > I'll leave this for Rifaat. > > > > Again, this is explicitly mentioned in the text, but I agree that it > would > > be helpful to include it in the figure. > > Yes, I agree that the text is clear, but if it's easy to put something in > the figure as well, it seems worth doing so. > > > > > ---- > > > > > Section 2 > > > > > > I note that RFC 3261 explicitly disclaims any definition of > > authorization > > > systems, which is not true for this document, given that OAuth > is > > an > > > authorization system :) > > > > RFC 3261 only says that the RFC does not recommend or discuss any > > authorization system. > > > > > Section 2.1.1 > > > > > > Required) response with a Proxy-Authenticate header field. > If > > the > > > WWW-Authenticate or Proxy-Authenticate header field > indicates > > > "Bearer" scheme authentication and contains an address to an > > > authorization server, the UAC contacts the authorization > server > > in > > > order to obtain tokens, and includes the requested scopes, > based > > on a > > > local configuration (Figure 1). > > > > > > [whitelist of allowed ASes, again] > > > > Will be addressed when the DISCUSS is addressed. > > > > > The detailed OAuth2 procedure to authenticate the user and > > obtain > > > these tokens is out of scope of this document. The address > of > > the > > > authorization server might already be known to the UAC via > > > configuration. In which case, the UAC can contact the > > authorization > > > server for tokens before it sends a SIP request (Figure 2). > > > > > > nit: I think that "in which case" functions as a conjunction, > which > > makes > > > this an incomplete sentence. > > > > The text was suggested by one of the reviewers, but I agree it > sounds > > incomplete. > > > > Perhaps "In such cases"? > > > > > The tokens returned to the UAC depend on the type of > > authorization > > > server (AS): an OAuth AS provides an access token and > refresh > > token > > > [RFC6749]. The UAC provides the access token to the SIP > servers > > to > > > > > > Again, this implies that refresh tokens are always issued; RFC > 6749 > > is quite > > > clear that "issuing a refresh token is optional at the > discretion > > of the > > > authorization server". > > > > I'll leave this for Rifaat. > > > > As I mentioned in the reply to the DISCUSS, we will clarify this. > > > > > > > authorize UAC's access to the service. The UAC uses the > refresh > > > token only with the AS to get a new access token and refresh > > token > > > before the expiry of the current access token (see > [RFC6749], > > section > > > > > > (New refresh token is also optional.) > > > > I'll leave this for Rifaat. > > > > As I mentioned in the reply to the DISCUSS, we will clarify this. > > > > > > > 1.5 Refresh Token for details). An OpenID Connect server > > returns an > > > additional ID-Token containing the SIP URI and other > > user-specific > > > details that will be consumed by the UAC. > > > > > > [same comment as above about "the SIP URI".] > > > > I'll leave this for Rifaat. > > > > Ok > > > > > > > If the UAC receives a 401/407 response with multiple WWW- > > > Authenticate/Proxy-Authenticate header fields, providing > > challenges > > > using different authentication schemes for the same realm, > the > > UAC > > > selects one or more of the provided schemes (based on local > > policy) > > > and provides credentials for those schemes. > > > > > > RFC 3261 seems to be written in a world that assumed that > Basic and > > Digest > > > are the only defined HTTP authentication schemes, and since it > > prohibits > > > Basic, that there would only be one authentication challenge > (type) > > > possible. This text righly acknowledges that we are opening > the > > field up > > > and could have cases where multiple authentication schemes are > > possible; > > > however, it goes even further and admits the possibility of > using > > them > > > simultaneously. It seems like this places an onus on us to > give > > some > > > indication of the semantics when multiple schemes are used at > the > > same time. > > > Do the authenticated identities need to match? Or are we > asserting > > that > > > both/all identities are consenting to the request in > question? (If > > we don't > > > have a concrete use case in mind, perhaps the "or more" is just > > opening a > > > box that we don't need to open right now.) > > > > I can modify as suggested. > > > > (Personally, I have never seen multiple schemes in a deployment.) > > > > > Section 2.1.2 > > > > > > access to it. Endpoints that support this specification > MUST > > support > > > encrypted JSON Web Tokens (JWT) [RFC7519] for encoding and > > protecting > > > access tokens when they are included in SIP requests, unless > > some > > > other mechanism is used to guarantee that only authorized > SIP > > > endpoints have access to the access token. > > > > > > I think we may want "MUST support" (always) and "MUST use, > unless > > some other > > > mechanism". > > > > Based on another review, I suggested to change to "MUST use". I am > not > > sure whether we need to keep "MUST support". > > > > > I'd also suggest a quick note that TLS remains fine for > protecting > > the > > > UAC/AS interaction where the refresh token is used. > > > > I can do that. > > > > I could also say "*SIP* endpoints that support this > specification...". > > > > > Whatever is done, please harmonize with Section 5 that has > > essentially the > > > same text. > > > > Will do. > > > > > Section 2.1.3 > > > > > > Based on local policy, the UAC MAY include an access token > that > > has > > > been used for another binding associated with the same > Address > > Of > > > Record (AOR) in the request. > > > > > > Just to check: there's no real privacy considerations with such > > use, as its > > > the same parties interacting and there are other identifiers > (e.g., > > IP > > > addresses) to confirm that it's the same client communicating > to > > the server? > > > > I'll leave this for Rifaat. > > > > I would not rely only on an IP address, but the answer is yes. > > Okay. > > > > > > > > Also, is it clear what will be done (new token request) when > the > > MAY is not > > > heeded? > > > > I'll leave this for Rifaat. > > > > The Client would need to obtain a new access token. I will clarify > this. > > Thanks. > > > > > > Section 2.1.4 > > > > > > The text here just talks about "a valid access token" and > similar, > > without > > > saying a whole lot about it being related in any way to the > > specifics of the > > > authentication challenge. Is there something useful to say > about, > > e.g., the > > > token in question having been issued by the authorization > server > > indicated > > > in the challenge? > > > > I'll leave this for Rifaat. > > > > Sure. > > > > > > > Section 2.2 > > > > > > authorization credentials acceptable to it, it SHOULD > challenge > > the > > > request by sending a 401 (Unauthorized) response. To > indicate > > that > > > it is willing to accept an access token as a credential, the > > UAS/ > > > Registrar MUST include a Proxy-Authentication header field > in > > the > > > response that indicates "Bearer" scheme and includes an > address > > of an > > > > > > nit(?): I'd consider just making this a declarative statement, > a la > > "the > > > UAS/registrar includes a Proxy-Authentication header field > with the > > "Bearer" > > > scheme to indicate that it is willing to accept an access > token as > > a > > > credential" (but that wording is incomplete and would need to > be > > fleshed > > > out a bit more). > > > > I think that would be weird. Because, first we say that the > > UAS/Registrar SHOULD challenge, and with your suggestion the text > would > > say that the UAS/Registrar MUST include a Proxy-Authentication > header > > field even if it does NOT challenge the request. > > > > Perhaps: > > > > "If the UAS/Registrar chooses to challenge the request, and is > willing > > to accept an access token as a credential, the UAS/Registrar MUST > > include a..." > > > > > authorization server from which the originator can obtain an > > access > > > token. > > > > > > nit: "address of" an AS, does that mean bare IP address only > or is > > a DNS > > > name okay? > > > > I'll leave this for Rifaat. > > > > I do not think that an IP address is appropriate, and what I have in > mind > > is a DNS name. > > I will clarify it. > > Ah, DNS name sounds better to me, too :) > > Thanks, > > Ben > > > > [RFC7519]. If the token provided is an expired access > token, > > then > > > the UAS MUST reply with 401 Unauthorized, as defined in > section > > 3 of > > > [RFC6750]. If the validation is successful, the > UAS/Registrar > > can > > > continue to process the request using normal SIP > procedures. If > > the > > > validation fails, the UAS/Registrar MUST reject the request. > > > > > > Is "expired" the only case that should get a 401 vs. outright > > rejection, as > > > stated here? > > > > 401 is sent also in the case where the validation fails. I will > clarify > > that. > > > > > Section 2.3 > > > > > > sending a 407 (Proxy Authentication Required) response. To > > indicate > > > that it is willing to accept an access token as a > credential, > > the > > > proxy MUST include a Proxy-Authentication header field in > the > > > response that indicates "Bearer" scheme and includes an > address > > to an > > > > > > [same comment as above about normative vs. declarative > statement] > > > Also, please keep the text parallel between sections -- this > copy > > has at > > > least one nit ("address to an" vs. "address of an"). > > > > I will fix this in the same way. > > > > > Section 3 > > > > > > If an access token is encoded as a JWT, it might contain a > list > > of > > > claims [RFC7519], some registered and some > > application-specific. The > > > > > > I don't think there's a question of whether a JWT will contain > a > > list of > > > claims :) > > > > Fair enough :) > > > > > Maybe "If the access token is encoded as a JWT, it will > contain a > > list of > > > claims [RFC7519], which may include both registered and > > application-specific > > > claims"? > > > > Looks good to me, but I'll leave this for Rifaat. > > > > Looks good to me too. > > Regards, > > Rifaat > > > > > > ---- > > > > > Section 4 > > > > > > This section claims to cover WWW-Authenticate. What > specification > > will the > > > SIP use of Bearer for Authorization operate under? > > > > RFC 6750. > > > > Section 2.1.3 says: > > > > "The UAC sends a REGISTER request with an Authorization header > field > > containing the response to the challenge, including the Bearer > scheme > > carrying a valid access token in the request, as specified in > > [RFC6750]." > > > > > challenge =/ ("Bearer" LWS bearer-cln *(COMMA > bearer-cln)) > > > > > > side note: is there a mnemonic for the "cln" in "bearer-cln"? > > > > RFC 3261 uses "cln" for digest. > > > > > bearer-cln = realm / scope / authz-server / error / > > > auth-param > > > > > > nit: realm is already included in auth-param, though I don't > see a > > harm in > > > calling it out explicitly. > > > > auth-param is used to allow possible new parameters in the future. > > > > > realm = <defined in RFC3261> > > > auth-param = <defined in RFC3261> > > > > > > RFC 3261 defers to RFC 2617 (now obsoleted by 7235) for both of > > these; we > > > could perhaps short-circuit the chain and say "defined in RFC > > 7235". > > > > We discussed this in the WG, and the outcome was to keep the same > > references as RFC 3261, since that is what people are implementing. > > > > Then, as a separate task, someone could update RFC 3261 with the new > > references. > > > > --- > > > > > Section 5 > > > > > > We should probably note that SIP makes much heavier use of > proxies > > than is > > > common in the web world of OAuth. > > > > Maybe something like: > > > > "However, SIP makes have use of intermediary SIP proxies, and TLS > only > > guarantees hop-to-hop protection when used to > > protect SIP signaling." > > > > > I'm happy to see that some privacy considerations are being > added > > in > > > response to Barry's review. > > > > Good :) > > > > --- > > > > > Section 8 > > > > > > I think RFCs 8252 and 8414 could be just informative. > > > > I can fix that. > > > > --- > > > > Regards, > > > > Christer > >
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Christer Holmberg
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Benjamin Kaduk
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Christer Holmberg
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Rifaat Shekh-Yusef
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Benjamin Kaduk
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Benjamin Kaduk
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Christer Holmberg
- Re: [sipcore] Benjamin Kaduk's Discuss on draft-i… Rifaat Shekh-Yusef