IETF Logo Mail Archive

Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 11 July 2019 17:55 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1603A1200A4 for <sipcore@ietfa.amsl.com>; Thu, 11 Jul 2019 10:55:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.003
X-Spam-Level:
X-Spam-Status: No, score=-2.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L7XOPgM_GKWC for <sipcore@ietfa.amsl.com>; Thu, 11 Jul 2019 10:55:24 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50053.outbound.protection.outlook.com [40.107.5.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D6D512002E for <sipcore@ietf.org>; Thu, 11 Jul 2019 10:55:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Kw2Pg/7jbeUwzGUXMr06PfcrAZcEKtJl4adPdIxNhOMz4ULUIaRySnrCFxEI3MxeJKxV9t2BtzdhVm4YQzs6l0cDSdhrvOmNTp7CF1eGA4m/k3FcEt/Qx2z4sUjK9uoQqODqyAyr74LrnN43BZu1jDZswgt1mleECo170Y4bxrtlK/BcGbNxPUGwt7JPSHNUQXHTG40ENwsq6gD6hcuuilHKZy10VRxAXTcbFwt7Js8nuI/vliyNLipfhGvDMeEdkOuh+GjKvM/QEhzzPC9aeikEqlpsBGD7as59JWTYUDorAlmVzB81d6CSaCiF7cPmd3P0nqhWTVF0aQDS5F7fRA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qhkhHNzgbcLhWkz22wuzEyKlIGLRxuAn3HR6BhcgqGQ=; b=Jy0RpU+Ko+yAN84OG9piJ5CSPng1UMEdjFIQvPIoTmBNAH1M6jaVC6+cgIcWSuwFHb0bDPxqceIvOSLYGk5DMbE1qepkgs0lXJyPo0lyQ3bnbeOj6CVncOojhHckS7pR283GdwjupKmvg6EvbN/CogS1DgvJitUXF433lDfutdmVu9HTSMURyXZHulJE612EJSQyx+F39QBttxIlwZpzIRpYByEZNxMJdJkVoGA6E7ML+3UEqkiA/X8s9thkI/ohpjJlev4OdGJ84Ghnki51Dx+lsYvtM0uh3SMJY86jZmJQVRWi4KFel+BY/HLyTaPgcYfsHe3yf0IbyiVZzQsCyQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=ericsson.com;dmarc=pass action=none header.from=ericsson.com;dkim=pass header.d=ericsson.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qhkhHNzgbcLhWkz22wuzEyKlIGLRxuAn3HR6BhcgqGQ=; b=YhlydiSY76ZDALThJI91VxJPcoNhv6X8bNfuSY1DosWOjNkyT18s7HCHLWfSUPIYDlszJJv/DNRAsc/bfkGuFO9aKd0fh79+RUfmH4FYsp0zGR0q9UpR/yIScorwC4Xf37fKW2xjxq2sX7KN55JZH2CFk8Sy1fZe4BRBWZ2OZo0=
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com (10.170.245.23) by HE1PR07MB3129.eurprd07.prod.outlook.com (10.170.245.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2094.7; Thu, 11 Jul 2019 17:55:20 +0000
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43]) by HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43%5]) with mapi id 15.20.2073.008; Thu, 11 Jul 2019 17:55:20 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "Olle E. Johansson" <oej@edvina.net>
CC: Paul Kyzivat <pkyzivat@alum.mit.edu>, "sipcore@ietf.org" <sipcore@ietf.org>
Thread-Topic: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
Thread-Index: AQHVNLWxruT/m/C2REGBvr04oIfCDqa/Al8AgAHwRACAACa0QIAAOvWAgACKbgCAAH00gIAARqSA///Z+ACAADMUgP//1TCAgABAXACAATj+gIAAOeSAgABE8QCAALlBgIAAP24AgAA4AgCAADVqAP//0S4AAAcGhIA=
Date: Thu, 11 Jul 2019 17:55:19 +0000
Message-ID: <88220567-FF78-4680-B724-1FB9D72F2FBD@ericsson.com>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu> <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com> <5bb63c0c-130d-7f69-10b0-1ed1b274cc58@alum.mit.edu> <87AD4BB8-CE77-4FD7-BB72-6643DF513058@ericsson.com> <168b1354-b35b-edee-e5f9-d4ddbecfae40@alum.mit.edu> <607A513F-8616-4777-8B5E-59390E845709@ericsson.com> <b6ca4c79-5a17-10da-3882-20bc8b0e9b98@alum.mit.edu> <89A28FAE-A25A-4AFF-9A94-91E09FDD6C3B@ericsson.com> <2aa8cb91-aac6-b66e-e54a-b9f6c650ce02@alum.mit.edu> <D7218ABE-F204-407B-ADE1-39DAB98C2A98@ericsson.com> <cd23be26-c383-8b72-cdf1-4436a6bc175f@alum.mit.edu> <3B02CDE8-77C3-4DD8-940B-8B41993FFD1D@edvina.net> <C87ED703-09CE-452F-AF03-ECD05BAF6334@ericsson.com> <104E5E9E-8294-4DE0-A2DA-19199C2CD2BE@edvina.net>
In-Reply-To: <104E5E9E-8294-4DE0-A2DA-19199C2CD2BE@edvina.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1a.0.190609
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [89.166.49.243]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: beb503a6-34f8-4ef9-33d4-08d70628f093
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:HE1PR07MB3129;
x-ms-traffictypediagnostic: HE1PR07MB3129:
x-microsoft-antispam-prvs: <HE1PR07MB31296F49C3DD34B50AD872F693F30@HE1PR07MB3129.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0095BCF226
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(346002)(366004)(39860400002)(376002)(136003)(189003)(199004)(305945005)(81166006)(3846002)(66446008)(71190400001)(99286004)(81156014)(7736002)(71200400001)(76176011)(8676002)(6436002)(6506007)(6486002)(64756008)(66476007)(66556008)(6116002)(229853002)(25786009)(5660300002)(102836004)(2906002)(486006)(66946007)(8936002)(26005)(76116006)(256004)(14444005)(58126008)(36756003)(68736007)(478600001)(316002)(44832011)(6916009)(66066001)(53936002)(14454004)(33656002)(6246003)(476003)(2616005)(4326008)(446003)(11346002)(186003)(86362001)(54906003)(6512007); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3129; H:HE1PR07MB3161.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: golwWG0FeDfMIz0ATFvFauY60NHRiznYKGgwG0vshOSri5VXHJF7H/U9SIYrsziI0kygHbnxSDFkIbmYRj/TLejOcFqBzPmRGsUBF0a+FxXkN46+ys3DOgjz8M4H3DZOI9jlt4RugzJBsCyrKEm428urnhAxOq0Pi0s6TcjsttSnK3b7a8FPDfOZtjURrClhT/c4TTmJN+uBMS95Zn857Dm2GymhssTsSau7KpEdrY7YIgcCrymHl6LH4TSno5v3ak0lExzyCJsbyfhXSi0Ub1vw9lDnlIPPThX5fSqpIJSHdH/jfqSSw37ruGJ3827UiLsvU7kX8y4au/ro3d4E20DTZIrH6huxD9d/z9Qu1/UTjM1mKjyBy1QHahEaoEVfL11e3EQDYq+C5JMJvQVHll0Y+nGJQ8hP5XYWcTsXinU=
Content-Type: text/plain; charset="utf-8"
Content-ID: <3D0C9517FDB3B943B18FCCF2449B763D@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: beb503a6-34f8-4ef9-33d4-08d70628f093
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jul 2019 17:55:19.9852 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: christer.holmberg@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3129
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/FN_KZe-5OGVGOrwjDnkWT6sInKs>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2019 17:55:27 -0000

Hi,

    >>>>>>> All I am saying is that one should not send a token to someone that it has NOT been issued for.
    >>>>>>       Then you are saying that a token should *never* be included in a request
    >>>>>>   to a target for which you have not received a challenge some time in the
    >>>>>>   past.
    >>>>>>       That is a bit extreme, but I guess you can specify that if you think it
    >>>>>>   is the right thing to do.
    >>>>> That is my understanding of the generic OAuth security considerations: you don't give a token to someone it was not intended for.
    >>>>> Of course, if you know (based on whatever configuration/policy) that it's ok to give the token to the target I guess you could do it.
    >>>>> 
    >>>>>>   But note that this logic won't always work for Proxy-Authenticate. You
    >>>>>>   *might* know that a particular proxy will be visited (if it is mentioned
    >>>>>>   on a Route header), but it is pretty common for the request to visit
    >>>>>>   proxies unknown (at least in advance) to the UAC.
    >>>>>  It is important to remember that, since the token needs to be protected, a proxy needs to have the associated protection credentials to be able to access the token.
    >>>> 
    >>>> I'm lost here. How is the token protected? Is it because it is passed by reference, and other credentials are needed to dereference it? Or is it passed by value but encrypted?
    >>>> 
    >>>> If it is protected, then why is there any concern over who it is given to?
    >>> 
    >>> Normally most tokens are just digitially signed, but clear text. It can be encrypted, but then the auth server need to know which key pair to encrypt it with, which in turn means
    >>> that the client needs to tell the auth server that which leads to a requirement to have parseable access tokens.
    >> 
    >>    I think the oauth2 token can be delivered non-encrypted to the SIIP UA over HTTPS. The SIP UA can then encrypt the oauth2 token before sending it over SIP.
    > Now you have to have a shared key pair between every UA and the intended SIP server. That’s far more complex than having it in the authorization server.

    Now we are coming back to where this would actually be used :)

    Again, the only use-case I am aware of is SIP registration, and then the only "intended SIP server" is the registrar.

    In any case, I think this is a deployment question, so we don't need to mandate one way or another. What matters is that the JWT is protected on the SIP interface.

    > You put a lot of trust in TLS, which is fine. How do you handle intercepting TLS proxys in the path in this scenario?

    I guess we'd have to ask the OAuth experts about that, but in general I think we can put as much trust in HTTPS as any else does :) 

    And, for the SIP registration case, I don't think it even would be a problem for the authorization server to maintain the keys of the UA and the registrar.

    At the end of the day, you have to choose a solution that fits your use-case. Maybe this solution isn't feasible for all use-cases, even if it technically supports them. OAuth may fit certain use-cases better than others, and there is nothing we can do about that.
   
    Regards,

    Christer

v2.23.0 | Report a Bug | By Email