IETF Logo Mail Archive

Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-authnz

Paul Kyzivat <pkyzivat@alum.mit.edu> Fri, 13 December 2019 17:37 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54CC0120855 for <sipcore@ietfa.amsl.com>; Fri, 13 Dec 2019 09:37:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alum.mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9PwEkScBO1xW for <sipcore@ietfa.amsl.com>; Fri, 13 Dec 2019 09:37:49 -0800 (PST)
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (mail-co1nam11on2089.outbound.protection.outlook.com [40.107.220.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EBA3120041 for <sipcore@ietf.org>; Fri, 13 Dec 2019 09:37:48 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IZsvbAPUuKm6apEPkStktrymi69ymcsM91M6y6DwF+7VYQYbkiUMw4KLICaIhiw0J3fMQENk+g4w599PSV4kCe5bcHJTNFjCT3fiu/IlTAZn8TO2GV8Wm4ZvS4UWSiHGBiAXF2n2g+AnVyLbpAUoMKJxY4nsZwInb7YVf8JzwUELkOB6xYC84Pmue60BePHprGU4mWUNZoSlyNRlR3C7aMkJR/JZiY1B7zx+TejWfl+61cn08k3+nYJVSOgGfXv4cfktY/eFz6chLN8hRY3JOkfqTHI97Z32Vnm9Y3MJHZ0R0kNZj5UZ9nMtA4OhGn51bvWvgzKH/WYa1lAg2cdBxA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OkRKFHAxQo5eaEqRV4f+uLguFPJgFGA4LyOUlU1SpBQ=; b=Qz5xbkeVEK4aWt3+vqouWJ3nvKpokRdTPvriBT+d6hn4pWtnyZZ6J3Tqh8HfmPlk2oeZy9L5jPizlwn+lTW4/pUXZiW4HLc32AJLtRC7l6jjOqozi5LVxbFV9IK0OlmcY5nRK6wSbbc1Rd9B8Sl/lLcQcKiv9USwWZHd1iMCoR/UAaoZ0tkh5uh9UBiq1QLGAVGEIoP3wzwPiqeWsvItx6ztkMJPDN7nF5rXpFKwQJnJsAS1+eCW5X3Br6lJvGCW1eRSMXUdGcY8g/y8546xGWq0O0755kIbvPLkR6hoSCqBmxq+0FF3EZCwdMmw33H9R2KaUpVbkvIuLjNXV4/S2A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 18.7.68.33) smtp.rcpttodomain=gmail.com smtp.mailfrom=alum.mit.edu; dmarc=bestguesspass action=none header.from=alum.mit.edu; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alum.mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OkRKFHAxQo5eaEqRV4f+uLguFPJgFGA4LyOUlU1SpBQ=; b=S4PXph3umnKaWn8aF8PcJ8+okRpY93yQQ6bV352MyjyLfxgYoAzrVmoPb837HWqW15YztV2LJedIjjYnp6DB+Wd7l/WlD5n0xbw6KnkgVCo3ztVNx+2Pqvj/jnAvi2Yn6P+SDpme2PM7Li1EcCJqzOW9vQwKooW7Swq+J6kRVPU=
Received: from BN6PR1201CA0014.namprd12.prod.outlook.com (2603:10b6:405:4c::24) by MN2PR12MB3936.namprd12.prod.outlook.com (2603:10b6:208:16a::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2538.18; Fri, 13 Dec 2019 17:37:47 +0000
Received: from SN1NAM02FT031.eop-nam02.prod.protection.outlook.com (2a01:111:f400:7e44::208) by BN6PR1201CA0014.outlook.office365.com (2603:10b6:405:4c::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2538.15 via Frontend Transport; Fri, 13 Dec 2019 17:37:46 +0000
Authentication-Results: spf=pass (sender IP is 18.7.68.33) smtp.mailfrom=alum.mit.edu; gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=bestguesspass action=none header.from=alum.mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of alum.mit.edu designates 18.7.68.33 as permitted sender) receiver=protection.outlook.com; client-ip=18.7.68.33; helo=outgoing-alum.mit.edu;
Received: from outgoing-alum.mit.edu (18.7.68.33) by SN1NAM02FT031.mail.protection.outlook.com (10.152.72.116) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2538.14 via Frontend Transport; Fri, 13 Dec 2019 17:37:46 +0000
Received: from Kokiri.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id xBDHbhAQ016758 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 13 Dec 2019 12:37:44 -0500
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Cc: Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>, SIPCORE <sipcore@ietf.org>
References: <9b7ddc2f-d54a-bbaa-8e56-276c8bed725f@nostrum.com> <d7efa4c6-ac85-58ac-1c6c-5b09d955ab00@alum.mit.edu> <76BD0473-8921-4931-9AEE-1880C3AA6A57@ericsson.com> <CAGL6epLqymO26cY2U=NEGgMXAA6BE+NBf12UtOkkFXxKoWdp-Q@mail.gmail.com> <8bc9d0f1-2b13-6ee0-73a5-8056c186b029@alum.mit.edu> <CAGL6epLcv-Y+u86RgWvLuzRoNKaviF-8Uv7R52Okd_zxyi_0jA@mail.gmail.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <9fc74274-2fd8-00e2-74ce-56ce771bba85@alum.mit.edu>
Date: Fri, 13 Dec 2019 12:37:43 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <CAGL6epLcv-Y+u86RgWvLuzRoNKaviF-8Uv7R52Okd_zxyi_0jA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.7.68.33; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10009020)(189003)(199004)(26005)(7596002)(246002)(8936002)(8676002)(70586007)(54906003)(70206006)(36906005)(31696002)(6916009)(86362001)(336012)(76130400001)(53546011)(186003)(2906002)(498600001)(75432002)(26826003)(356004)(2616005)(956004)(4326008)(5660300002)(31686004)(30864003); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR12MB3936; H:outgoing-alum.mit.edu; FPR:; SPF:Pass; LANG:en; PTR:outgoing-alum.mit.edu; MX:1; A:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: d4676310-e15d-42e7-23bc-08d77ff32a97
X-MS-TrafficTypeDiagnostic: MN2PR12MB3936:
X-Microsoft-Antispam-PRVS: <MN2PR12MB3936CDD88D740BEFA749C9E2F9540@MN2PR12MB3936.namprd12.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-Forefront-PRVS: 0250B840C1
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 1jo7kdkMq4pk3kFPAQaJhLdo8J6bHKvfqeMtlxj29ENRW/AcPQJ5fqBhJ4etyKoHca7OYY1tFyVaJ0eLWGmlsDGJobeO3i7v+C4m5+d+PJEzP4WhAh8PtQGs5TUYVDaUEtwvosZxdZobiiDkXZqFsk8PU/ec35gg8lRZ2jdNAJvXE9aC23xdvh92swgJB1gvmeI2GOa96EacV+35tD57qaeRcrmx/1CnSawRwWsL1kxaCskyU5zxshFZCdD89VnXUclzdHqxKxzCpydWu9OkmQ5Zg4K5p33uyIINW07wIpHKLyHaE4VyQJg0cw4nGbD6a4MzHzJcKdOqsFYGx4+gh6ReZ36J999TqrGSMRB3wddsKDR8FB0q3dt4SCD/wUu2yzmN27TQER+7jYZ4QID6JjE3OYjcg7jwjueo8A/u+NtsmpQJo01lin9ZROhozrJD
X-OriginatorOrg: alum.mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Dec 2019 17:37:46.1690 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: d4676310-e15d-42e7-23bc-08d77ff32a97
X-MS-Exchange-CrossTenant-Id: 3326b102-c043-408b-a990-b89e477d582f
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3326b102-c043-408b-a990-b89e477d582f; Ip=[18.7.68.33]; Helo=[outgoing-alum.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR12MB3936
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/GhcngHfbn4VJpdPzkXDVGG1GwQU>
Subject: Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-authnz
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Dec 2019 17:37:52 -0000

On 12/13/19 9:02 AM, Rifaat Shekh-Yusef wrote:
> 
> 
> On Sun, Dec 8, 2019 at 5:17 PM Paul Kyzivat <pkyzivat@alum.mit.edu 
> <mailto:pkyzivat@alum.mit.edu>> wrote:

>     I'm assuming responses to my other points will be coming later.
> 
> Christer provided feedback on the rest of you comments. Do you have any 
> further comment on Christer's responses?

Hmm. I can find no evidence that I received Christer's reply. But I have 
now found it in the archives. I will reply based on the text from the 
archive. I'm sorry that this isn't properly threaded into the replies.

On 12/13/19 9:02 AM, Christer Holmberg wrote:

> Hi Paul,
> 
> My comments on some of your SIP-related issues (I am not addressing your issues on Sections 2.1.1 and 2.1.2 in this reply). 
> 
>>    * Section 2.1.4:
>>    
>>    This section says that the UAC MUST include an Authorization header 
>>    field with the Bearer scheme. This is overly strong.
>>    
>>    This should be an explanation that *if* it has received a challenge 
>>    containing the Bearer scheme then to resolve that particular challenge 
>>    it needs to send a request with an Authorization header field containing 
>>    the response to that challenge, including the Bearer scheme.
>   
> I suggest that we expand the first paragraph in the section. Something like:
> 
> "The procedures in this section apply when the UAC has received a challenge that contains a Bearer scheme, 
> and the UAC has obtained a token as specified in section Section 2.1.1."

OK

>>    (But note that if there were multiple challenges with different schemes 
>>    then it maybe able to successfully retry the request using non-Bearer 
>>    credentials.)
>>    
>>    I don't understand what distinction you are trying to draw by 
>>    distinguishing the behavior for creating a binding from that for 
>>    refreshing a binding. AFAIK there should be no difference. And in fact 
>>    the UAC in general cannot know whether the request being send will 
>>    establish or refresh a binding.
>   
> It is important to point out that the same access token might not necessarily be used throughout the lifetime of the registration, if the previously included access token has expired.

Fine. It is good to cover that. But it shouldn't be conflated with 
creating vs. refreshing a binding. For instance, the UAC may have 
knowingly allowed a registration to expire and yet still cached the 
credentials (tokens). Then later it might want to reestablish a 
registration using cached credentials. At that time it can decide if its 
access token is still good, and if not use its refresh token to get a 
fresh one, and then either way use that preemptively in its register 
request.

> ---
>  
>>    * Section 2.1.5:
>>    
>>    This section has similar issues to section 2.1.4: The MUST is too 
>>    strong, and the reason for distinguishing between in-dialog requests 
>>    from others is unclear.
>   
> See my comments for 2.1.4.
> 
> ---
> 
>>    * Section 2.2:
>>    
>>    Again is overly strong in its use of MUST. I think it is evident that 
>>    the point being made is that a challenge containing Bearer scheme is the 
>>    way to indicate that is with a challenge with Bearer scheme, but the 
>>    text is at least awkward.
>>    
>>    How about:
>>    
>>        When a UAS or Registrar receives a request that fails to contain
>>        authorization credentials acceptable to it, it SHOULD challenge the
>>        request by sending a 401 (Unauthorized) response. To indicate that
>>        it is willing to accept an OAuth2 token as a credential the
>>        UAS/Registrar MUST include a Proxy-Authentication header field in the
>>        response, indicate "Bearer" scheme and include an address of an
>>        Authorization Server from which the originator can obtain an access
>>        token.
>   
> WFM.
>   
>>    In the second paragraph, please provide a reference:
>>    
>>        ... using the procedures from [RFC???] associated with the type of
>>        access token used.
>   
> Ok.
> 
> ---
>   
>>    * Section 2.3:
>>    
>>    Similar comment to section 2.2. How about the following for the first 
>>    paragraph:
>>    
>>        When a proxy receives a request that fails to contain
>>        authorization credentials acceptable to it, it SHOULD challenge the
>>        request by sending a 407 (Proxy Authentication Required) response.
>>        To indicate that it is willing to accept an OAuth2 token as a
>>        credential the proxy MUST include a Proxy-Authentication
>>        header field in the response, indicating "Bearer" scheme and
>>        including an address to an Authorization Server from which the
>>        originator can obtain an access token.
>   
> WFM.
> 
>>    I don't think the second paragraph should condition any behavior on 
>>    whether it has previously challenged. That requires that the proxy be 
>>    stateful, and it isn't a necessary condition. Instead, how about:
>>    
>>        When a proxy wishes to authenticate a received request, it MUST
>>        search the request for Proxy-Authorization header fields with 'realm'
>>        parameters that match its realm. It then MUST successfully validate
>>        the credentials from at least one Proxy-Authorization header field
>>        for its realm. When the scheme is Bearer the proxy MUST validate the
>>        access token, using the procedures from [RFC???] associated with the
>>        type of access token used.
>   
> WFM.
> 
> ---
> 
>>    * Section 3:
>>    
>>    The following:
>>    
>>        The realm and auth-param parameters are defined in [RFC3261].
>>    
>>    is incomplete, because it is missing 'challenge', 'realm', and 
>>    'https-URI. (Where is https-URI defined?) 
>>
>> Another way to do this is by  adding the following to the syntax:
>>    
>>            challenge = <defined in RFC3261>
>>            realm = <defined in RFC3261>
>>            auth-param = <defined in RFC3261>
>>            scope = <defined in RFC6749>
>>            error = <defined in RFC6749>
>>            https-URI = <where???>
>>    
>>    (This helps those who might try to formally validate the syntax because 
>>    it removes undefined parameters.)
> 
> The section does enhance 'challenge', so I guess we can add text saying that 'challenge' is defined in RFC 3261.
> 
> Regarding the other parameters, the text already says where they are defined.
> 
> Or, are you saying that you want the references in the syntax, rather than in the normative text?

I'm just *suggesting* that doing so in ABNF will make life easier for 
anybody who wants to process the abnf using tools.

>>    Also, 'scope' and 'error' are very generic rule names being used in a 
>>    very restricted context. While these are not defined in RFC3261, there 
>>    is the potential conflict with other extensions. I'd recommend using 
>>    more specific terms. E.g.,
>>    
>>            challenge  =/  ("Bearer" LWS bearer-cln *(COMMA bearer-cln))
>>            bearer-cln = realm / bearer-scope / authz-server / bearer-error /
>>                         auth-param
>>            authz-server = "authz_server" EQUAL authz-server-value
>>            authz-server-value = https-URI
>>
>>            challenge = <defined in RFC3261>
>>            realm = <defined in RFC3261>
>>            auth-param = <defined in RFC3261>
>>            bearer-scope = <defined as scope in RFC6749>
>>            bearer-error = <defined as error in RFC6749>
>>            https-URI = <where???>
> 
> The HTTP WWW-Authenticate header field uses 'error' and 'scope', and I think it would be good to be aligned.

The context in which abnf from HTTP is processed is distinct from that 
in which SIP abnf is processed.

Consider somebody who is trying to pull together complete abnf for sip 
and all the sip extensions that they implement. All the rule names newly 
defined in one sip extension need to be distinct from those defined in 
other sip extensions. (Except in cases of extensions to extensions.)

If the new rule names are sufficiently unique to effectively eliminate 
conflicts then all should be good. If common words are used as rule 
names, then multiple extensions may inadvertently conflict. We have no 
mechanisms for easily detecting such conflicts.

I'm just trying to suggest practices that help with this. I don't think 
that what I suggest above will confuse anyone that is familiar with the 
HTTP abnf.

>>    Regarding the scope parameter:
>>    
>>    This parameter is conveyed from the registrar to the UAC. But what is 
>>    the UAC to do with it? How does it have any control over the scope of 
>>    the token it gets from the AS? Is the UAC supposed to convey this to the 
>>    AS? If so, how?
>   
> The UAC will get the scope from the AS, and will forward it towards the UAS/registrar.

I'm confused. According to RFC6749 the client and user agent are passing 
the scope *to* the AS. Then (I think) that influences whether a token is 
returned and if so which one. In our context here, I gather that the 
registrar is conveying the scope for credentials it will accept. Then I 
guess the UAC is expected to pass this on to the AS.

I think the processing of scope needs more explanation.

>>    Regarding the error parameter:
>>    
>>    Is this just intended to be of help in debugging the UAC? Or is it 
>>    expected that the UAC might take some sort of pre-programmed action in 
>>    response? If the latter, how might that work? Is this information 
>>    suitable for presentation to the user?
>   
> I see no reason why it can't be presented to the user, and I guess the UAC actions depend on what the error code is.
> 
> However, as the parameter is described in RFC 6749, I don't think we need to repeat that in this draft.

I'm not sure I understand it there, but it appears to me that the error 
parameter is returned by the AS to the client in response to a request 
for a token. In that case I don't see why it will be present in a 
WWW-Authenticate header field.

Can you explain the flow that results in this being in WWW-Authenticate?

> ---
>   
>>    * Section 4:
>>    
>>    I agree with Dale - I don't see any value in this tag. I tried to search 
>>    for all discussion on the point. The discussion attributes me with 
>>    requesting it, but I don't think I did.
>   
> It was Olle who requested it.
> 
> However, I don't see any harm in having it. It allows the UAC to inform proxies/UAS/Registrar whether it supports the bearer scheme.

There is no particular harm other than added complexity and the 
likelihood that others will in the future ask about it.

> ---
> 
>>    * Missing:
>>    
>>    I find no syntax extensions for Authorization and Proxy-Authorization. 
>>    These need to be added.
>   
> Ok.

	Thanks,
	Paul

v2.23.0 | Report a Bug | By Email