Re: [sipcore] No WebSocket level authentication scenario [was RE: I-D Action: draft-ietf-sipcore-sip-websocket-09.txt]
Iñaki Baz Castillo <ibc@aliax.net> Wed, 19 June 2013 22:11 UTC
Return-Path: <ibc@aliax.net>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A399121F9B8F for <sipcore@ietfa.amsl.com>; Wed, 19 Jun 2013 15:11:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.658
X-Spam-Level:
X-Spam-Status: No, score=-1.658 tagged_above=-999 required=5 tests=[AWL=0.020, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oUY0qon5W7lr for <sipcore@ietfa.amsl.com>; Wed, 19 Jun 2013 15:11:08 -0700 (PDT)
Received: from mail-qa0-x22a.google.com (mail-qa0-x22a.google.com [IPv6:2607:f8b0:400d:c00::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 7D36521F9C53 for <sipcore@ietf.org>; Wed, 19 Jun 2013 15:11:04 -0700 (PDT)
Received: by mail-qa0-f42.google.com with SMTP id hu16so758331qab.15 for <sipcore@ietf.org>; Wed, 19 Jun 2013 15:11:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding:x-gm-message-state; bh=08/h9OhwVda/oxiwBiB8bc4A71A+hRtdfvpzkxnFVNo=; b=Nde/4XS0VkzKKxU/l1yPTODpCPlmRaKRZWhLcVgd/daHpIx2NBtGDMOqp+PaSFlvAy osYsQTT9o+9V86Ek64RFwuCndUgCpv6U7BKR9Z6TAutIJ4KRBtrWFbbmv5zGdEon8bt4 HGy9jXD/xdiaY417qPl600xdbwV82+GJcwouB0PO10Z7nUDQ9GYW7s+4jOXwM+O00+ss tmAsrVWwftFd3DvcsaMsk3s0/8MkXeBFJ27rkwdGmNKalDedxypp2+/fRO6pVLV9whwO vdp+SwS3IQ432t+pQ5kuX6ELZcKkvJlNkJC9+XPEkRnR5/gLwVgv4xQmRtcEZwKp/SsF firg==
X-Received: by 10.49.14.161 with SMTP id q1mr6135819qec.50.1371679863646; Wed, 19 Jun 2013 15:11:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.49.67.65 with HTTP; Wed, 19 Jun 2013 15:10:43 -0700 (PDT)
In-Reply-To: <949EF20990823C4C85C18D59AA11AD8B055194@FR712WXCHMBA10.zeu.alcatel-lucent.com>
References: <20130613011708.18316.28106.idtracker@ietfa.amsl.com> <CALiegfkg-KU1bB01eLXuksZV1ehBY92uf+0+F3fQuha-WnOS1A@mail.gmail.com> <013c01ce6c4e$29e33c90$7da9b5b0$@co.in> <CALiegfnQ8=R1PRbHwPSDjJ=jH+bBeiNqjU12yr8KmJvHWQg1Mg@mail.gmail.com> <12FDD6C8-F172-4B3B-A83A-211CF553DA1A@ag-projects.com> <CALiegfneR2MwFEgGnZVtNJUXbDv0Mw0uWK2RYOGi-euWvYpR1g@mail.gmail.com> <949EF20990823C4C85C18D59AA11AD8B055194@FR712WXCHMBA10.zeu.alcatel-lucent.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
Date: Thu, 20 Jun 2013 00:10:43 +0200
Message-ID: <CALiegf=Q3TszCXUWPmdjDmFgap6V2e=RZS0t+fmUKOsLK7Lk_w@mail.gmail.com>
To: "DRAGE, Keith (Keith)" <keith.drage@alcatel-lucent.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQmGc0ql6wNn9ktyQTWiDSdH7j24TfZx9lmsalb1KeA+VppXufCjwoJuYP3pcFlVATHw5s0g
Cc: "SIPCORE (Session Initiation Protocol Core) WG" <sipcore@ietf.org>, Saúl Ibarra Corretgé <saul@ag-projects.com>, Parthasarathi R <partha@parthasarathi.co.in>
Subject: Re: [sipcore] No WebSocket level authentication scenario [was RE: I-D Action: draft-ietf-sipcore-sip-websocket-09.txt]
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jun 2013 22:11:08 -0000
Thanks a lot Keith, it's clear. I will address it in next revision. 2013/6/19 DRAGE, Keith (Keith) <keith.drage@alcatel-lucent.com>: > I would not use RFC 3261 as justification for what should, or should not, be said about authentication. The current RFC 3261 would probably fail a security directorate review if it was attempted to be approved as an RFC now. > > (I'd also point out that for any security consideration of RFC 3261, one should also read RFC 5630.) > > So I would suggest you conduct an independent security evaluation of what is needed. > > For the use case you give: > >> A website (a shop) offers a widget in which the visitor can click and >> made a SIP call (+WebRTC) that will end in the callcenter of the >> company, answered by an agent that will inform the user about the >> product he is interested in. Why do we require WWW or SIP >> authentication in this scenario? > > I'd suggest that the issue to be discussed is what happens when the action described results in a transaction of some form to a third party (in the SIP case a call). The visitor then includes information that will be relayed to the third party. Who does the third party rely on to ensure that information is authentically given by the visitor. > > Regards > > Keith > > > >> -----Original Message----- >> From: sipcore-bounces@ietf.org [mailto:sipcore-bounces@ietf.org] On Behalf >> Of Iñaki Baz Castillo >> Sent: 19 June 2013 12:32 >> To: Saúl Ibarra Corretgé >> Cc: SIPCORE (Session Initiation Protocol Core) WG; Parthasarathi R >> Subject: Re: [sipcore] No WebSocket level authentication scenario [was RE: >> I-D Action: draft-ietf-sipcore-sip-websocket-09.txt] >> >> 2013/6/19 Saúl Ibarra Corretgé <saul@ag-projects.com>: >> > Why is authentication a MUST? Lets assume that I'm using UDP and my >> proxy establishes a WS connection with a foreign domain's proxy because of >> NAPTR and my proxy supports acting as a WS client. It obviously won't be >> able to authenticate. If this scenario supposed to be covered? >> >> Honestly I agree. I cannot find in RFC 3261 (or other RFCs) a >> normative statement mandating authentication, regardless the request >> comes from a UA. >> >> In another thread we are discussing about MTI authentication >> mechanisms that must be implemented by SIP WS Clients and Servers. >> IMHO that is correct, but mandating SIP authentication or WWW >> authentication for ALL the scenarios seem innapropriate for me. I come >> back to an use case: >> >> A website (a shop) offers a widget in which the visitor can click and >> made a SIP call (+WebRTC) that will end in the callcenter of the >> company, answered by an agent that will inform the user about the >> product he is interested in. Why do we require WWW or SIP >> authentication in this scenario? >> >> If WG agrees with this, I will remove the normative statements in >> "Authentication" section, and instead address the MTI authentication >> mechanisms. >> >> >> -- >> Iñaki Baz Castillo >> <ibc@aliax.net> >> _______________________________________________ >> sipcore mailing list >> sipcore@ietf.org >> https://www.ietf.org/mailman/listinfo/sipcore -- Iñaki Baz Castillo <ibc@aliax.net>
- [sipcore] I-D Action: draft-ietf-sipcore-sip-webs… internet-drafts
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Iñaki Baz Castillo
- [sipcore] No WebSocket level authentication scena… Parthasarathi R
- Re: [sipcore] No WebSocket level authentication s… Iñaki Baz Castillo
- Re: [sipcore] No WebSocket level authentication s… Saúl Ibarra Corretgé
- Re: [sipcore] No WebSocket level authentication s… Iñaki Baz Castillo
- Re: [sipcore] No WebSocket level authentication s… DRAGE, Keith (Keith)
- Re: [sipcore] No WebSocket level authentication s… Iñaki Baz Castillo
- Re: [sipcore] No WebSocket level authentication s… Paul Kyzivat
- Re: [sipcore] No WebSocket level authentication s… Parthasarathi R
- Re: [sipcore] No WebSocket level authentication s… Paul Kyzivat