Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Wed, 10 July 2019 07:18 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Roman Shpount <roman@telurix.com>
CC: "sipcore@ietf.org" <sipcore@ietf.org>
Date: Wed, 10 Jul 2019 07:17:47 +0000
Message-ID: <HE1PR07MB316136FF32614875E4F6379593F00@HE1PR07MB3161.eurprd07.prod.outlook.com>
In-Reply-To: <CAGL6epJWXBTcnNk3nMN3Yfsh5y6+pddQSW_MbkAdNZbmWf6_Gg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/JTzbrFl_c76K22RJBDQ5HhO5ylk>

Hi,

To clarify my comment, as Rifaat said, the document does allow the use of access tokens to authenticate non-REGISTER requests.

I questioned whether the draft needs to cover such use-cases.

Regards,

Christer


From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Sent: 10 July 2019 03:30
To: Roman Shpount <roman@telurix.com>
Cc: Christer Holmberg <christer.holmberg@ericsson.com>; sipcore@ietf.org
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

The document clearly allows the use of access tokens to authenticate non-REGISTER requests when challenged in the context of the same realm.

Whether that is needed or not is a different discussion.
Assuming the UA was able to authenticate the user and obtain an access token, then establish an authenticated TLS channel with the server, and register the user; is there a need for further challenges from the server?

Regards,
 Rifaat


On Tue, Jul 9, 2019 at 7:27 PM Roman Shpount <roman@telurix.com> wrote:
On Tue, Jul 9, 2019 at 7:17 PM Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> wrote:
Can you provide a real-life example of a confidential UA using OAuth for registration only and not generating calls or sending any messages in dialog (or using a different authentication method for these actions)?

What? Why do you think that is the case?
How did you get to the conclusion that the UA will not be able to make a call?


Quoting Christer:

As far as I know, OAuth for SIP has only been used for REGISTER requests, between the UA and the registrar. I have never heard about anyone using it for non-REGISTER authentication, and I wonder whether we even need to cover it in the draft.

So, I am trying to understand the use case where:

1. UA is confidential
2. OAuth is used for registration only
3. Other messages are not sent or different authentication method is used for them, i.e. calls and in dialog messages are not initiated or initiated using a different authentication method.

So far, I cannot figure out what this is.

Best Regards,
_____________
Roman Shpount
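The point Rifaat and Christer agree on above, that a UA may answer a challenge on any request (REGISTER or not) with its access token only when the challenge is for the same realm the token was obtained for, is small enough to show as UA-side logic. The block below is an added example written for this page; it is not code from the draft or from any of the participants. It assumes the Bearer-style challenge syntax (WWW-Authenticate / Proxy-Authenticate: Bearer realm="...") and a per-realm token cache; the SIP responses and the token value are constructed samples.

```python
from __future__ import annotations

import re
from typing import Optional

# Hypothetical UA state: access tokens indexed by the realm they were obtained for.
# The token value is a constructed placeholder, not a real credential.
TOKEN_CACHE: dict[str, str] = {"example.com": "constructed-access-token"}

# "Scheme param=value, param="quoted value"" -- the Bearer challenge shape is assumed.
CHALLENGE_RE = re.compile(r"^(?P<scheme>\w+)\s+(?P<params>.*)$")
PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_sip_response(raw: str) -> tuple[int, dict[str, list[str]]]:
    """Split a SIP response into (status code, header name -> values), names lower-cased."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])          # "SIP/2.0 401 Unauthorized" -> 401
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def parse_bearer_challenge(value: str) -> Optional[dict[str, str]]:
    """Return the challenge parameters if this is a Bearer challenge, else None."""
    m = CHALLENGE_RE.match(value)
    if not m or m.group("scheme").lower() != "bearer":
        return None
    return {k: (quoted or unquoted) for k, quoted, unquoted in PARAM_RE.findall(m.group("params"))}


def answer_challenge(raw_response: str) -> Optional[tuple[str, str]]:
    """Decide how to retry after a 401/407.

    Returns (header name, header value) to add to the retried request, or None when
    the UA must not answer with a cached token. The decision does not depend on the
    request method: a REGISTER and an INVITE challenged for the same realm get the
    same token. A challenge for a realm the UA holds no token for gets nothing, so the
    token is never handed to a server it was not obtained for.
    """
    status, headers = parse_sip_response(raw_response)
    if status == 401:
        challenges, out_header = headers.get("www-authenticate", []), "Authorization"
    elif status == 407:
        challenges, out_header = headers.get("proxy-authenticate", []), "Proxy-Authorization"
    else:
        return None
    for challenge in challenges:
        params = parse_bearer_challenge(challenge)
        if params is None:
            continue                                  # Digest or other scheme: not handled here
        token = TOKEN_CACHE.get(params.get("realm", ""))
        if token is None:
            return None                               # foreign realm: obtain a token for it first
        return out_header, f"Bearer {token}"
    return None


# Constructed sample responses (not captured traffic).
SAME_REALM_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/TLS ua.example.com;branch=z9hG4bK-1\r\n"
    'WWW-Authenticate: Bearer realm="example.com"\r\n'
    "Content-Length: 0\r\n\r\n"
)
FOREIGN_REALM_407 = (
    "SIP/2.0 407 Proxy Authentication Required\r\n"
    'Proxy-Authenticate: Bearer realm="other.example"\r\n'
    "Content-Length: 0\r\n\r\n"
)
DIGEST_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    'WWW-Authenticate: Digest realm="example.com", nonce="abc", algorithm=MD5\r\n'
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, resp in [("REGISTER/INVITE, same realm", SAME_REALM_401),
                        ("INVITE via proxy, foreign realm", FOREIGN_REALM_407),
                        ("Digest challenge", DIGEST_401)]:
        print(label, "->", answer_challenge(resp))
```

The same decision applies whether the challenged request is the REGISTER or a later INVITE, which is what "in the context of the same realm" buys the UA; what it does not do is answer a Digest challenge or a challenge from an unknown realm with the token.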