IETF Logo Mail Archive

Re: [sipcore] draft-ietf-sipcore-digest-scheme comments

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Sat, 25 May 2019 11:33 UTC

Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6558A120175 for <sipcore@ietfa.amsl.com>; Sat, 25 May 2019 04:33:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ADhZGIG9YHtI for <sipcore@ietfa.amsl.com>; Sat, 25 May 2019 04:33:25 -0700 (PDT)
Received: from mail-io1-xd2c.google.com (mail-io1-xd2c.google.com [IPv6:2607:f8b0:4864:20::d2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB24112013E for <sipcore@ietf.org>; Sat, 25 May 2019 04:33:23 -0700 (PDT)
Received: by mail-io1-xd2c.google.com with SMTP id x24so9779411ion.5 for <sipcore@ietf.org>; Sat, 25 May 2019 04:33:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KhuQEeCVqLsSVuqlUoWVkqIA8ZrMzj5bbqcij1cuSew=; b=rBgT4nEjardVWN3qpMjWrNh8/gwqxi8gQEmh+65qFnscdj+ZwxmpeSOuUKH8cEtaQe 8n6tL/nGN+2sVzSOuoe/IcYK079MASJ6rFlTqTq37qYYqmjHmMSqTR7Vz8CRckqTMrml HlfWbu+7DXkfTmABN1tYS6l0PMH7qA/TBde1wpuIfCn8LAIKG/6zPHvvZd/TntCHnc1I jDMHsGUBSPGsop4uyjRWT8dMdWbfoKhW0mViMM7fGz/8kTiDa0pLNoFlUdf5HR+wtihf wKytMHwVf8NH4+wgmyNgXMgDoNrN/LJreOd5IKZE/U2+bE2pO8GOGS8R/vEqIlYx8iSW F4dg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KhuQEeCVqLsSVuqlUoWVkqIA8ZrMzj5bbqcij1cuSew=; b=SZvNm3oz10UbPKBXu4cpYZ5nHdpHBbattlT0IWqRWzDX/R55j+uUukLbTsETpV8Gz8 wUZ+wIn7uEzv3I4WpKwaUbtdPBsYYzVr1fe+voA5JDWukZijV9cl1QZgL9nRJyyKSY5B w3nHOKF9CzY/gFk9zXeGmyK6zbVAS1vugtH8yNgowxqMMKm7HBl8SkvsJBxDr5bZMhUi F1fUbZXlB5MLSQiXhj0g0Ocdfg/KAQpCrcuVgKNT0VPD7i6/kiw/Q26JUVzBTlFLqYVZ KqcYMeNREnjXKWpo0o0KE6N+RBqRk5Ed8AwcwUTgwOBrdBxWc3MXWjfANrvQTefV49I9 zHUw==
X-Gm-Message-State: APjAAAUQyPBbgqq3qQD/eoewmfjVdluBoSd4RhuU+3JP4Ncr20bN9qUe rMZ/teZv1TyVOm2EAILGF8djVMsZZHa3GqArCWQ=
X-Google-Smtp-Source: APXvYqwp/Z0HoOoJNvaO249zbSIzp7c8R3e75seNTpD9r/4OgVEKg0Wd2HVwFXjZ8jwtmtHI3Ko9tk+sjDfbwM3dAiQ=
X-Received: by 2002:a6b:7a49:: with SMTP id k9mr2539310iop.73.1558784003166; Sat, 25 May 2019 04:33:23 -0700 (PDT)
MIME-Version: 1.0
References: <DE595AFF-5DEA-4A32-8527-10B841D6C7C1@edvina.net> <CAGL6epLMHoneH6PNgeF5TgJhveh-xWeZSW6XQDBB2Gf5mS9eRQ@mail.gmail.com> <C1431DCD-C4DD-4BFA-9C5D-E4DFE7B0F2DA@edvina.net> <B4A08741-A092-480C-AE12-2DD25D7835D0@ericsson.com>
In-Reply-To: <B4A08741-A092-480C-AE12-2DD25D7835D0@ericsson.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Sat, 25 May 2019 07:33:11 -0400
Message-ID: <CAGL6epJTv+Dytk_VHNi4Sk0mimVj=cMqWR4u9uSg1q+RcUQJ_Q@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: "Olle E. Johansson" <oej@edvina.net>, SIPCORE <sipcore@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ca57420589b4ae83"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/MZjK97VnR_3k2QD3bof_23qpf8U>
Subject: Re: [sipcore] draft-ietf-sipcore-digest-scheme comments
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 May 2019 11:33:29 -0000

Inline...

On Tue, May 21, 2019 at 4:57 PM Christer Holmberg <
christer.holmberg@ericsson.com> wrote:

> Hi,
>
> ...
>
> >> Section 2.1:
> >>
> >> "Note that [RFC7616] defines a -sess variant for each algorithm; the
> >>   -sess variants are not used with SIP.”
> >>
> >> Is this already forbidden in 3261 or is this new proposed language? If
> so, “are not” should propably
> >> be something like “MUST not”
> >
> > I do not think that 3261 forbids the -sess variant, and I do not see the
> need to forbid it here either
> > So then I suggest we remove the statement that the -sess variants are
> not used with SIP.
>
> If -sess variant was defined in RFC 7616, it was obviously not mentioned
> in RFC 3261 __
>
> What is the difference between the session variant and the non-session
> variant? What is meant by "session"? RFC 7616 doesn't give any explanation,
> and I couldn't find anything by googling either.
>
>
See RFC 7616, section 3.4.2 for more details.



> I do think we need to say *something*.
>

Any suggestion?



>
> ...
>
> >> Section 2.4:
> >>
> >> "When the UAC receives a response with multiple header fields with the
> >>   same realm it SHOULD use the topmost header field that it supports,
> >>   unless a local policy dictates otherwise.”
> >>
> >> Why a SHOULD? I would prefer a MUST.
> >
> > I can do that, but the last part of this paragraph states that local
> policy can override this recommendations anyway.
> > So, does it make any difference?
> > Should we allow that? Why would local policy enforce a downgrade?
> >
> >> “When the UAC receives a 401 response with multiple WWW-Authenticate
> >>   header fields with different realms it SHOULD retry and include an
> >>   Authorization header field containing credentials that match the
> >>   topmost header field of any one of the realms.”
> >>
> >> If you are disallowing multiple Authorization headers for the same
> realm,
> >> but with different algorithms I think this should be clearly written.
> In my
> >> view, that would be a good thing.
> >
> > This is allowed.
>
> RFC 3261 does not say anything about using the topmost header, does it?
>

I was referring to this document.



>
> >> "8.  Servers MUST be able to properly handle "qop" parameter received
> >>   in an authorization header field, and clients MUST be able to
> >>   properly handle "qop" parameter received in WWW-Authenticate and
> >>   Proxy-Authenticate header fields.  Servers MUST always send a "qop"
> >>   parameter in WWW-Authenticate and Proxy-Authenticate header field
> >>   values, and clients MUST send the "qop" parameter in any resulting
> >>   authorization header field.”
> >>
> >> This is not clear. If the servers MUST always send “qop” then we
> >> add that to SIP 2.0 with no backwards options or compatibility.
> >> Since you write “clients MUST be able to”… it seems like you
> >> assume that clients have a choise of whether they use it. I think
> >> one has to be a bit more clear so developers understands how
> >> to modify their implementations.
> >> In addition:
> >> Are we ready to require that all SIP 2.0 compliant software support QOP?
> >>
> >> Here is a quote form RFC3261:
> >> "Use of the "qop" parameter is optional in RFC 2617 for the purposes
> >> of backwards compatibility with RFC 2069; since RFC 2543 was
> >> based on RFC 2069, the "qop" parameter must unfortunately
> >> remain optional for clients and servers to receive."
> >>
> >> That is no longer the case with RFC7616.
> >> Since this is a change from RFC 3261 we propably want clarify that for
> developers.
> >> I think that if we want to modify RFC7616 for SIP, we can. The question
> still
> >> stands - are we ready to change the way current auth works today in
> SIP/2.0. There’s
> >> a lot of implementations out there that will suddenly not be
> standard-following.
> >>
> >> I’m not saying it’s a bad thing, just that we have to understand the
> implication.
>
> The typical way to solve this is to say that endpoints compliant with this
> specification must do this and that, but for backward compatibility also
> needs to be able to not do it.
>
> Regards,
>
> Christer
>
>
>

v2.23.0 | Report a Bug | By Email