IETF Logo Mail Archive

Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-authnz

Christer Holmberg <christer.holmberg@ericsson.com> Mon, 09 December 2019 08:37 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71D53120048 for <sipcore@ietfa.amsl.com>; Mon, 9 Dec 2019 00:37:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V-Ix1qHPvnsb for <sipcore@ietfa.amsl.com>; Mon, 9 Dec 2019 00:37:46 -0800 (PST)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-ve1eur02on0616.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe06::616]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD25212001A for <sipcore@ietf.org>; Mon, 9 Dec 2019 00:37:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=YXeZ6kmSFPMHGJ/7OxUz24sHDbZkoPDQTn8zYktaJNZvKb+exDh37ClLmuHlKhCD7r9vHXMqfU6OkCHGAyU8s/BDpw5kn9pRxTy8FeBpnZesSZuhB6t7A2S15gq4p6DvvY1zaWv6Gfs8iUOv9RMC+NFxdmtyObPryKK+LQAFJ8y7iaa1djmrJQK6eL7eZUJbZJpKGEgf+9FMGThvqg3K/x4Gor+odS2XM3/LbIpb1WReDFZqdcO3sw0Q79gIc9Zbkmkom2RpAoDKyh5p80tUfxjdFcO6kTL7kcOJIaRmjr3DvKF67S55v4J7YKeFsz801RcS3r7uz7Yi24Mri6ckjw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZK1TMTy7NRUGdXrHGPFrTg3S8itEh4fr5CystUDd49A=; b=kcGZ260gqMlqieMEXZWqc/64Y/PYV/LnoHAKI9vt+DSDZeDXaFGkLpGLRLwxY+sspAvd3IZL0ACAwbSt4WS1xC7cIshE50N4wI50LSBs159ZfLstHeB1ChUie20KB1OziOMAO6NdQ1DI3a+xWv941FzpMFofXtPs5ekVRvtGRBmqW/TKPEZHPyJSp+qSgsKBAwxMMUEgsFfr/VRUziy38OjKW/9S530ymbH5YCb4ltWsMRdzDcTGzqT+cSPLPMMCxBth5GFPK/P1G1AkL+9xDCubALV+cA9Onjj2CEpRaLuiRwpDvZWt0ZmxKvYvFbYIbhIPKWnjwO+vaISJ88C6+Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZK1TMTy7NRUGdXrHGPFrTg3S8itEh4fr5CystUDd49A=; b=r3C9vp3kLqxHO1u0H3ibXEBg4iPaGREs6W9W1IsDgsZPELPfLq35mzCQkM0ndE0SqjHPrfkqRIS5rqqIDVeVuooZc75q0Tb3wg2v4pdsmIAeGNeUbXCv2AuxFxJ5HWVcR0iw0Qqd9wtKQ4nfkOkGnqlG4fS2fOhxG3kAU7johh4=
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com (10.170.245.23) by HE1PR07MB4170.eurprd07.prod.outlook.com (20.176.164.160) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2516.7; Mon, 9 Dec 2019 08:37:43 +0000
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::4dd7:adc9:881e:69c7]) by HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::4dd7:adc9:881e:69c7%7]) with mapi id 15.20.2538.012; Mon, 9 Dec 2019 08:37:43 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
CC: "sipcore@ietf.org" <sipcore@ietf.org>
Thread-Topic: [sipcore] WGLC draft-ietf-sipcore-sip-token-authnz
Thread-Index: AQHVqRaq+n57bvgHbkmAxusa4398hqeoufCAgAEHG4CABnMOAIAApGKAgADOtgA=
Date: Mon, 09 Dec 2019 08:37:43 +0000
Message-ID: <9B7C541D-0359-4DB1-9E1C-0015BEDD1B37@ericsson.com>
References: <9b7ddc2f-d54a-bbaa-8e56-276c8bed725f@nostrum.com> <d7efa4c6-ac85-58ac-1c6c-5b09d955ab00@alum.mit.edu> <76BD0473-8921-4931-9AEE-1880C3AA6A57@ericsson.com> <CAGL6epLqymO26cY2U=NEGgMXAA6BE+NBf12UtOkkFXxKoWdp-Q@mail.gmail.com> <8bc9d0f1-2b13-6ee0-73a5-8056c186b029@alum.mit.edu>
In-Reply-To: <8bc9d0f1-2b13-6ee0-73a5-8056c186b029@alum.mit.edu>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1e.0.191013
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [89.166.49.243]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 66cc8fb5-12e0-49e5-8ad7-08d77c830f15
x-ms-traffictypediagnostic: HE1PR07MB4170:
x-microsoft-antispam-prvs: <HE1PR07MB4170D4690480B8134B952A1A93580@HE1PR07MB4170.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 02462830BE
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(366004)(376002)(39860400002)(396003)(346002)(51444003)(189003)(199004)(51914003)(91956017)(64756008)(81156014)(66446008)(76116006)(66476007)(66556008)(66946007)(81166006)(71190400001)(71200400001)(86362001)(8676002)(2906002)(229853002)(58126008)(305945005)(36756003)(99286004)(110136005)(8936002)(6486002)(316002)(966005)(478600001)(76176011)(4326008)(186003)(6512007)(102836004)(53546011)(26005)(6506007)(66574012)(2616005)(33656002)(44832011)(5660300002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB4170; H:HE1PR07MB3161.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 67bcMnS3IzXqeVTrV2bUsUpsTSDNV/I5kl/Hey+m3X+P0olTkp4F3tDPiYKHs/66jBlb0tWlZr5obz2LrfXKhJlC5y7OiFM1TYiK84/pZvc8dPtdcUzNoup/iB43Cr+/Dp23MiMI5mYEtcY4tMX7I5/k2y9xpxl/ciPuX47Anqpn0AU+Yw2MedEvDGfGKFf28pjsRnJ5aNHRlKDaTq07VtNWjkKO6ZMnOfgKZ6FKnMlbD14LkvCOE7vn1XNZpZtetme3rKMl5KsmhRLigsJZ0NNea19NULVoQfdOYBEue+w72LHK48yshN6QqfBrRxbZltzZllyMga8SJ60u6Cbtny4JsRX/fwxM6e6VQ4arRXmrKBLKMeaj7dNBri7Ej0JjTJp9kP1k57gLoUei4iJ1uYbF+2QftECvufs6OmDfQN2VBpnBnQoVeJxzKwSjRYYqsGNe0StzOrbh7WV1hpZw/w0a2kgeGQqf1XDkS2jigeo2WeTjGLa57mKprqAKx1kTl2ce1HZ+FbsZ80LFfJApDWwFpg+/w67yBN8OtDLWDAEIV2/PhXzpfw5JrxjgJFsT
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <69A320E0A0EC464AA8346FD6613C9ADA@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 66cc8fb5-12e0-49e5-8ad7-08d77c830f15
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Dec 2019 08:37:43.0295 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 9rliDpSFewS/UO90EMib2PM+S1UMwk5RP0UivTo6BRZpe2llBU8gbr2iz19Oxfc0+zw7FEb4L1TvELLPHuxABzff5KnPTMto0X82dAs9c0I=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB4170
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/Np7M9vBWU4--fbadSMrQs5dr9Ac>
Subject: Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-authnz
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Dec 2019 08:37:49 -0000

Hi Paul,

I replied to your other points last week.

Regards,

Christer

On 09/12/2019, 0.18, "Paul Kyzivat" <pkyzivat@alum.mit.edu> wrote:

    Hi Rifaat,
    
    On 12/8/19 7:29 AM, Rifaat Shekh-Yusef wrote:
    > Hi Paul,
    > 
    > Thanks for the detailed review.
    > 
    > Regarding the
    > 
    >     My problem with this is: the challenge gives the UAC an HTTPS URL of an
    >     AS. It does not normatively state how the UAC is to use this, or what
    >     usage(s) the AS MUST support. Hence there is no assurance that the UAC
    >     will be able to successfully access the AS.
    > 
    >     This could be resolved by requiring that the UAC and AS MUST support
    >     RFC8252. Or perhaps there is some more expansive RFC that can be
    >     referenced. In the end there needs to be something MTI. 
    > 
    > 
    > I think that MUST is too strong in this case. I would be fine with a 
    > SHOULD, as there are different ways to achieve this based on the type of 
    > UAC, e.g. a browser-based UAC application.
    > Thoughts?
    
    I agree there can be variation based on type of UAC. E.g., actually 
    using a browser and having the end user interact with it, vs. a UAC that 
    is an automaton and doesn't have a user.
    
    But in the end whatever it is must use the URI as the starting point for 
    the interaction. With a browser interface presumably the URI is used to 
    fetch a page that is presented to the user. And the user then can 
    determine in a human intuitive way how to interact with that page to 
    complete the authentication. If it is an automaton then that won't work. 
    It must have *some* way of determining how to interact with the web 
    server and present what facts it has (e.g. user id and pw) to that 
    server in order to complete authentication. And in either case, there 
    must be a well defined way of learning if it succeeded and conveying the 
    resulting token back to the sip server.
    
    RFC8252 seems to try to specify this at least in some cases, though it 
    is still fuzzy to me. This should be deterministic - it shouldn't be 
    neccessary for an automaton to be specially programmed for how to 
    interact with the particular AS and how to convey the result back to the 
    sip server.
    
    > Regarding your comment about section 2.1.2, I agree with you; I will 
    > move it to its own section.
    
    Moving it to a separate section isn't necessary or sufficient. It needs 
    to be clarified.
    
    I'm assuming responses to my other points will be coming later.
    
    	Thanks,
    	Paul
    
    > Regards,
    >   Rifaat
    > 
    > 
    > 
    > On Wed, Dec 4, 2019 at 3:00 AM Christer Holmberg 
    > <christer.holmberg=40ericsson.com@dmarc.ietf.org 
    > <mailto:40ericsson.com@dmarc.ietf.org>> wrote:
    > 
    >     Hi Paul,
    > 
    >     My comments on some of your SIP-related issues (I am not addressing
    >     your issues on Sections 2.1.1 and 2.1.2 in this reply).
    > 
    >      >    * Section 2.1.4:
    >      >
    >      >    This section says that the UAC MUST include an Authorization
    >     header
    >      >    field with the Bearer scheme. This is overly strong.
    >      >
    >      >    This should be an explanation that *if* it has received a
    >     challenge
    >      >    containing the Bearer scheme then to resolve that particular
    >     challenge
    >      >    it needs to send a request with an Authorization header field
    >     containing
    >      >    the response to that challenge, including the Bearer scheme.
    > 
    >     I suggest that we expand the first paragraph in the section.
    >     Something like:
    > 
    >     "The procedures in this section apply when the UAC has received a
    >     challenge that contains a Bearer scheme,
    >     and the UAC has obtained a token as specified in section Section 2.1.1."
    > 
    >      >    (But note that if there were multiple challenges with
    >     different schemes
    >      >    then it maybe able to successfully retry the request using
    >     non-Bearer
    >      >    credentials.)
    >      >
    >      >    I don't understand what distinction you are trying to draw by
    >      >    distinguishing the behavior for creating a binding from that for
    >      >    refreshing a binding. AFAIK there should be no difference. And
    >     in fact
    >      >    the UAC in general cannot know whether the request being send
    >     will
    >      >    establish or refresh a binding.
    > 
    >     It is important to point out that the same access token might not
    >     necessarily be used throughout the lifetime of the registration, if
    >     the previously included access token has expired.
    > 
    >     ---
    > 
    >      >    * Section 2.1.5:
    >      >
    >      >    This section has similar issues to section 2.1.4: The MUST is too
    >      >    strong, and the reason for distinguishing between in-dialog
    >     requests
    >      >    from others is unclear.
    > 
    >     See my comments for 2.1.4.
    > 
    >     ---
    > 
    >      >    * Section 2.2:
    >      >
    >      >    Again is overly strong in its use of MUST. I think it is
    >     evident that
    >      >    the point being made is that a challenge containing Bearer
    >     scheme is the
    >      >    way to indicate that is with a challenge with Bearer scheme,
    >     but the
    >      >    text is at least awkward.
    >      >
    >      >    How about:
    >      >
    >      >        When a UAS or Registrar receives a request that fails to
    >     contain
    >      >        authorization credentials acceptable to it, it SHOULD
    >     challenge the
    >      >        request by sending a 401 (Unauthorized) response. To
    >     indicate that
    >      >        it is willing to accept an OAuth2 token as a credential the
    >      >        UAS/Registrar MUST include a Proxy-Authentication header
    >     field in the
    >      >        response, indicate "Bearer" scheme and include an address
    >     of an
    >      >        Authorization Server from which the originator can obtain
    >     an access
    >      >        token.
    > 
    >     WFM.
    > 
    >      >    In the second paragraph, please provide a reference:
    >      >
    >      >        ... using the procedures from [RFC???] associated with the
    >     type of
    >      >        access token used.
    > 
    >     Ok.
    > 
    >     ---
    > 
    >      >    * Section 2.3:
    >      >
    >      >    Similar comment to section 2.2. How about the following for
    >     the first
    >      >    paragraph:
    >      >
    >      >        When a proxy receives a request that fails to contain
    >      >        authorization credentials acceptable to it, it SHOULD
    >     challenge the
    >      >        request by sending a 407 (Proxy Authentication Required)
    >     response.
    >      >        To indicate that it is willing to accept an OAuth2 token as a
    >      >        credential the proxy MUST include a Proxy-Authentication
    >      >        header field in the response, indicating "Bearer" scheme and
    >      >        including an address to an Authorization Server from which the
    >      >        originator can obtain an access token.
    > 
    >     WFM.
    > 
    >      >    I don't think the second paragraph should condition any
    >     behavior on
    >      >    whether it has previously challenged. That requires that the
    >     proxy be
    >      >    stateful, and it isn't a necessary condition. Instead, how about:
    >      >
    >      >        When a proxy wishes to authenticate a received request, it
    >     MUST
    >      >        search the request for Proxy-Authorization header fields
    >     with 'realm'
    >      >        parameters that match its realm. It then MUST successfully
    >     validate
    >      >        the credentials from at least one Proxy-Authorization
    >     header field
    >      >        for its realm. When the scheme is Bearer the proxy MUST
    >     validate the
    >      >        access token, using the procedures from [RFC???]
    >     associated with the
    >      >        type of access token used.
    > 
    >     WFM.
    > 
    >     ---
    > 
    >      >    * Section 3:
    >      >
    >      >    The following:
    >      >
    >      >        The realm and auth-param parameters are defined in [RFC3261].
    >      >
    >      >    is incomplete, because it is missing 'challenge', 'realm', and
    >      >    'https-URI. (Where is https-URI defined?)
    >      >
    >      > Another way to do this is by  adding the following to the syntax:
    >      >
    >      >            challenge = <defined in RFC3261>
    >      >            realm = <defined in RFC3261>
    >      >            auth-param = <defined in RFC3261>
    >      >            scope = <defined in RFC6749>
    >      >            error = <defined in RFC6749>
    >      >            https-URI = <where???>
    >      >
    >      >    (This helps those who might try to formally validate the
    >     syntax because
    >      >    it removes undefined parameters.)
    > 
    >     The section does enhance 'challenge', so I guess we can add text
    >     saying that 'challenge' is defined in RFC 3261.
    > 
    >     Regarding the other parameters, the text already says where they are
    >     defined.
    > 
    >     Or, are you saying that you want the references in the syntax,
    >     rather than in the normative text?
    > 
    >      >    Also, 'scope' and 'error' are very generic rule names being
    >     used in a
    >      >    very restricted context. While these are not defined in
    >     RFC3261, there
    >      >    is the potential conflict with other extensions. I'd recommend
    >     using
    >      >    more specific terms. E.g.,
    >      >
    >      >            challenge  =/  ("Bearer" LWS bearer-cln *(COMMA
    >     bearer-cln))
    >      >            bearer-cln = realm / bearer-scope / authz-server /
    >     bearer-error /
    >      >                         auth-param
    >      >            authz-server = "authz_server" EQUAL authz-server-value
    >      >            authz-server-value = https-URI
    >      >
    >      >            challenge = <defined in RFC3261>
    >      >            realm = <defined in RFC3261>
    >      >            auth-param = <defined in RFC3261>
    >      >            bearer-scope = <defined as scope in RFC6749>
    >      >            bearer-error = <defined as error in RFC6749>
    >      >            https-URI = <where???>
    > 
    >     The HTTP WWW-Authenticate header field uses 'error' and 'scope', and
    >     I think it would be good to be aligned.
    > 
    >      >    Regarding the scope parameter:
    >      >
    >      >    This parameter is conveyed from the registrar to the UAC. But
    >     what is
    >      >    the UAC to do with it? How does it have any control over the
    >     scope of
    >      >    the token it gets from the AS? Is the UAC supposed to convey
    >     this to the
    >      >    AS? If so, how?
    > 
    >     The UAC will get the scope from the AS, and will forward it towards
    >     the UAS/registrar.
    > 
    >      >    Regarding the error parameter:
    >      >
    >      >    Is this just intended to be of help in debugging the UAC? Or
    >     is it
    >      >    expected that the UAC might take some sort of pre-programmed
    >     action in
    >      >    response? If the latter, how might that work? Is this information
    >      >    suitable for presentation to the user?
    > 
    >     I see no reason why it can't be presented to the user, and I guess
    >     the UAC actions depend on what the error code is.
    > 
    >     However, as the parameter is described in RFC 6749, I don't think we
    >     need to repeat that in this draft.
    > 
    >     ---
    > 
    >      >    * Section 4:
    >      >
    >      >    I agree with Dale - I don't see any value in this tag. I tried
    >     to search
    >      >    for all discussion on the point. The discussion attributes me
    >     with
    >      >    requesting it, but I don't think I did.
    > 
    >     It was Olle who requested it.
    > 
    >     However, I don't see any harm in having it. It allows the UAC to
    >     inform proxies/UAS/Registrar whether it supports the bearer scheme.
    > 
    >     ---
    > 
    >      >    * Missing:
    >      >
    >      >    I find no syntax extensions for Authorization and
    >     Proxy-Authorization.
    >      >    These need to be added.
    > 
    >     Ok.
    > 
    >     Regards,
    > 
    >     Christer
    > 
    > 
    > 
    >     _______________________________________________
    >     sipcore mailing list
    >     sipcore@ietf.org <mailto:sipcore@ietf.org>
    >     https://www.ietf.org/mailman/listinfo/sipcore
    >

v2.23.0 | Report a Bug | By Email