Re: [sipcore] No WebSocket level authentication scenario [was RE: I-D Action: draft-ietf-sipcore-sip-websocket-09.txt]

"Parthasarathi R" <partha@parthasarathi.co.in> Tue, 25 June 2013 00:48 UTC

From: Parthasarathi R <partha@parthasarathi.co.in>
To: 'Paul Kyzivat' <pkyzivat@alum.mit.edu>, sipcore@ietf.org
References: <20130613011708.18316.28106.idtracker@ietfa.amsl.com> <CALiegfkg-KU1bB01eLXuksZV1ehBY92uf+0+F3fQuha-WnOS1A@mail.gmail.com> <013c01ce6c4e$29e33c90$7da9b5b0$@co.in> <CALiegfnQ8=R1PRbHwPSDjJ=jH+bBeiNqjU12yr8KmJvHWQg1Mg@mail.gmail.com> <12FDD6C8-F172-4B3B-A83A-211CF553DA1A@ag-projects.com> <CALiegfneR2MwFEgGnZVtNJUXbDv0Mw0uWK2RYOGi-euWvYpR1g@mail.gmail.com> <949EF20990823C4C85C18D59AA11AD8B055194@FR712WXCHMBA10.zeu.alcatel-lucent.com> <51C328B6.20506@alum.mit.edu>
In-Reply-To: <51C328B6.20506@alum.mit.edu>
Date: Tue, 25 Jun 2013 06:17:55 +0530
Message-ID: <002501ce713d$a47221d0$ed566570$@co.in>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [sipcore] No WebSocket level authentication scenario [was RE: I-D Action: draft-ietf-sipcore-sip-websocket-09.txt]
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>

Paul,

In case it is not mandatory to use authentication, the following statement
in Sec 7 of the draft is not correct:

"  If no authentication is done at WebSocket level then SIP Digest
   authentication is required for every SIP request coming over the
   WebSocket connection."

Please let me know your comment on the same.

Thanks
Partha

> -----Original Message-----
> From: sipcore-bounces@ietf.org [mailto:sipcore-bounces@ietf.org] On
> Behalf Of Paul Kyzivat
> Sent: Thursday, June 20, 2013 9:37 PM
> To: sipcore@ietf.org
> Subject: Re: [sipcore] No WebSocket level authentication scenario [was
> RE: I-D Action: draft-ietf-sipcore-sip-websocket-09.txt]
> 
> On 6/19/13 8:06 AM, DRAGE, Keith (Keith) wrote:
> > I would not use RFC 3261 as justification for what should, or should
> not, be said about authentication. The current RFC 3261 would probably
> fail a security directorate review if it was attempted to be approved
> as an RFC now.
> >
> > (I'd also point out that for any security consideration of RFC 3261,
> one should also read RFC 5630.)
> >
> > So I would suggest you conduct an independent security evaluation of
> what is needed.
> 
> I think we are in the midst of one with Stephen Farrell.
> 
> > For the use case you give:
> >
> >> A website (a shop) offers a widget in which the visitor can click
> and
> >> make a SIP call (+WebRTC) that will end in the callcenter of the
> >> company, answered by an agent that will inform the user about the
> >> product he is interested in. Why do we require WWW or SIP
> >> authentication in this scenario?
> >
> > I'd suggest that the issue to be discussed is what happens when the
> action described results in a transaction of some form to a third party
> (in the SIP case a call). The visitor then includes information that
> will be relayed to the third party. Who does the third party rely on to
> ensure that information is authentically given by the visitor?
> 
> I'm inclined to support Iñaki, that authentication of any sort shouldn't
> be Mandatory to *Use*.  Individual applications can decide when they
> have uses that require authentication and when they don't.
> 
> 	Thanks,
> 	Paul
> 
> > Regards
> >
> > Keith
> >
> >
> >
> >> -----Original Message-----
> >> From: sipcore-bounces@ietf.org [mailto:sipcore-bounces@ietf.org] On
> Behalf
> >> Of Iñaki Baz Castillo
> >> Sent: 19 June 2013 12:32
> >> To: Saúl Ibarra Corretgé
> >> Cc: SIPCORE (Session Initiation Protocol Core) WG; Parthasarathi R
> >> Subject: Re: [sipcore] No WebSocket level authentication scenario
> [was RE:
> >> I-D Action: draft-ietf-sipcore-sip-websocket-09.txt]
> >>
> >> 2013/6/19 Saúl Ibarra Corretgé <saul@ag-projects.com>:
> >>> Why is authentication a MUST? Let's assume that I'm using UDP and my
> >> proxy establishes a WS connection with a foreign domain's proxy
> because of
> >> NAPTR and my proxy supports acting as a WS client. It obviously
> won't be
> >> able to authenticate. Is this scenario supposed to be covered?
> >>
> >> Honestly I agree. I cannot find in RFC 3261 (or other RFCs) a
> >> normative statement mandating authentication, regardless of whether
> >> the request comes from a UA.
> >>
> >> In another thread we are discussing the MTI authentication
> >> mechanisms that must be implemented by SIP WS Clients and Servers.
> >> IMHO that is correct, but mandating SIP authentication or WWW
> >> authentication for ALL the scenarios seems inappropriate to me. I
> come
> >> back to a use case:
> >>
> >> A website (a shop) offers a widget in which the visitor can click
> and
> >> make a SIP call (+WebRTC) that will end in the callcenter of the
> >> company, answered by an agent that will inform the user about the
> >> product he is interested in. Why do we require WWW or SIP
> >> authentication in this scenario?
> >>
> >> If WG agrees with this, I will remove the normative statements in
> >> "Authentication" section, and instead address the MTI authentication
> >> mechanisms.
> >>
> >>
> >> --
> >> Iñaki Baz Castillo
> >> <ibc@aliax.net>
> >> _______________________________________________
> >> sipcore mailing list
> >> sipcore@ietf.org
> >> https://www.ietf.org/mailman/listinfo/sipcore
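The Section 7 rule quoted at the top of this message (when the WebSocket handshake did no authentication, SIP Digest is required for each SIP request on that connection) as a worked server-side check. This is an added example, not code from the draft, the thread, or any implementation discussed in it. The realm, the credential store, the REGISTER request, the one-shot nonce policy and the `DigestGate` name are constructed assumptions; the digest arithmetic is the RFC 3261 section 22 / RFC 2617 MD5 form. The gate plays a UAS/registrar and answers 401 with WWW-Authenticate; a proxy would use 407/Proxy-Authenticate instead. ACK and CANCEL cannot be challenged (RFC 3261 section 22.1), so "every request" is narrower in practice than the quoted sentence reads.

```python
import hashlib
import hmac
import re
import secrets

# Constructed values for this example (not from the draft or the thread).
REALM = "example.com"


def ha1(username, realm, password):
    """RFC 2617 HA1 = MD5(username:realm:password); store this, never the password."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


# Constructed credential store: username -> HA1 hex.
CREDENTIALS = {"alice": ha1("alice", REALM, "secret")}


def digest_response(ha1_hex, method, uri, nonce, nc=None, cnonce=None, qop=None):
    """Digest 'response' as used by SIP (RFC 3261 s22 / RFC 2617, MD5)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    if qop == "auth":
        data = f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    else:  # legacy RFC 2069 form without qop
        data = f"{ha1_hex}:{nonce}:{ha2}"
    return hashlib.md5(data.encode()).hexdigest()


def parse_sip_request(raw):
    """Minimal parser: (method, request-uri, {lowercased header name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def parse_digest(value):
    """Parse 'Digest k="v", k=v, ...' (WWW-Authenticate or Authorization) into a dict."""
    if not value.startswith("Digest "):
        raise ValueError("not a Digest credential")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value[len("Digest "):]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def build_authorization(username, password, realm, method, uri, nonce, cnonce, nc="00000001"):
    """Client side: Authorization header value answering a qop=auth challenge."""
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce, "auth")
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'response="{resp}", qop=auth, nc={nc}, cnonce="{cnonce}", algorithm=MD5')


class DigestGate:
    """Per-connection policy: a WebSocket-level authenticated connection is admitted
    as-is; otherwise each SIP request needs a valid Digest response (the Section 7
    rule). Nonces are one-shot here for simplicity (assumption); RFC 2617 qop=auth
    also allows nonce reuse with an increasing nc, which is not modelled."""

    def __init__(self, realm, credentials):
        self.realm = realm
        self.credentials = credentials
        self.nonces = set()  # issued and not yet consumed

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return 401, f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth", algorithm=MD5'

    def check(self, ws_authenticated, raw_request):
        """(200, detail) to admit the request, or (401, WWW-Authenticate value)."""
        if ws_authenticated:
            return 200, "admitted: WebSocket-level authentication"
        method, uri, headers = parse_sip_request(raw_request)
        if method in ("ACK", "CANCEL"):
            # RFC 3261 s22.1: not challengeable; a real UAS ties them to the
            # already-authenticated transaction (not modelled here).
            return 200, "admitted: ACK/CANCEL cannot be challenged"
        auth = headers.get("authorization")
        if auth is None:
            return self.challenge()
        p = parse_digest(auth)
        nonce = p.get("nonce")
        if nonce not in self.nonces:
            return self.challenge()  # stale or replayed nonce: re-challenge
        self.nonces.discard(nonce)  # consume it, so a replayed request fails
        known = p.get("realm") == self.realm and p.get("username") in self.credentials
        if not known or p.get("uri") != uri:
            return self.challenge()  # same answer for unknown users: no enumeration hint
        expected = digest_response(self.credentials[p["username"]], method, uri, nonce,
                                   p.get("nc"), p.get("cnonce"), p.get("qop"))
        if hmac.compare_digest(expected.encode(), p.get("response", "").encode()):
            return 200, f"admitted: SIP Digest verified for {p['username']}"
        return self.challenge()


def sip_register(authorization=None):
    """Constructed REGISTER over a SIP WebSocket transport (Via transport 'WS')."""
    lines = [
        "REGISTER sip:example.com SIP/2.0",
        "Via: SIP/2.0/WS df7jal23ls0d.invalid;branch=z9hG4bKconstructed",
        "From: <sip:alice@example.com>;tag=constructed",
        "To: <sip:alice@example.com>",
        "Call-ID: constructed@df7jal23ls0d.invalid",
        "CSeq: 1 REGISTER",
    ]
    if authorization:
        lines.append("Authorization: " + authorization)
    return "\r\n".join(lines) + "\r\n\r\n"
```

Running the gate against `sip_register()` with `ws_authenticated=True` admits the request without any SIP challenge; with `ws_authenticated=False` the first request draws a 401, a correctly answered challenge is admitted once, and replaying the same request (same nonce) or answering with a wrong password is challenged again.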