Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 11 July 2019 11:25 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "Olle E. Johansson" <oej@edvina.net>
CC: "sipcore@ietf.org" <sipcore@ietf.org>
Date: Thu, 11 Jul 2019 11:25:31 +0000
Message-ID: <C5597D63-1B58-44D0-A2CE-4170CC1BE23E@ericsson.com>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu> <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com> <5bb63c0c-130d-7f69-10b0-1ed1b274cc58@alum.mit.edu> <87AD4BB8-CE77-4FD7-BB72-6643DF513058@ericsson.com> <168b1354-b35b-edee-e5f9-d4ddbecfae40@alum.mit.edu> <607A513F-8616-4777-8B5E-59390E845709@ericsson.com> <b6ca4c79-5a17-10da-3882-20bc8b0e9b98@alum.mit.edu> <5ABB2F7B-8928-4581-8AAD-C8EFDBE95F7E@edvina.net> <99649808-9894-42B4-ADD1-52D0F70A3FB3@ericsson.com> <BCFE43BD-86FF-457E-9006-1DA7C8F3F6BE@edvina.net> <C3BFE2FE-0797-4E54-BAD4-B24E32CB183F@ericsson.com> <BD0B9B14-1E35-42C4-BF51-430C7E052145@edvina.net>
In-Reply-To: <BD0B9B14-1E35-42C4-BF51-430C7E052145@edvina.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/PlLd7bd4yssrbYqTcODhVqMdSKk>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
List-Id: SIP Core Working Group <sipcore.ietf.org>

Hi,

>>>>> The tokens generally, but if I understand it right not always, are JWT structures that contain various data. In
>>>>> OpenID Connect both the access and identity token are JWTs.
>>>>> We can either specify specific claims that are standardised for various SIP functions or let that be open for
>>>>> the SIP implementors to specify or a combination.
>>>>
>>>> For backward compatibility, we should at least let SIP implementors specify
>>> Maybe, but at least we should write something about the usage of claims and scopes.
>>> I think a base level for this draft is specifying a way to say “this access token is valid for SIP usage” or
>>> “this is also a SIP identity”.
>>
>> Perhaps we can add some text about scope and claims, but I don't want to mandate usage of specific values, because that
>> may not be backward compatible with existing implementations using JWT.
>
> We can mandate *if* the access token is a JWT (and there’s an identity token like OpenID Connect).

It may not work with existing implementations that DO use JWT access tokens (not sure whether they use OpenID Connect, though).

>> I see interoperability problems if every implementation is using different data structures for stuff like SIP AOR, SIP usage claim
>> and maybe a few more that we will come up with as we continue working. Standardizing some of these basic data points in tokens will help interoperability.
>
> If the access token is a random blob we don’t require any change.
>
> In addition I think we should change the “sip.token” label to something more specific like “sip.oauth2”.

I think it was me who suggested to use sip.token, but I don't have a strong opinion about it. It was added recently, so existing implementations currently don't use it anyway.

Regards,

Christer
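
Added example (not code from the draft, from this thread, or from any SIP implementation): the point under discussion is how a SIP server could tell that a bearer access token "is valid for SIP usage" and which SIP identity it binds, and why that matters only when the token is a JWT rather than an opaque blob. The script below mints and validates HS256 JWTs with the standard library only. The claim convention it assumes, a space-separated OAuth "scope" string that must contain "sip" plus a "sip_aor" claim carrying the AOR, is hypothetical; draft-ietf-sipcore-sip-token-authnz-02 defines no such claims. The shared secret and the sample claims are constructed for the example.

```python
"""Mint and validate a JWT access token for SIP use (added example).

Hypothetical convention, NOT from the draft: scope must contain "sip" and a
"sip_aor" claim carries the SIP AOR the token is bound to. Opaque tokens are
recognised as non-JWTs and left for token introspection (not shown).
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed issuer key for the example only; a deployment would use the
# authorization server's published key (and normally an asymmetric alg).
SECRET = b"example-issuer-key-not-for-production"


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SECRET) -> str:
    """Return an HS256-signed JWT (header.payload.signature) over claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def looks_like_jwt(token: str) -> bool:
    """True if token has three segments and a JSON-object header.

    A "random blob" access token fails this and must not be parsed locally;
    the server would send it to the authorization server's introspection
    endpoint instead.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        return isinstance(json.loads(unb64url(parts[0])), dict)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSON errors
        return False


def verify_sip_token(token: str, key: bytes = SECRET,
                     now: Optional[float] = None) -> Optional[dict]:
    """Return validated claims if the token authorizes SIP use, else None.

    Ordering matters: nothing in the payload is trusted before the
    algorithm is pinned and the signature verified.
    """
    if not looks_like_jwt(token):
        return None
    h64, p64, s64 = token.split(".")
    header = json.loads(unb64url(h64))
    if header.get("alg") != "HS256":      # reject "none" and alg confusion
        return None
    expected = hmac.new(key, (h64 + "." + p64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(s64)):
        return None
    claims = json.loads(unb64url(p64))
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    # Hypothetical SIP-usage signal: "sip" among the OAuth scopes.
    if "sip" not in str(claims.get("scope", "")).split():
        return None
    # Hypothetical identity binding: the AOR this token may register/act as.
    aor = claims.get("sip_aor")
    if not isinstance(aor, str) or not aor.startswith("sip:"):
        return None
    return claims


if __name__ == "__main__":
    now = int(time.time())
    tok = mint_token({"iss": "https://as.example.com", "sub": "alice",
                      "scope": "openid sip",
                      "sip_aor": "sip:alice@example.com", "exp": now + 600})
    print(verify_sip_token(tok, now=now))
```

The two failure paths worth noting: a JWT whose scope lacks "sip" is refused even though its signature is valid (an access token issued for some other API must not double as SIP credentials), and a token that is not a JWT at all is simply not parsed, which is the "random blob" case where the draft needs no claim convention.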