Re: [sipcore] Alexey Melnikov's No Objection on draft-ietf-sipcore-digest-scheme-12: (with COMMENT)
Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Thu, 31 October 2019 21:30 UTC
Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 271711208FC; Thu, 31 Oct 2019 14:30:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XcpW4z-wbcHq; Thu, 31 Oct 2019 14:30:35 -0700 (PDT)
Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D019120873; Thu, 31 Oct 2019 14:30:35 -0700 (PDT)
Received: by mail-io1-xd31.google.com with SMTP id 18so8479742ion.6; Thu, 31 Oct 2019 14:30:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qEXEL3k7nKYQ0C/zIfdcYSTSweWBYdEVRGlbQMWJdIA=; b=bPEMTpF5pBeyPltOlb1FU6XS4lSbcIzO5kxCoRBQ2DVa9AQqtk9+ttfMIQh6uL5M9y uh96+mxxfKrLdFGfgVmMyQ4E1mrKmBe/fhpy3R3AlLU4FKyg9i0F2c6qBa0CfcwpqFa4 5RmC1NSZSOS4+ijjeF+1VjfL0GzNA0zTHtl0/QC7yhTkHYgLpxDq1TkN+vRsee1yjaE7 Igz4RYtaywcfAa0ZtgcUZtBuSBSaHZOx13FZKahXCZuCH4Xx/oAMdGdmhtRtxrsP65RT pA7A8tao0hxFWDKKjDVLImC+8TSBuFP7fncU8Pa6ZNk4Zg/2gPfUS8HTYH3oeqC2qvZv Kjiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qEXEL3k7nKYQ0C/zIfdcYSTSweWBYdEVRGlbQMWJdIA=; b=EVWg8LYqYybR0tj4zeuFXII65pJvFxUZlOvPHIuR9Uqx+nJSIoDCDyTS+R1ePq99J3 KPOwVyV28f3Qt8GZl4NdSdsuZ/ahFJCecuTDvvbT+dPJCQqeHnljotgssGwnHqTyCR7y kDv9RnWzW7lgnxlR/qFhgrZLce3NBwNbtVaf6i3HPmYR6WJBJ/TX5uj++nl3qyAFjDZk 0825UKZqrWaEvbbbzXr7pa4oJzZKVmSmqkDqM14onS/GahtJwInFZ9RufPviivGptKG1 wjjSWI7OZVuvS+HVIO8KZoz3Uu5FVgOkSHIjVNWW+5Kn6kBsxF3FxU19p3YGaC/cXNsT 3LRg==
X-Gm-Message-State: APjAAAWyesyVZFA5mHgt3KTMFabwLi/E6PBFbzB35f7b8akAa2+EvgOj IuprlJdgDpkN+rZ192yn3HV50L0JfcQ0nu25LX8=
X-Google-Smtp-Source: APXvYqzmFPTbDeZV8VNBFUCUyu+vte0FRVE+YoPc4XgRbg3pOaEvs52RQbkBMjN/CXc+8TeDhffdX0JH8N7tP5Fi4d0=
X-Received: by 2002:a02:1c41:: with SMTP id c62mr4773479jac.132.1572557434692; Thu, 31 Oct 2019 14:30:34 -0700 (PDT)
MIME-Version: 1.0
References: <157245577700.32490.10990766778571550817.idtracker@ietfa.amsl.com> <CAGL6epJgyr_VUYgKCgxDcP5ObKWErtDCHxaX7JusUYPXu=a6jQ@mail.gmail.com> <a9ebadcc-36ae-4bdb-af69-05486eef2569@www.fastmail.com> <CAGL6ep+AK4BuGZ2Y1RMsomAYGLiy2NbEHgm5-941FLVKS6bY9Q@mail.gmail.com> <6ec209ae-72e9-4dd1-8d68-3ee1704f3d92@www.fastmail.com> <CAGL6epLQS9xqHybZLTk1qM4i_LaDWVk8-iF0-0e_osf271R_Rg@mail.gmail.com> <7B4921E1-66A3-4D6D-A943-8EC0F44195CC@ericsson.com> <CAGL6epLrJYPaaYwFQjP8Lk3Uc3PUogtfPyxE5FsoTMJs3GvsgA@mail.gmail.com> <4C17F34D-7046-4706-AE5C-FB7ADC4B1427@ericsson.com> <4EEBC37C-3C1B-42A9-883B-571FAE867C31@ericsson.com> <CAGL6epLp=x+Z3g+BZAYsmOob1pkchnvRObnJ7JfTSWES8xaEmA@mail.gmail.com> <2B1C666E-1718-49B2-AECA-B2759BEE6872@ericsson.com>
In-Reply-To: <2B1C666E-1718-49B2-AECA-B2759BEE6872@ericsson.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Thu, 31 Oct 2019 17:30:25 -0400
Message-ID: <CAGL6epJToAGBnvxNO0kTu74AtTL7eSqvsRyemKRt4=RBgU8z8g@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "draft-ietf-sipcore-digest-scheme@ietf.org" <draft-ietf-sipcore-digest-scheme@ietf.org>, The IESG <iesg@ietf.org>, SIPCORE <sipcore@ietf.org>, Alexey Melnikov <aamelnikov@fastmail.fm>
Content-Type: multipart/alternative; boundary="00000000000048a85805963b8f7d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/QzqvqTjlqoQ4CXu9xpVsDcO_GO4>
Subject: Re: [sipcore] Alexey Melnikov's No Objection on draft-ietf-sipcore-digest-scheme-12: (with COMMENT)
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Oct 2019 21:30:38 -0000
I do not have a strong opinion here. Anybody has an opinion or thoughts about adding such a text? Regards, Rifaat On Thu, Oct 31, 2019 at 1:50 PM Christer Holmberg < christer.holmberg@ericsson.com> wrote: > Something like this: > > > > “In some cases a UAC needs to include an Authorization header field in a > request before it has received a challenge, in order to provide user > information (using the ‘userinfo’ header field parameter) that is needed in > order to create the challenge. An example of such case is when the HTTP > Digest Authentication Using AKA mechanism (RFC3310) (RFC4169) is used. In > such case the Authorization header field would typically not contain a > ‘response’ header field parameter before a challenge response is provided. > However, for the IP Multimedia Subsystem (IMS) it has been specified that > the Authorization header field in such case does contain a ‘response’ > header field parameter, with an empty value (empty string). For that reason > the modified request-digest ABNF allows such empty values.” > > > > Regards, > > > > Christer > > > > > > *From: *Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> > *Date: *Thursday, 31 October 2019 at 19.22 > *To: *Christer Holmberg <christer.holmberg@ericsson.com> > *Cc: *Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>, > "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, " > draft-ietf-sipcore-digest-scheme@ietf.org" < > draft-ietf-sipcore-digest-scheme@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, > "sipcore@ietf.org" <sipcore@ietf.org>, Alexey Melnikov < > aamelnikov@fastmail.fm> > *Subject: *Re: [sipcore] Alexey Melnikov's No Objection on > draft-ietf-sipcore-digest-scheme-12: (with COMMENT) > > > > Can you propose some text? > > > > Thanks, > > Rifaat > > > > > > On Thu, Oct 31, 2019 at 11:44 AM Christer Holmberg < > christer.holmberg@ericsson.com> wrote: > > Hi, > > > > Perhaps we could add some text about the IMS use-case, in order to explain > the empty value? > > > > Regards, > > > > Christer > > > > *From: *sipcore <sipcore-bounces@ietf.org> on behalf of Christer Holmberg > <christer.holmberg=40ericsson.com@dmarc.ietf.org> > *Date: *Thursday, 31 October 2019 at 15.52 > *To: *Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> > *Cc: *"sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, " > draft-ietf-sipcore-digest-scheme@ietf.org" < > draft-ietf-sipcore-digest-scheme@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, > "sipcore@ietf.org" <sipcore@ietf.org>, Alexey Melnikov < > aamelnikov@fastmail.fm> > *Subject: *Re: [sipcore] Alexey Melnikov's No Objection on > draft-ietf-sipcore-digest-scheme-12: (with COMMENT) > > > > Hi, > > > > >This IMS behavior would have been in violation of RFC3261 which specified > exactly 32 Hex characters. > > >So, this change should not make much of a difference in this case. > > > > In reality it probably doesn’t make a difference, but it would make the > IMS procedures “aligned” with the IETF spec. > > > > Regards, > > > > Christer > > > > > > > > > > On Thu, Oct 31, 2019 at 9:37 AM Christer Holmberg < > christer.holmberg@ericsson.com> wrote: > > > > Hi, > > > > The reason for the empty value comes from IMS and AKA, where you need to > include the user id already in the initial REGISTER request (this seems to > be missing from RFC 3310, but that’s a separate topic) in order for the > server to create the challenge, meaning that in the initial REGISTER > request you include an Authorization header field with the username > parameter carrying the IMS private user identity, the realm parameter and > the uri parameter. At this point you obviously don’t yet have the response, > so in IMS it is specified that the response parameter is inserted with an > empty value. > > > > WHY it was specified that way (instead of simply not including the > response parameter) I don’t know, but I do know that it has been > implemented and deployed that way for many years. > > > > Regards, > > > > Christer > > > > > > *From: *sipcore <sipcore-bounces@ietf.org> on behalf of Rifaat > Shekh-Yusef <rifaat.ietf@gmail.com> > *Date: *Thursday, 31 October 2019 at 15.20 > *To: *Alexey Melnikov <aamelnikov@fastmail.fm> > *Cc: *"sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, " > draft-ietf-sipcore-digest-scheme@ietf.org" < > draft-ietf-sipcore-digest-scheme@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, > "sipcore@ietf.org" <sipcore@ietf.org> > *Subject: *Re: [sipcore] Alexey Melnikov's No Objection on > draft-ietf-sipcore-digest-scheme-12: (with COMMENT) > > > > Done. > > > > On Thu, Oct 31, 2019 at 9:13 AM Alexey Melnikov <aamelnikov@fastmail.fm> > wrote: > > On Thu, Oct 31, 2019, at 1:11 PM, Rifaat Shekh-Yusef wrote: > > Hi Alexey, > > > > I am fine with Paul's suggestion. > > Are you ok with "32*LHEX"? > > Yes! > > > > Thank you, > > Alexey > > > > Regards, > > Rfaat > > > > > > On Thu, Oct 31, 2019 at 7:22 AM Alexey Melnikov <aamelnikov@fastmail.fm> > wrote: > > > > Hi Rifaat, > > > > On Wed, Oct 30, 2019, at 9:50 PM, Rifaat Shekh-Yusef wrote: > > Thanks Alexey! > > > > I am fine with the first two comments, and will fix these in the coming > version of the document. > > > > I am not sure I follow the 3rd one. Why do you see the need for a minimum > number of hex digits? > > You do say that the number of hex digits match the hash lenght, so it is > probably Ok. However empty value is never valid (and I am worried it might > hit some boundary condition bug in implementations), so prohibiting it in > ABNF would be the best. > > > > Best Regards, > > Alexey > > > > Regards, > > Rifaat > > > > > > > > On Wed, Oct 30, 2019 at 1:16 PM Alexey Melnikov via Datatracker < > noreply@ietf.org> wrote: > > Alexey Melnikov has entered the following ballot position for > > draft-ietf-sipcore-digest-scheme-12: No Objection > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut this > > introductory paragraph, however.) > > > > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-sipcore-digest-scheme/ > > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > I am agreeing with Alissa's DISCUSS. > > > > Also, I have a few comments of my own: > > > > 1) Last para of Section 2.1: > > > > 2.1. Hash Algorithms > > > > A UAS prioritizes which algorithm to use based on the ordering of the > > challenge header fields in the response it is preparing. > > > > This looks either wrong or confusing to me. I think you are just saying > here > > that the order is decided by the server at this point. > > > > That > > process is specified in section 2.3 and parallels the process used in > > HTTP specified by [RFC7616]. > > > > So based on the above, my suggested replacement for both sentences: > > > > A UAS prioritizes which algorithm to use based on its policy, > > which is specified in section 2.3 and parallels the process used in > > HTTP specified by [RFC7616]. > > > > 2) Last para of Section 2.4: > > > > If the UAC cannot respond to any of the challenges in the response, > > then it SHOULD abandon attempts to send the request unless a local > > policy dictates otherwise. > > > > Is trying other non Digest algorithms covered by "SHOULD abandon"? > > If yes, maybe you should make this clearer. > > > > For example, if the UAC does not have > > credentials or has stale credentials for any of the realms, the UAC > > will abandon the request. > > > > 3) In Section 2.7: > > > > request-digest = LDQUOT *LHEX RDQUOT > > > > This now allows empty value. I suggest you specify a minimum number of hex > > digits allowed in the ABNF. Or at least change "*LHEX" to "2*LHEX". > > > > > > > > > >
- [sipcore] Alexey Melnikov's No Objection on draft… Alexey Melnikov via Datatracker
- Re: [sipcore] Alexey Melnikov's No Objection on d… Rifaat Shekh-Yusef
- Re: [sipcore] Alexey Melnikov's No Objection on d… Paul Kyzivat
- Re: [sipcore] Alexey Melnikov's No Objection on d… Alexey Melnikov
- Re: [sipcore] Alexey Melnikov's No Objection on d… Rifaat Shekh-Yusef
- Re: [sipcore] Alexey Melnikov's No Objection on d… Alexey Melnikov
- Re: [sipcore] Alexey Melnikov's No Objection on d… Rifaat Shekh-Yusef
- Re: [sipcore] Alexey Melnikov's No Objection on d… Christer Holmberg
- Re: [sipcore] Alexey Melnikov's No Objection on d… Rifaat Shekh-Yusef
- Re: [sipcore] Alexey Melnikov's No Objection on d… Christer Holmberg
- Re: [sipcore] Alexey Melnikov's No Objection on d… Christer Holmberg
- Re: [sipcore] Alexey Melnikov's No Objection on d… Rifaat Shekh-Yusef
- Re: [sipcore] Alexey Melnikov's No Objection on d… Christer Holmberg
- Re: [sipcore] Alexey Melnikov's No Objection on d… Rifaat Shekh-Yusef
- Re: [sipcore] Alexey Melnikov's No Objection on d… Christer Holmberg
- Re: [sipcore] Alexey Melnikov's No Objection on d… Alexey Melnikov
- Re: [sipcore] Alexey Melnikov's No Objection on d… Christer Holmberg
- Re: [sipcore] Alexey Melnikov's No Objection on d… Rifaat Shekh-Yusef
- Re: [sipcore] Alexey Melnikov's No Objection on d… Christer Holmberg
- Re: [sipcore] Alexey Melnikov's No Objection on d… Rifaat Shekh-Yusef
- Re: [sipcore] Alexey Melnikov's No Objection on d… Christer Holmberg
- Re: [sipcore] Alexey Melnikov's No Objection on d… Rifaat Shekh-Yusef
- Re: [sipcore] Alexey Melnikov's No Objection on d… Paul Kyzivat
- Re: [sipcore] Alexey Melnikov's No Objection on d… Christer Holmberg