IETF Logo Mail Archive

Re: [sipcore] Alexey Melnikov's No Objection on draft-ietf-sipcore-digest-scheme-12: (with COMMENT)

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Thu, 31 October 2019 21:30 UTC

Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 271711208FC; Thu, 31 Oct 2019 14:30:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XcpW4z-wbcHq; Thu, 31 Oct 2019 14:30:35 -0700 (PDT)
Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D019120873; Thu, 31 Oct 2019 14:30:35 -0700 (PDT)
Received: by mail-io1-xd31.google.com with SMTP id 18so8479742ion.6; Thu, 31 Oct 2019 14:30:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qEXEL3k7nKYQ0C/zIfdcYSTSweWBYdEVRGlbQMWJdIA=; b=bPEMTpF5pBeyPltOlb1FU6XS4lSbcIzO5kxCoRBQ2DVa9AQqtk9+ttfMIQh6uL5M9y uh96+mxxfKrLdFGfgVmMyQ4E1mrKmBe/fhpy3R3AlLU4FKyg9i0F2c6qBa0CfcwpqFa4 5RmC1NSZSOS4+ijjeF+1VjfL0GzNA0zTHtl0/QC7yhTkHYgLpxDq1TkN+vRsee1yjaE7 Igz4RYtaywcfAa0ZtgcUZtBuSBSaHZOx13FZKahXCZuCH4Xx/oAMdGdmhtRtxrsP65RT pA7A8tao0hxFWDKKjDVLImC+8TSBuFP7fncU8Pa6ZNk4Zg/2gPfUS8HTYH3oeqC2qvZv Kjiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qEXEL3k7nKYQ0C/zIfdcYSTSweWBYdEVRGlbQMWJdIA=; b=EVWg8LYqYybR0tj4zeuFXII65pJvFxUZlOvPHIuR9Uqx+nJSIoDCDyTS+R1ePq99J3 KPOwVyV28f3Qt8GZl4NdSdsuZ/ahFJCecuTDvvbT+dPJCQqeHnljotgssGwnHqTyCR7y kDv9RnWzW7lgnxlR/qFhgrZLce3NBwNbtVaf6i3HPmYR6WJBJ/TX5uj++nl3qyAFjDZk 0825UKZqrWaEvbbbzXr7pa4oJzZKVmSmqkDqM14onS/GahtJwInFZ9RufPviivGptKG1 wjjSWI7OZVuvS+HVIO8KZoz3Uu5FVgOkSHIjVNWW+5Kn6kBsxF3FxU19p3YGaC/cXNsT 3LRg==
X-Gm-Message-State: APjAAAWyesyVZFA5mHgt3KTMFabwLi/E6PBFbzB35f7b8akAa2+EvgOj IuprlJdgDpkN+rZ192yn3HV50L0JfcQ0nu25LX8=
X-Google-Smtp-Source: APXvYqzmFPTbDeZV8VNBFUCUyu+vte0FRVE+YoPc4XgRbg3pOaEvs52RQbkBMjN/CXc+8TeDhffdX0JH8N7tP5Fi4d0=
X-Received: by 2002:a02:1c41:: with SMTP id c62mr4773479jac.132.1572557434692; Thu, 31 Oct 2019 14:30:34 -0700 (PDT)
MIME-Version: 1.0
References: <157245577700.32490.10990766778571550817.idtracker@ietfa.amsl.com> <CAGL6epJgyr_VUYgKCgxDcP5ObKWErtDCHxaX7JusUYPXu=a6jQ@mail.gmail.com> <a9ebadcc-36ae-4bdb-af69-05486eef2569@www.fastmail.com> <CAGL6ep+AK4BuGZ2Y1RMsomAYGLiy2NbEHgm5-941FLVKS6bY9Q@mail.gmail.com> <6ec209ae-72e9-4dd1-8d68-3ee1704f3d92@www.fastmail.com> <CAGL6epLQS9xqHybZLTk1qM4i_LaDWVk8-iF0-0e_osf271R_Rg@mail.gmail.com> <7B4921E1-66A3-4D6D-A943-8EC0F44195CC@ericsson.com> <CAGL6epLrJYPaaYwFQjP8Lk3Uc3PUogtfPyxE5FsoTMJs3GvsgA@mail.gmail.com> <4C17F34D-7046-4706-AE5C-FB7ADC4B1427@ericsson.com> <4EEBC37C-3C1B-42A9-883B-571FAE867C31@ericsson.com> <CAGL6epLp=x+Z3g+BZAYsmOob1pkchnvRObnJ7JfTSWES8xaEmA@mail.gmail.com> <2B1C666E-1718-49B2-AECA-B2759BEE6872@ericsson.com>
In-Reply-To: <2B1C666E-1718-49B2-AECA-B2759BEE6872@ericsson.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Thu, 31 Oct 2019 17:30:25 -0400
Message-ID: <CAGL6epJToAGBnvxNO0kTu74AtTL7eSqvsRyemKRt4=RBgU8z8g@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "draft-ietf-sipcore-digest-scheme@ietf.org" <draft-ietf-sipcore-digest-scheme@ietf.org>, The IESG <iesg@ietf.org>, SIPCORE <sipcore@ietf.org>, Alexey Melnikov <aamelnikov@fastmail.fm>
Content-Type: multipart/alternative; boundary="00000000000048a85805963b8f7d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/QzqvqTjlqoQ4CXu9xpVsDcO_GO4>
Subject: Re: [sipcore] Alexey Melnikov's No Objection on draft-ietf-sipcore-digest-scheme-12: (with COMMENT)
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Oct 2019 21:30:38 -0000

I do not have a strong opinion here.

Anybody has an opinion or thoughts about adding such a text?

Regards,
 Rifaat


On Thu, Oct 31, 2019 at 1:50 PM Christer Holmberg <
christer.holmberg@ericsson.com> wrote:

> Something like this:
>
>
>
> “In some cases a UAC needs to include an Authorization header field in a
> request before it has received a challenge, in order to provide user
> information (using the ‘userinfo’ header field parameter) that is needed in
> order to create the challenge. An example of such case is when the HTTP
> Digest Authentication Using AKA mechanism (RFC3310) (RFC4169) is used. In
> such case the Authorization header field would typically not contain a
> ‘response’ header field parameter before a challenge response is provided.
> However, for the IP Multimedia Subsystem (IMS) it has been specified that
> the Authorization header field in such case does contain a  ‘response’
> header field parameter, with an empty value (empty string). For that reason
> the modified request-digest ABNF allows such empty values.”
>
>
>
> Regards,
>
>
>
> Christer
>
>
>
>
>
> *From: *Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
> *Date: *Thursday, 31 October 2019 at 19.22
> *To: *Christer Holmberg <christer.holmberg@ericsson.com>
> *Cc: *Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>,
> "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "
> draft-ietf-sipcore-digest-scheme@ietf.org" <
> draft-ietf-sipcore-digest-scheme@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>,
> "sipcore@ietf.org" <sipcore@ietf.org>, Alexey Melnikov <
> aamelnikov@fastmail.fm>
> *Subject: *Re: [sipcore] Alexey Melnikov's No Objection on
> draft-ietf-sipcore-digest-scheme-12: (with COMMENT)
>
>
>
> Can you propose some text?
>
>
>
> Thanks,
>
>  Rifaat
>
>
>
>
>
> On Thu, Oct 31, 2019 at 11:44 AM Christer Holmberg <
> christer.holmberg@ericsson.com> wrote:
>
> Hi,
>
>
>
> Perhaps we could add some text about the IMS use-case, in order to explain
> the empty value?
>
>
>
> Regards,
>
>
>
> Christer
>
>
>
> *From: *sipcore <sipcore-bounces@ietf.org> on behalf of Christer Holmberg
> <christer.holmberg=40ericsson.com@dmarc.ietf.org>
> *Date: *Thursday, 31 October 2019 at 15.52
> *To: *Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
> *Cc: *"sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "
> draft-ietf-sipcore-digest-scheme@ietf.org" <
> draft-ietf-sipcore-digest-scheme@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>,
> "sipcore@ietf.org" <sipcore@ietf.org>, Alexey Melnikov <
> aamelnikov@fastmail.fm>
> *Subject: *Re: [sipcore] Alexey Melnikov's No Objection on
> draft-ietf-sipcore-digest-scheme-12: (with COMMENT)
>
>
>
> Hi,
>
>
>
> >This IMS behavior would have been in violation of RFC3261 which specified
> exactly 32 Hex characters.
>
> >So, this change should not make much of a difference in this case.
>
>
>
> In reality it probably doesn’t make a difference, but it would make the
> IMS procedures “aligned” with the IETF spec.
>
>
>
> Regards,
>
>
>
> Christer
>
>
>
>
>
>
>
>
>
> On Thu, Oct 31, 2019 at 9:37 AM Christer Holmberg <
> christer.holmberg@ericsson.com> wrote:
>
>
>
> Hi,
>
>
>
> The reason for the empty value comes from IMS and AKA, where you need to
> include the user id already in the initial REGISTER request (this seems to
> be missing from RFC 3310, but that’s a separate topic) in order for the
> server to create the challenge,  meaning that in the initial REGISTER
> request you include an Authorization header field with the username
> parameter carrying the IMS private user identity, the realm parameter and
> the uri parameter. At this point you obviously don’t yet have the response,
> so in IMS it is specified that the response parameter is inserted with an
> empty value.
>
>
>
> WHY it was specified that way (instead of simply not including the
> response parameter) I don’t know, but I do know that it has been
> implemented and deployed that way for many years.
>
>
>
> Regards,
>
>
>
> Christer
>
>
>
>
>
> *From: *sipcore <sipcore-bounces@ietf.org> on behalf of Rifaat
> Shekh-Yusef <rifaat.ietf@gmail.com>
> *Date: *Thursday, 31 October 2019 at 15.20
> *To: *Alexey Melnikov <aamelnikov@fastmail.fm>
> *Cc: *"sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "
> draft-ietf-sipcore-digest-scheme@ietf.org" <
> draft-ietf-sipcore-digest-scheme@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>,
> "sipcore@ietf.org" <sipcore@ietf.org>
> *Subject: *Re: [sipcore] Alexey Melnikov's No Objection on
> draft-ietf-sipcore-digest-scheme-12: (with COMMENT)
>
>
>
> Done.
>
>
>
> On Thu, Oct 31, 2019 at 9:13 AM Alexey Melnikov <aamelnikov@fastmail.fm>
> wrote:
>
> On Thu, Oct 31, 2019, at 1:11 PM, Rifaat Shekh-Yusef wrote:
>
> Hi Alexey,
>
>
>
> I am fine with Paul's suggestion.
>
> Are you ok with "32*LHEX"?
>
> Yes!
>
>
>
> Thank you,
>
> Alexey
>
>
>
> Regards,
>
>  Rfaat
>
>
>
>
>
> On Thu, Oct 31, 2019 at 7:22 AM Alexey Melnikov <aamelnikov@fastmail.fm>
> wrote:
>
>
>
> Hi Rifaat,
>
>
>
> On Wed, Oct 30, 2019, at 9:50 PM, Rifaat Shekh-Yusef wrote:
>
> Thanks Alexey!
>
>
>
> I am fine with the first two comments, and will fix these in the coming
> version of the document.
>
>
>
> I am not sure I follow the 3rd one. Why do you see the need for a minimum
> number of hex digits?
>
> You do say that the number of hex digits match the hash lenght, so it is
> probably Ok. However empty value is never valid (and I am worried it might
> hit some boundary condition bug in implementations), so prohibiting it in
> ABNF would be the best.
>
>
>
> Best Regards,
>
> Alexey
>
>
>
> Regards,
>
>  Rifaat
>
>
>
>
>
>
>
> On Wed, Oct 30, 2019 at 1:16 PM Alexey Melnikov via Datatracker <
> noreply@ietf.org> wrote:
>
> Alexey Melnikov has entered the following ballot position for
>
> draft-ietf-sipcore-digest-scheme-12: No Objection
>
>
>
> When responding, please keep the subject line intact and reply to all
>
> email addresses included in the To and CC lines. (Feel free to cut this
>
> introductory paragraph, however.)
>
>
>
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>
> for more information about IESG DISCUSS and COMMENT positions.
>
>
>
>
>
> The document, along with other ballot positions, can be found here:
>
> https://datatracker.ietf.org/doc/draft-ietf-sipcore-digest-scheme/
>
>
>
>
>
>
>
> ----------------------------------------------------------------------
>
> COMMENT:
>
> ----------------------------------------------------------------------
>
>
>
> I am agreeing with Alissa's DISCUSS.
>
>
>
> Also, I have a few comments of my own:
>
>
>
> 1) Last para of Section 2.1:
>
>
>
> 2.1.  Hash Algorithms
>
>
>
>    A UAS prioritizes which algorithm to use based on the ordering of the
>
>    challenge header fields in the response it is preparing.
>
>
>
> This looks either wrong or confusing to me. I think you are just saying
> here
>
> that the order is decided by the server at this point.
>
>
>
>    That
>
>    process is specified in section 2.3 and parallels the process used in
>
>    HTTP specified by [RFC7616].
>
>
>
> So based on the above, my suggested replacement for both sentences:
>
>
>
>    A UAS prioritizes which algorithm to use based on its policy,
>
>    which is specified in section 2.3 and parallels the process used in
>
>    HTTP specified by [RFC7616].
>
>
>
> 2) Last para of Section 2.4:
>
>
>
>    If the UAC cannot respond to any of the challenges in the response,
>
>    then it SHOULD abandon attempts to send the request unless a local
>
>    policy dictates otherwise.
>
>
>
> Is trying other non Digest algorithms covered by "SHOULD abandon"?
>
> If yes, maybe you should make this clearer.
>
>
>
>    For example, if the UAC does not have
>
>    credentials or has stale credentials for any of the realms, the UAC
>
>    will abandon the request.
>
>
>
> 3) In Section 2.7:
>
>
>
>       request-digest = LDQUOT *LHEX RDQUOT
>
>
>
> This now allows empty value. I suggest you specify a minimum number of hex
>
> digits allowed in the ABNF. Or at least change "*LHEX" to "2*LHEX".
>
>
>
>
>
>
>
>
>
>

v2.23.0 | Report a Bug | By Email