Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-01.txt
Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Wed, 26 June 2019 19:26 UTC
Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D75A01202B4 for <sipcore@ietfa.amsl.com>; Wed, 26 Jun 2019 12:26:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YNrizx4YGPpD for <sipcore@ietfa.amsl.com>; Wed, 26 Jun 2019 12:26:25 -0700 (PDT)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09A3A12060C for <sipcore@ietf.org>; Wed, 26 Jun 2019 12:26:25 -0700 (PDT)
Received: by mail-io1-xd34.google.com with SMTP id j6so5927285ioa.5 for <sipcore@ietf.org>; Wed, 26 Jun 2019 12:26:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HxK4N32/2SiSWpRUFfDDqdzmgZm8tysL560buruSvT0=; b=Sj0jNH8ZZo7meNXO79kQFR/SBAILuoHBxtRaKqa5pedCB0sS3BA8d+TYIyqiw4dD1Z m9dVmdIKcIqH/wAMr/O6Ce8qqEdhof93tKyL+u3mBcxrsbn2SJxxwO3FffvUiyRqLvZ5 9YWtV7QDHS2XOlBpMJY0Hz54OKZ8IKGptZUCZ051Bd5kG3NnbB3qotKlFqviJg1OCeUJ UNwfqUmr14ABqUbqU7ogXIZt/OvgSpjlf/c8IlOVzHPafKXQ9ft7a9W5jXs1Xm+vXZv2 O1PMCLMRIqHHgFRCo29G3k0cbTMzOZfZ/+CQVBmreJlBHXA23bFfCxT36ss//nZX04RZ CcSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HxK4N32/2SiSWpRUFfDDqdzmgZm8tysL560buruSvT0=; b=DmNXUKeSJM8a3J0yFf+AM1kCNUXH1P+8uGyf5CeHssJEFiAPdD8+dvnomwLqIKnHki jBSfg30vFI141q+8IOHVL7LqzOphOm7Zfg8AoIULMjrlY3J55/67SOLoZVsDpDGFRtUI MIM8XrJ8NyjXPd7e5KxZVCV05xD6y4w34REIE+eZW2yJMuyekzWvsQ+tLb2B+sT+1J/M gEQnDXuRqlkzwU4Cu1J69zsE77ZXLkP+SCUaxKYb6rf42sE4V/TRnppI+PCgGg4Hs+FP r7zeIX6RaeMLji+ZTVmi7FQqOcY+plCVA59omH34+J17GLDjzXkjziqxVs0UP7DRy/UE bfeg==
X-Gm-Message-State: APjAAAUDqbGFib3D7L5kVq87WlXJ6stCYQJ3U6/9Xbh2tcCx915pLGkE QY4rRMsh8YsjXF/o9/Cuumo9YuhQ6jSsJYy21hv3ph3hbZQ=
X-Google-Smtp-Source: APXvYqw8xqfRa0ErvTNWDGOup+VLTRMTN4LAlb67/UB5/mBh4tmP3dqWlsbDB7n5VjlxpozQQLSDKooDU/koO9QlJlI=
X-Received: by 2002:a6b:ed01:: with SMTP id n1mr3504378iog.255.1561577184336; Wed, 26 Jun 2019 12:26:24 -0700 (PDT)
MIME-Version: 1.0
References: <156139527419.17457.15161486253539766732@ietfa.amsl.com> <CAGL6ep+xZaRX7vFDJxV4qrv57OF2QKbUEMgdW52Hf-RUySSDjQ@mail.gmail.com> <52296dbb-f1b6-f34f-9c43-70add154562e@alum.mit.edu> <CAGL6ep+RiBWLC_NNHdb2Fai=8sbeMiTD+8vQfknyUiTn4r1wRw@mail.gmail.com> <00c02b2f-1515-d0df-edc8-4d2c7ca63655@alum.mit.edu> <CAGL6epKpPQ8CD09RUry-Mj+ZyhKXCupumYbXddaLamux0TM1aA@mail.gmail.com> <d032df76-2b3e-194e-7bda-7d29b5ecf674@alum.mit.edu>
In-Reply-To: <d032df76-2b3e-194e-7bda-7d29b5ecf674@alum.mit.edu>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Wed, 26 Jun 2019 15:26:13 -0400
Message-ID: <CAGL6epKebTeca3xFX6wBErTPdnS5SzCED9bfjmQOwji0Q77XXA@mail.gmail.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
Cc: SIPCORE <sipcore@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005c9e83058c3f0540"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/TCTw7qibsSKj87fPD6ilxHe3s2o>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-01.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jun 2019 19:26:33 -0000
On Tue, Jun 25, 2019 at 5:01 PM Paul Kyzivat <pkyzivat@alum.mit.edu> wrote: > Inline... > > On 6/25/19 1:32 PM, Rifaat Shekh-Yusef wrote: > > > > > > On Tue, Jun 25, 2019 at 10:47 AM Paul Kyzivat <pkyzivat@alum.mit.edu > > <mailto:pkyzivat@alum.mit.edu>> wrote: > > > > On 6/25/19 9:05 AM, Rifaat Shekh-Yusef wrote: > > > Thanks Paul! > > > > > > Please, see my replies inline. > > > > > > Regards, > > > Rifaat > > > > > > > > > On Mon, Jun 24, 2019 at 4:37 PM Paul Kyzivat > > <pkyzivat@alum.mit.edu <mailto:pkyzivat@alum.mit.edu> > > > <mailto:pkyzivat@alum.mit.edu <mailto:pkyzivat@alum.mit.edu>>> > wrote: > > > > > > On 6/24/19 12:58 PM, Rifaat Shekh-Yusef wrote: > > > > All, > > > > > > > > We have submitted a new version of the draft that adds more > > > details and > > > > we believe address the comments provided so far. > > > > Please, take a look and let us know what you think. > > > > > > I think this still has things a bit backwards. Step [07] in > > 2.1.2 seems > > > out of place. Why would the UA know to prompt the user at > > this point, > > > and if it did, how would the user know *which* credentials to > > provide. > > > > > > Yeah, this was a copy and paste from the previous flow. > > > I agree that the prompt should happen after the 401 response. I > > will fix > > > that. > > > > Thx > > > > > With Digest, you would never prompt for credentials until you > > have > > > received a 401 with WWW-Authenticate. The Realm in that is > then > > > displayed to the user as indication of which credentials he > > should > > > supply. > > > > > > I would expect something similar with Bearer. Presumably this > > will tell > > > me "Google", or "Facebook", or whatever. In your case these > > may be > > > alternatives that the user can choose among. So I think you > > need more > > > explanation about how the alternatives are presented. Don't > > just pass > > > the buck to 3261 on the WWW-Authenticate parameters. You have > > ones that > > > aren't mentioned there, and the usage is probably somewhat > > different. > > > > > > > > > The UA gets redirected to an *Authorization Server (AS)*, which > > could in > > > theory redirect the UA to an *IdP *server to authenticate the > user. > > > But, this is completely out of scope for this document, as this > > follows > > > a well-defined HTTP-based OAuth mechanism. > > > > OK, as long as it somehow takes account of the server that requires > > authentication and the type(s) of authentication it is willing to > > accept. You can't rely on the UAC being psychic about what > credentials > > are required. > > > > > > Notice that the challenge provided in the WWW-Authenticate response, > > defined in section 3, includes many details that could be used by the > > UAC to prompt the user for the right credentials. > > Is there anything missing that should be added to help the UAC? > > Yes, there is quite a bit, and scant information about what the > significance is of each bit of it. IMO some explanation is needed of > these items and how they are expected to be used. Sure > And a more fleshed out > example that shows who puts up the UI to gather the needed info, what is > included in the prompt, what comes back, and what is done with it then. > Enough to relate it to real world experience. > > (AFAIK most real world experience is with web interfaces. For instance > when hitting restricted web sites that require a login from Google, > Facebook, Discus, etc. IIUC this could be much like that, including the > choice of which of those to use. So a use case like that would be great. > > I think UI related issues and authentication using 3rd party IdPs are really out of scope of this document. > > > After this has been done once, the UA can then cache the > > credentials > > > for > > > while and preemptively supply them in future registration > > requests. > > > With > > > Digest there are some guidelines on when to preemptively try > > them and > > > when not. I would expect something similar for Bearer. There > are > > > probably some security reasons not to preemptively send the > > credentials > > > to every server the UA attempts to connect to. As long as > > credentials > > > are only being used for REGISTER this probably isn't a > > problem. But it > > > certainly is possible for server to request credentials for > > requests > > > other than REGISTER. I'd like to see a discussion of that too. > > > > > > > > > The UA never sends any credentials to the registrar, only to the > > AS/IdP. > > > The UA will only send the *Access Token *to the registrar which > > will be > > > able to validate that the token was issued by a trusted AS. > > > > That is details. What the UA provides to the registrar are > credentials > > in a functional sense, even if they are passed in an indirect way. > > > > > > Fair enough > > > > It still requires a security analysis, though the conclusions might > be > > somewhat different. I *guess* that it is still a bad idea to hand out > > the access token indiscriminately to everyone you connect to. > > > > Yeah, this will be covered by the security consideration section. > > In general, the UAC must always make sure that it is communicating with > > the right registrar using TLS and proper validation of the server > > certificate and the identity in that certificate. > > Again, while it is probably true that SIP authentication is mostly used > with registrars, it is also possible for other servers to require > authentication, for SUBSCRIBE, NOTIFY, or even INVITE. Any server can > send a challenge. So the UA needs to be prepared for this and do the > right thing. > > Doing that right includes caching credentials and providing them > appropriately to avoid unnecessarily prompting the user too often. And > then preemptively sending credentials becomes an optimization to avoid > extra round trips. This of course is very important for REGISTER since > it at times is used very frequently as a keep-alive. But at the same > time one needs to have some security guidance on when it is appropriate > to send preemptively and when not. > > I will add text around this to indicate that non-REGISTER requests should always include the Access Token in the request. One answer might be that you should only preemptively send this stuff > when you have previously (and recently?) been challenged by the "same" > server, and then send only the credentials that resulted from that > challenge. But even then there is a question of what "same" means. So > this needs some explanatory text. The writeup for Digest give some of > this, though it could probably stand to be improved. > > This gets more complex if you consider use with Proxy-Authenticate. This > mostly gets into the theoretical since I have never heard of it being > used in practice. It makes things complicated since in theory there > could be multiple proxies on the path, and they of necessity challenge > one at a time. To complete the request you then must supply a suitable > credential for each of the proxies on the path. AFAIK that has never > been satisfactorily explained. So I guess I would give you a pass if you > put in a disclaimer that using this for Proxy-Authenticate is outside > the scope of this document. > Ok. Regards, Rifaat > > Thanks, > Paul >
- [sipcore] I-D Action: draft-ietf-sipcore-sip-toke… internet-drafts
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Rifaat Shekh-Yusef
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Paul Kyzivat
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Rifaat Shekh-Yusef
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Paul Kyzivat
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Rifaat Shekh-Yusef
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Christer Holmberg
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Paul Kyzivat
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Rifaat Shekh-Yusef
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Christer Holmberg
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Paul Kyzivat