Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Tue, 09 July 2019 15:42 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, "sipcore@ietf.org" <sipcore@ietf.org>
Thread-Topic: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
Thread-Index: AQHVNLWxruT/m/C2REGBvr04oIfCDqa/Al8AgAHwRACAACa0QIAAOvWAgACKbgCAAH00gIAARqSA
Date: Tue, 09 Jul 2019 15:42:02 +0000
Message-ID: <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu>
In-Reply-To: <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/Tutkv1jDCUhStvy_AkHbWr00Ue8>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Hi,

>> As I said in another reply, if you by default place a REGISTER token in a non-REGISTER request the token may reach the remote peer, which could be a security concern.
>
> I would like to hear more about this. Is there something about the token
> that reveals stuff that might not be suitable to expose to everyone? I
> personally don't know. This seems like something that ought to be
> discussed in security considerations.

The token itself does not reveal anything, but in OAuth the token is used to access the requested resource, so it is considered sensitive information.

As far as I know, OAuth for SIP has only been used for REGISTER requests, between the UA and the registrar. I have never heard of anyone using it for non-REGISTER authentication, and I wonder whether we even need to cover it in the draft. We could limit the scope to REGISTER requests. Then, if anyone ever needs OAuth for non-REGISTER requests, a separate draft can be written.

Regards,

Christer
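The concern raised in this exchange (a bearer token attached by default to a non-REGISTER request can travel beyond the registrar to the remote peer) can be made concrete on the UA side. The following is an added example, not code from the sipcore thread or from draft-ietf-sipcore-sip-token-authnz: it assumes the token is carried as `Authorization: Bearer <token>` in the same shape as the HTTP Bearer scheme, and uses hypothetical helper names (`should_carry_token`, `build_request`, `find_token_leaks`) and constructed sample messages. It implements the scoping Christer proposes, token only in REGISTER toward the UA's own registrar, and adds an egress check that flags any non-REGISTER request about to leave with a Bearer credential, while leaving challenge-bound Digest credentials alone.

```python
"""Added example, not from the sipcore thread or the draft it discusses: a
small SIP UA-side policy that carries an OAuth bearer token only in REGISTER
requests to the UA's own registrar, plus an egress check that flags any
non-REGISTER request about to leave with a Bearer credential."""
import re
from typing import Dict, List, Tuple

# Matches a Bearer credential (HTTP Bearer scheme shape) in a credentials header.
BEARER_RE = re.compile(r"^Bearer\s+\S+", re.IGNORECASE)

# Constructed placeholder; not a real access token.
TOKEN = "EXAMPLE.ACCESS.TOKEN"


def parse_sip_request(raw: str) -> Tuple[str, str, Dict[str, List[str]]]:
    """Parse the request line and headers of a SIP request (body ignored).
    Header names are lower-cased; repeated headers keep all their values."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, request_uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, request_uri, headers


def uri_host(uri: str) -> str:
    """Host part of a sip:/sips: URI such as sip:bob@example.com:5060;transport=tcp."""
    hostport = uri.split(":", 1)[1].rsplit("@", 1)[-1]
    return hostport.split(";")[0].split(":")[0].lower()


def should_carry_token(method: str, request_uri: str, registrar_domain: str) -> bool:
    """Policy from the thread: the token travels only in REGISTER to our registrar."""
    return method == "REGISTER" and uri_host(request_uri) == registrar_domain.lower()


def build_request(method: str, request_uri: str, to: str, from_: str,
                  token: str, registrar_domain: str) -> str:
    """Serialize a minimal SIP request, attaching the token only when policy allows."""
    lines = [f"{method} {request_uri} SIP/2.0", f"To: {to}", f"From: {from_}"]
    if should_carry_token(method, request_uri, registrar_domain):
        lines.append(f"Authorization: Bearer {token}")
    return "\r\n".join(lines) + "\r\n\r\n"


def find_token_leaks(raw_messages: List[str]) -> List[Tuple[str, str]]:
    """Egress check: return (method, request_uri) for every non-REGISTER request
    carrying a Bearer credential in Authorization or Proxy-Authorization.
    Digest credentials are ignored: they are challenge-bound, not reusable tokens."""
    leaks = []
    for raw in raw_messages:
        method, request_uri, headers = parse_sip_request(raw)
        if method == "REGISTER":
            continue
        creds = headers.get("authorization", []) + headers.get("proxy-authorization", [])
        if any(BEARER_RE.match(v) for v in creds):
            leaks.append((method, request_uri))
    return leaks


# Constructed sample traffic: a REGISTER built under the policy, an INVITE built
# under the policy, a hand-made INVITE that would carry the token to a remote
# peer, and an INVITE with a Digest credential (not a leak).
SAMPLE_MESSAGES = [
    build_request("REGISTER", "sip:example.com", "<sip:alice@example.com>",
                  "<sip:alice@example.com>;tag=1", TOKEN, "example.com"),
    build_request("INVITE", "sip:bob@remote.example", "<sip:bob@remote.example>",
                  "<sip:alice@example.com>;tag=2", TOKEN, "example.com"),
    ("INVITE sip:bob@remote.example SIP/2.0\r\n"
     "To: <sip:bob@remote.example>\r\nFrom: <sip:alice@example.com>;tag=3\r\n"
     f"Authorization: Bearer {TOKEN}\r\n\r\n"),
    ("INVITE sip:carol@example.com SIP/2.0\r\n"
     "To: <sip:carol@example.com>\r\nFrom: <sip:alice@example.com>;tag=4\r\n"
     'Proxy-Authorization: Digest username="alice", realm="example.com", '
     'nonce="constructed", response="00000000000000000000000000000000"\r\n\r\n'),
]

if __name__ == "__main__":
    # Only the hand-made INVITE is reported.
    print(find_token_leaks(SAMPLE_MESSAGES))
```

The policy check keys on both the method and the Request-URI host, so a REGISTER aimed at some other domain does not get the token either; the egress check is the detection counterpart and is cheap enough to run on every outgoing request in a UA or an outbound proxy.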