Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Tue, 09 July 2019 16:24 UTC

From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Tue, 09 Jul 2019 12:24:23 -0400
Message-ID: <CAGL6epJH_YHXKA_EMXm008Bfu6KOfyTRY7a5D7s1C+_hywXYzQ@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: Paul Kyzivat <pkyzivat@alum.mit.edu>, "sipcore@ietf.org" <sipcore@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/UAOl9fpR6fBIdLqJvC5B361xv1s>

On Tue, Jul 9, 2019 at 11:43 AM Christer Holmberg <christer.holmberg@ericsson.com> wrote:

> Hi,
>
> >> As I said in another reply, if you by default place a REGISTER token in
> >> a non-REGISTER request the token may reach the remote peer, which could be
> >> a security concern.
> >
> > I would like to hear more about this. Is there something about the token
> > that reveals stuff that might not be suitable to expose to everyone? I
> > personally don't know. This seems like something that ought to be
> > discussed in security considerations.
>
> The token itself does not reveal anything,


That depends on the type of token.
A JWT might contain data that must be protected for privacy reasons.


> but in OAuth the token is used to access the requested resource, so it is
> considered sensitive information.
>
>
Yeah, because these are *bearer* tokens, they are not bound to a specific UA.
There are ways to bind a token to a specific UA (see RFC7800), but this is
out of scope for this document.

Regards,
 Rifaat

> As far as I know, OAuth for SIP has only been used for REGISTER requests,
> between the UA and the registrar. I have never heard about anyone using it
> for non-REGISTER authentication, and I wonder whether we even need to cover
> it in the draft. We could limit the scope to REGISTER requests. Then, if
> anyone ever needs OAuth for non-REGISTER requests, a separate draft can be
> written.
>
> Regards,
>
> Christer
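The two points raised above (a JWT's claims are readable by whoever holds it, and a bearer token that ends up in a non-REGISTER request can be replayed by the remote peer unless it is bound to the UA) can be shown in a few lines. The following is an added example for this archive page, not code from the draft, from either author, or from any SIP implementation. It abstracts the SIP exchange to a token string in an Authorization header, and the keys, names, nonce handling and the HMAC "proof" format are assumptions made for the illustration; RFC 7800 defines the `cnf` claim (here in its `kid` form) but not this particular proof exchange, and the draft itself, as the thread says, does not cover binding at all.

```python
from typing import Optional
import base64
import hashlib
import hmac
import json
import secrets
import time

# All keys and names below are constructed for this example.
AS_KEY = b"constructed-authorization-server-key"          # assumed HS256 key shared by AS and registrar
REGISTRAR = "registrar.example.com"                        # assumed audience of the token
UA_KEYS = {"alice-ua-1": b"constructed-key-held-only-by-alice-ua"}  # assumed RFC 7800 "kid" -> key table


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes = AS_KEY) -> str:
    """Authorization server side: HS256 JWS compact serialization (RFC 7515/7519)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_claims(token: str) -> dict:
    """Anyone holding the token reads its claims; a JWS is signed, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, key: bytes = AS_KEY) -> dict:
    """Registrar side: signature, audience and expiry checks."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("aud") != REGISTRAR or claims.get("exp", 0) < time.time():
        raise ValueError("wrong audience or expired")
    return claims


def make_proof(ua_key: bytes, method: str, nonce: str) -> str:
    """Assumed proof-of-possession format: HMAC over the method and a registrar nonce."""
    return hmac.new(ua_key, f"{method}:{nonce}".encode(), hashlib.sha256).hexdigest()


def registrar_accepts(method: str, token: str, nonce: str, proof: Optional[str]) -> bool:
    """Accept a request if the token verifies and, when the token carries an
    RFC 7800 'cnf' claim, the sender also proves possession of the bound key."""
    try:
        claims = verify_jwt(token)
    except ValueError:
        return False
    cnf = claims.get("cnf")
    if cnf is None:
        return True                       # plain bearer token: holding it is enough
    ua_key = UA_KEYS.get(cnf.get("kid"))
    if ua_key is None or proof is None:
        return False
    return hmac.compare_digest(make_proof(ua_key, method, nonce), proof)


def leak_and_replay(pop_bound: bool) -> dict:
    """Alice REGISTERs, then copies the same token into an INVITE to Bob. Bob,
    the remote peer, lifts it from the INVITE and tries to REGISTER as Alice."""
    claims = {"sub": "alice", "aud": REGISTRAR, "exp": int(time.time()) + 300}
    if pop_bound:
        claims["cnf"] = {"kid": "alice-ua-1"}   # RFC 7800 confirmation claim, "kid" form
    token = issue_jwt(claims)

    nonce = secrets.token_hex(8)               # fresh challenge from the registrar
    proof = make_proof(UA_KEYS["alice-ua-1"], "REGISTER", nonce) if pop_bound else None
    alice_registered = registrar_accepts("REGISTER", token, nonce, proof)

    invite = {"Authorization": f"Bearer {token}"}        # token placed in a non-REGISTER request
    stolen = invite["Authorization"].split(" ", 1)[1]    # Bob reads it off the forwarded INVITE

    bob_nonce = secrets.token_hex(8)
    bob_accepted = registrar_accepts("REGISTER", stolen, bob_nonce, None)  # Bob holds no alice-ua-1 key
    return {
        "alice_registered": alice_registered,
        "bob_replay_accepted": bob_accepted,
        "claims_visible_to_bob": decode_claims(stolen),
    }


if __name__ == "__main__":
    print("bearer:", leak_and_replay(pop_bound=False))
    print("pop   :", leak_and_replay(pop_bound=True))
```

In the bearer case Bob's replay succeeds and he can read every claim in the token without any key, which is the privacy point about JWT contents; with the `cnf`-bound token the same stolen string is useless to him because the registrar demands a proof computed with a key only Alice's UA holds. Either way the token itself still leaked, so scoping the mechanism to REGISTER, as suggested above, removes the exposure rather than just the replay.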