Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

I am fine with referring to the OAuth definition.
Anybody has an issue with this?

Regards,
 Rifaat

On Wed, Jul 10, 2019 at 8:02 AM Olle E. Johansson <oej@edvina.net> wrote:

>
>
> On 10 Jul 2019, at 13:51, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
> wrote:
>
>
>
> On Wed, Jul 10, 2019 at 3:08 AM Olle E. Johansson <oej@edvina.net> wrote:
>
>>
>>
>> On 9 Jul 2019, at 23:16, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
>> wrote:
>>
>> This document is specifically focused on *confidential *UAs.
>> UAs running in the browser, public UAs, will be addressed in a separate
>> document.
>>
>> Maybe you should make that more clear, as it is very confusing
>> terminology… I see that section 1..2 in your draft defines theses
>> types, based on RFC 6749. You apply it to the term “UA” which I think
>> confuses things. A “public UA” may have support
>> for confidentiality, but not from an Oauth point of view. I think we
>> should look for other terms for this.
>>
>>
> Any suggested text?
>
> I carefully avoided any suggestions… Was hoping someone on the mailling
> list would step forward with
> some brilliant new terminology. :-)
>
> Maybe just reverting to OAuth terminology with “public clients and
> confidential clients” to avoid setting our own terms
> and directly refer terminology to Oauth specs. I still don’t like
> “confidential client” when they really mean “something
> that at least doesn’t show what they do in source code but may still be
> totally insecure”...
>
> Yeah, I know that’s a boring suggestion.
>
> /O :-)
>
>
>
>
>> In addition, I don’t find any text in your draft indicating that “Public
>> UAs” is out of scope.
>>
>>
> I will fix that.
>
> Thanks,
>  Rifaat
>
>
>
>> /O
>>
>>
>> Regards,
>>  Rifaat
>>
>>
>> On Tue, Jul 9, 2019 at 3:29 PM Roman Shpount <roman@telurix.com> wrote:
>>
>>> On Tue, Jul 9, 2019 at 3:11 PM Christer Holmberg <
>>> christer.holmberg@ericsson.com> wrote:
>>>
>>>> >> As far as I know, OAuth for SIP has only been used for REGISTER
>>>> requests, between the UA and the registrar.
>>>> >> I have never heard about anyone using it for non-REGISTER
>>>> authentication, and I wonder whether we even need
>>>> >> to cover it in the draft. We could limit the scope the REGISTER
>>>> requests. Then, if anyone ever needs OAuth for non-REGISTER requests, a
>>>> separate draft can be written.
>>>> >
>>>> > Really? Normally, for a secure solution, every SIP request, including
>>>> requests sent by UA in dialog established from the
>>>> > server to the registered end point must be authenticated. OAuth for
>>>> REGISTRER requests only is kind of useless since it
>>>> > does not allow UA to send any messages to the server without some
>>>> additional authentication mechanism.
>>>>
>>>> Not sure what you mean by "secure solution", but UAs can still use SIP
>>>> Digest authentication.
>>>>
>>>> What I am saying is that only use-case for SIP OAuth I am aware of is
>>>> for REGISTER.
>>>>
>>>> How do they get these SIP Digest credentials?
>>>
>>> I am looking at a very simple SIP-Over-Websockets client scenario:
>>>
>>> User logs into the web site which uses OAuth. UA, running in the browser
>>> gets a token which is used to Register UA with a SIP proxy.
>>>
>>> What credentials is UA using to place a call (send INVITE to the proxy)?
>>> If a call comes in from the proxy to UA, what credentials is UA using to
>>> hang up the call (send BYE message)?
>>>
>>> Best Regards,
>>> _____________
>>> Roman Shpount
>>>
>>> _______________________________________________
>>> sipcore mailing list
>>> sipcore@ietf.org
>>> https://www.ietf.org/mailman/listinfo/sipcore
>>>
>> _______________________________________________
>> sipcore mailing list
>> sipcore@ietf.org
>> https://www.ietf.org/mailman/listinfo/sipcore
>>
>>
>> _______________________________________________
> sipcore mailing list
> sipcore@ietf.org
> https://www.ietf.org/mailman/listinfo/sipcore
>
>
>