IETF Logo Mail Archive

Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Paul Kyzivat <pkyzivat@alum.mit.edu> Wed, 10 July 2019 23:00 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A78501200C7 for <sipcore@ietfa.amsl.com>; Wed, 10 Jul 2019 16:00:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iaY-HHunsP1K for <sipcore@ietfa.amsl.com>; Wed, 10 Jul 2019 16:00:24 -0700 (PDT)
Received: from outgoing-alum.mit.edu (outgoing-alum.mit.edu [18.7.68.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 820211200B9 for <sipcore@ietf.org>; Wed, 10 Jul 2019 16:00:24 -0700 (PDT)
Received: from PaulKyzivatsMBP.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id x6AN02vA000796 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 10 Jul 2019 19:00:03 -0400
To: Christer Holmberg <christer.holmberg@ericsson.com>, "sipcore@ietf.org" <sipcore@ietf.org>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu> <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com> <5bb63c0c-130d-7f69-10b0-1ed1b274cc58@alum.mit.edu> <87AD4BB8-CE77-4FD7-BB72-6643DF513058@ericsson.com> <168b1354-b35b-edee-e5f9-d4ddbecfae40@alum.mit.edu> <607A513F-8616-4777-8B5E-59390E845709@ericsson.com> <b6ca4c79-5a17-10da-3882-20bc8b0e9b98@alum.mit.edu> <89A28FAE-A25A-4AFF-9A94-91E09FDD6C3B@ericsson.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <2aa8cb91-aac6-b66e-e54a-b9f6c650ce02@alum.mit.edu>
Date: Wed, 10 Jul 2019 19:00:02 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <89A28FAE-A25A-4AFF-9A94-91E09FDD6C3B@ericsson.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/VdGxv4s6fRmbALw_vlaQefdHDPQ>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2019 23:00:26 -0000

On 7/10/19 11:53 AM, Christer Holmberg wrote:
> Hi,
> 
>>> OAuth allows you to re-use the token as many times as you want (until it expires) for the same service. So, for SIP, re-using the token in binding refresh REGISTER requests is fine.
>>>
>>> But, you should not re-use a token you got for one "service" (e.g., your registration authentication) with another "service" (e.g., user-to-user authentication for a SIP call). It most likely wouldn't even work.
>>     
>>     Is the token somehow bound to the "registration service"? (Whatever that is.)
>>   
>>     ISTM that the token is bound to the parameters from www-authenticate
>>     were used in the process of obtaining the token. And so presumably the
>>     token should be applicable to any other use that provokes a
>>     www-authenticate with the same values of those parameters.
> 
> Yes.
> 
>>     So, if I use a token in REGISTER, and then I do a SUBSCRIBE and get
>>     challenged the same way I would expect to use the same token for that.
>>     And I might decide to preemptively use the same token in the SUBSCRIBE
>>     if it is being sent to the same target.
> 
> Yes.
> 
>>     Based on analogies to Digest, I would expect that after receiving a
>>     Bearer challenge and fetching a matching token I would then add that
>>     token to a key ring, indexed by some (which?) of the parameters from the
>>     www-authenticate. And then in the future for new requests I would look
>>     on the key ring for keys (credentials/tokens) suitable for use on this
>>     request. (When doing this I might find either Digest or Bearer
>>     credentials, or maybe both.)
>>     
>>     Am I missing something?
>    
> No __
> 
> In the case you describe, you should be able to use the same token.
> 
> All I am saying is that one should not send a token to someone that it has NOT been issued for.

Then you are saying that a token should *never* be included in a request 
to a target for which you have not received a challenge some time in the 
past.

That is a bit extreme, but I guess you can specify that if you think it 
is the right thing to do.

But note that this logic won't always work for Proxy-Authenticate. You 
*might* know that a particular proxy will be visited (if it is mentioned 
on a Route header), but it is pretty common for the request to visit 
proxies unknown (at least in advance) to the UAC.

	Thanks,
	Paul

v2.23.0 | Report a Bug | By Email