Re: [sipcore] No WebSocket level authentication scenario [was RE: I-D Action: draft-ietf-sipcore-sip-websocket-09.txt]
Paul Kyzivat <pkyzivat@alum.mit.edu> Wed, 26 June 2013 15:16 UTC
Partha,

Again, I'm not the one to answer. I'm just the chair, not the author.

Thanks,
Paul

On 6/24/13 8:47 PM, Parthasarathi R wrote:
> Paul,
>
> In case it is not mandatory to use authentication, the following statement
> in Sec 7 of the draft is not correct:
>
> "If no authentication is done at WebSocket level then SIP Digest
> authentication is required for every SIP request coming over the
> WebSocket connection."
>
> Please let me know your comment on the same.
>
> Thanks
> Partha
>
>> -----Original Message-----
>> From: sipcore-bounces@ietf.org [mailto:sipcore-bounces@ietf.org] On
>> Behalf Of Paul Kyzivat
>> Sent: Thursday, June 20, 2013 9:37 PM
>> To: sipcore@ietf.org
>> Subject: Re: [sipcore] No WebSocket level authentication scenario [was
>> RE: I-D Action: draft-ietf-sipcore-sip-websocket-09.txt]
>>
>> On 6/19/13 8:06 AM, DRAGE, Keith (Keith) wrote:
>>> I would not use RFC 3261 as justification for what should, or should
>>> not, be said about authentication. The current RFC 3261 would probably
>>> fail a security directorate review if it was attempted to be approved
>>> as an RFC now.
>>>
>>> (I'd also point out that for any security consideration of RFC 3261,
>>> one should also read RFC 5630.)
>>>
>>> So I would suggest you conduct an independent security evaluation of
>>> what is needed.
>>
>> I think we are in the midst of one with Stephen Farrell.
>>
>>> For the use case you give:
>>>
>>>> A website (a shop) offers a widget in which the visitor can click and
>>>> make a SIP call (+WebRTC) that will end in the callcenter of the
>>>> company, answered by an agent that will inform the user about the
>>>> product he is interested in. Why do we require WWW or SIP
>>>> authentication in this scenario?
>>>
>>> I'd suggest that the issue to be discussed is what happens when the
>>> action described results in a transaction of some form to a third party
>>> (in the SIP case a call). The visitor then includes information that
>>> will be relayed to the third party. Who does the third party rely on to
>>> ensure that information is authentically given by the visitor.
>>
>> I'm inclined to support Iñaki, that authentication of any sort shouldn't
>> be Mandatory to *Use*. Individual applications can decide when they
>> have uses that require authentication and when they don't.
>>
>> Thanks,
>> Paul
>>
>>> Regards
>>>
>>> Keith
>>>
>>>> -----Original Message-----
>>>> From: sipcore-bounces@ietf.org [mailto:sipcore-bounces@ietf.org] On Behalf
>>>> Of Iñaki Baz Castillo
>>>> Sent: 19 June 2013 12:32
>>>> To: Saúl Ibarra Corretgé
>>>> Cc: SIPCORE (Session Initiation Protocol Core) WG; Parthasarathi R
>>>> Subject: Re: [sipcore] No WebSocket level authentication scenario [was RE:
>>>> I-D Action: draft-ietf-sipcore-sip-websocket-09.txt]
>>>>
>>>> 2013/6/19 Saúl Ibarra Corretgé <saul@ag-projects.com>:
>>>>> Why is authentication a MUST? Let's assume that I'm using UDP and my
>>>>> proxy establishes a WS connection with a foreign domain's proxy because of
>>>>> NAPTR and my proxy supports acting as a WS client. It obviously won't be
>>>>> able to authenticate. Is this scenario supposed to be covered?
>>>>
>>>> Honestly I agree. I cannot find in RFC 3261 (or other RFCs) a
>>>> normative statement mandating authentication, regardless the request
>>>> comes from a UA.
>>>>
>>>> In another thread we are discussing about MTI authentication
>>>> mechanisms that must be implemented by SIP WS Clients and Servers.
>>>> IMHO that is correct, but mandating SIP authentication or WWW
>>>> authentication for ALL the scenarios seems inappropriate for me. I come
>>>> back to a use case:
>>>>
>>>> A website (a shop) offers a widget in which the visitor can click and
>>>> make a SIP call (+WebRTC) that will end in the callcenter of the
>>>> company, answered by an agent that will inform the user about the
>>>> product he is interested in. Why do we require WWW or SIP
>>>> authentication in this scenario?
>>>>
>>>> If WG agrees with this, I will remove the normative statements in
>>>> "Authentication" section, and instead address the MTI authentication
>>>> mechanisms.
>>>>
>>>> --
>>>> Iñaki Baz Castillo
>>>> <ibc@aliax.net>
>>>> _______________________________________________
>>>> sipcore mailing list
>>>> sipcore@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/sipcore