Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Tue, 09 July 2019 16:28 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, "sipcore@ietf.org" <sipcore@ietf.org>
Date: Tue, 09 Jul 2019 16:28:43 +0000
Message-ID: <87AD4BB8-CE77-4FD7-BB72-6643DF513058@ericsson.com>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu> <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com> <5bb63c0c-130d-7f69-10b0-1ed1b274cc58@alum.mit.edu>
In-Reply-To: <5bb63c0c-130d-7f69-10b0-1ed1b274cc58@alum.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/WaRkWwm5PYgnafM48wipdHLErvE>

Hi,

>>>> As I said in another reply, if you by default place a REGISTER token in a non-REGISTER request the token may reach the remote peer, which could be a security concern.
>>>     
>>>     I would like to hear more about this. Is there something about the token
>>>     that reveals stuff that might not be suitable to expose to everyone? I
>>>     personally don't know. This seems like something that ought to be
>>>     discussed in security considerations.
>>>    
>> The token itself does not reveal anything, but in OAuth the token is used to access the requested resource, so it is considered sensitive information.
>> 
>> As far as I know, OAuth for SIP has only been used for REGISTER requests, between the UA and the registrar. I have never heard about anyone using
>> it for non-REGISTER authentication, and I wonder whether we even need to cover it in the draft. We could limit the scope to REGISTER requests.
>> Then, if anyone ever needs OAuth for non-REGISTER requests, a separate draft can be written.
>    
>    Yes, you can do that if you wish. But ISTM that the issues are largely 
>    the same so I don't know why you would do that.

The REGISTER request, and the token, will only reach the registrar.

Regards,

Christer
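The concern discussed in this exchange, that a token attached to a non-REGISTER request is forwarded past the registrar toward the remote peer, as an added example that is not part of the thread or of the draft: a small Python check that reports a Bearer token in any non-REGISTER request, plus a UA-side policy that lets the token through only on REGISTER. It assumes the token is carried as `Authorization: Bearer <token>` and that the sample requests (constructed here) use no header folding.

```python
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")  # RFC 3261 request line
CRED_HEADERS = ("authorization", "proxy-authorization")

def parse_sip_request(raw):
    """Return (method, request-URI, [(name, value), ...]); folded headers are not handled."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header: %r" % line)
        headers.append((name.strip(), value.strip()))
    return m.group(1), m.group(2), headers

def is_bearer(name, value):
    """True for credentials of the assumed form 'Authorization: Bearer <token>'."""
    return name.lower() in CRED_HEADERS and value[:7].lower() == "bearer "

def token_leak_findings(raw):
    """A Bearer token in a REGISTER stops at the registrar; in any other
    method it is forwarded with the request, so it is reported as a leak."""
    method, uri, headers = parse_sip_request(raw)
    if method == "REGISTER":
        return []
    return ["%s to %s carries a Bearer token in %s" % (method, uri, n)
            for n, v in headers if is_bearer(n, v)]

def register_only_policy(raw):
    """UA-side mitigation: drop Bearer credentials from every request except
    REGISTER. The request line and any body are passed through unchanged."""
    head, sep, body = raw.partition("\r\n\r\n")
    method, _, headers = parse_sip_request(raw)
    if method == "REGISTER":
        return raw
    kept = ["%s: %s" % (n, v) for n, v in headers if not is_bearer(n, v)]
    return "\r\n".join([head.split("\r\n")[0]] + kept) + sep + body

# Constructed sample requests; the token value is a placeholder, not a real credential.
SAMPLE_REGISTER = ("REGISTER sip:registrar.example.com SIP/2.0\r\n"
                   "To: <sip:alice@example.com>\r\n"
                   "Authorization: Bearer PLACEHOLDER_TOKEN\r\n\r\n")
SAMPLE_INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\n"
                 "To: <sip:bob@example.net>\r\n"
                 "Authorization: Bearer PLACEHOLDER_TOKEN\r\n\r\n")
```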