Re: [sipcore] Draft new version: draft-ietf-sipcore-sip-token-authnz-14 (was: Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13)

Paul Kyzivat <pkyzivat@alum.mit.edu> Sat, 02 May 2020 13:33 UTC

To: sipcore@ietf.org
References: <27C3E7FD-D540-4846-9805-08358F39713A@ericsson.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <b7c1300a-7e1e-8f9b-88fa-83fadd5cd406@alum.mit.edu>
Date: Sat, 02 May 2020 09:32:49 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/XmMRMYrzVmie_DkajctT17ryjQs>

Christer,

I scanned the diff for this and noted a few things:

* In section 2.1.1 the edit to the 3rd paragraph has some mis-edits:

In "the UAC uses it to to request", s/to to/to/

In "before the currently used access token expires token", s/expires token/expires/

* In section 2.1.2 some more mis-editing: s/makes have use of/makes use of/

* Section 2.1.2 also says "TLS can still be used for protecting traffic 
between SIP endpoints and the AS." This is only true if there is a 
direct TLS connection between the endpoint and the AS.  How can that be 
assured?

Isn't the general point that TLS can be used to secure the content if 
the connection is direct between the UAC and the UAS? (But I don't know 
how you can assure that other than by knowledge about the network 
architecture in which the UAC is operating.)

I didn't notice any other issues.

	Thanks,
	Paul

On 4/30/20 8:08 AM, Christer Holmberg wrote:
> Hi,
> 
> Based on the IESG reviews, we have submitted a new version (-14) of draft-ietf-sipcore-sip-token-authnz.
> 
> We believe and hope that all issues raised in the IESG reviews have been addressed, but please take a look.
> 
> A big Thank You for all the comments and suggestions! :)
> 
> Regards,
> 
> Christer
> 
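The hop-by-hop nature of SIP transport security that Paul raises above is easy to see in the message itself: per RFC 3261, every proxy that forwards a request prepends its own Via header field, and each of those proxies terminates TLS and sees the whole request, including an Authorization header carrying a bearer token. The following is an added example, not code from the sipcore thread or from the draft; the two REGISTER messages are constructed samples. It lists the Via hops of a request and reports which intermediaries would have had the token in the clear, so that a registrar or AS operator can tell whether "exactly one TLS hop" actually held. It cannot detect a B2BUA, which originates a fresh request with its own single Via, which is exactly why Paul's caveat about needing knowledge of the network architecture stands.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a REGISTER that passed through one proxy before reaching
# the registrar. The bottom Via is the UAC, the top Via is the proxy.
SAMPLE_REGISTER = (
    "REGISTER sip:registrar.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS proxy.example.com:5061;branch=z9hG4bK776asdhds\r\n"
    "Via: SIP/2.0/TLS uac.example.com:5061;branch=z9hG4bKnashds8\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Authorization: Bearer constructed.example.token\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the same REGISTER sent directly from the UAC over TLS.
DIRECT_REGISTER = (
    "REGISTER sip:registrar.example.com SIP/2.0\r\n"
    "v: SIP/2.0/TLS uac.example.com:5061;branch=z9hG4bKnashds8\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Authorization: Bearer constructed.example.token\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(message: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs of a SIP message in wire order.

    Unfolds continuation lines (leading SP/HTAB), lower-cases names and
    expands the compact form 'v' of Via. The body after the blank line is ignored.
    """
    head = message.split("\r\n\r\n", 1)[0]
    unfolded: List[str] = []
    for line in head.split("\r\n")[1:]:  # drop the request line
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    headers: List[Tuple[str, str]] = []
    for line in unfolded:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        headers.append(("via" if name == "v" else name, value.strip()))
    return headers


# Transport and sent-by of one Via value, e.g. "SIP/2.0/TLS host:5061;branch=..."
VIA_RE = re.compile(r"SIP/2\.0/(?P<transport>[A-Za-z]+)\s+(?P<sent_by>[^;,\s]+)")


def via_hops(message: str) -> List[Tuple[str, str]]:
    """List (transport, sent-by) for every Via value, top (nearest receiver) first.

    One Via header field may carry several comma-separated values, so each
    field is split before matching.
    """
    hops: List[Tuple[str, str]] = []
    for name, value in parse_headers(message):
        if name != "via":
            continue
        for part in value.split(","):
            m = VIA_RE.search(part)
            if m:
                hops.append((m.group("transport").upper(), m.group("sent_by")))
    return hops


def bearer_token(message: str) -> Optional[str]:
    """Return the bearer token from the Authorization header, if any."""
    for name, value in parse_headers(message):
        if name == "authorization" and value.lower().startswith("bearer "):
            return value[len("bearer "):].strip()
    return None


def assess_token_path(message: str) -> Dict[str, object]:
    """Summarise how far a bearer token travelled before reaching this receiver.

    'direct' is true only for a single Via, i.e. no proxy forwarded the request.
    'token_seen_by' lists every hop except the originating UAC (the bottom Via),
    since each forwarding proxy terminated its TLS hop and read the request.
    """
    hops = via_hops(message)
    token = bearer_token(message)
    intermediaries = [sent_by for _, sent_by in hops[:-1]]
    return {
        "token_present": token is not None,
        "direct": len(hops) == 1,
        "inbound_hop_tls": bool(hops) and hops[0][0] == "TLS",
        "all_hops_tls": bool(hops) and all(t == "TLS" for t, _ in hops),
        "token_seen_by": intermediaries if token is not None else [],
    }


if __name__ == "__main__":
    for label, msg in (("via proxy", SAMPLE_REGISTER), ("direct", DIRECT_REGISTER)):
        print(label, assess_token_path(msg))
```

Note that "all_hops_tls" being true is not the same as the token being protected end to end: in the first sample every hop is TLS, yet proxy.example.com still held the token in the clear. A receiver that wants to rely on the draft's "TLS to the AS" argument should require `direct` to be true as well, and remember that even that check is only as good as the assumption that no B2BUA sits in front of it.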