Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT)

Paul Kyzivat <pkyzivat@alum.mit.edu> Sat, 25 April 2020 18:43 UTC

To: "Olle E. Johansson" <oej@edvina.net>, Christer Holmberg <christer.holmberg@ericsson.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>, "draft-ietf-sipcore-sip-token-authnz@ietf.org" <draft-ietf-sipcore-sip-token-authnz@ietf.org>, "sipcore@ietf.org" <sipcore@ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>
References: <158766991009.32224.6031347936963900326@ietfa.amsl.com> <60a98de4-a8cd-5910-17f9-6849d71f4d8e@alum.mit.edu> <B61DF7BD-C304-47AA-AB10-2095CC621E5A@edvina.net> <79245079-4BE2-4CA1-9B8F-E7E71AD38458@ericsson.com> <20200424201316.GX27494@kduck.mit.edu> <34A7E724-6E92-4C66-95B5-22F3A22F8CE3@ericsson.com> <F656768B-546F-4FA9-861C-671A2C8286EA@edvina.net>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <f118fa74-1387-659f-9875-b35ce46caca1@alum.mit.edu>
Date: Sat, 25 Apr 2020 14:43:04 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/atDfNNJHRFnYFQOgbAUPH0PGnys>
Subject: Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT)

On 4/25/20 2:42 AM, Olle E. Johansson wrote:

>>    NOTE: At the time of writing this specification, detailed procedures for the cases where a UAC receives multiple
>>    different authentication schemes had not been defined. A future specification might define such procedures.
>>
> Until we have a point where we know we can securely handle multiple authentication schemes from the same UAS,
> I think we should recommend one policy per realm and/or domain.
> 
> That will mean that until we have the BCP we determine method per device - new devices get the challenge
> that they support and we limit the possibilities of downgrade attacks.

I don't understand what you are suggesting here.

Is it that the UAS should only challenge with one scheme? That could be 
problematic, since it means either only use Digest, or else use Bearer 
and fail to work with any device that doesn't support it. (Can you say 
"flag day"?)

Or do you mean that the UAC should only respond with credentials for one 
of the schemes it receives challenges for?

	Thanks,
	Paul
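The exchange above turns on what a UAC should do when a 401 carries both a Digest and a Bearer challenge, and whether answering the weaker one opens a downgrade. The following is an added example, not code from this thread, from the draft, or from any SIP implementation: it parses the WWW-Authenticate headers of a constructed 401 and applies an assumed UAC policy (answer the strongest supported scheme; remember the strongest scheme each realm has offered; treat a later challenge from that realm that offers only something weaker as a suspected downgrade). The scheme ranking, the per-realm memory, the `DowngradeSuspected` exception and both SIP messages are illustrative assumptions, not anything the draft specifies.

```python
"""Added example (not from the sipcore thread or the draft): a UAC-side policy
for choosing one scheme when a SIP 401 carries several challenges.

The quoted NOTE leaves multi-scheme handling undefined. The policy here is an
assumption for illustration: answer the strongest supported scheme, and flag a
realm that earlier offered a stronger scheme but now offers only a weaker one.
Both SIP messages below are constructed, not captured traffic.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: one 401 offering both a Bearer and a Digest challenge.
SAMPLE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/TLS client.example.com;branch=z9hG4bK776asdhds\r\n"
    "To: <sip:alice@example.com>;tag=1410948204\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    'WWW-Authenticate: Bearer realm="example.com",'
    ' authz_server="https://as.example.com/authorize",'
    ' token_server="https://as.example.com/token"\r\n'
    'WWW-Authenticate: Digest realm="example.com",'
    ' qop="auth", nonce="f84f1cec41e6cbe5aea9c8e88d359",'
    ' opaque="", stale=FALSE, algorithm=MD5\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the same realm later offering Digest only.
DIGEST_ONLY_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Call-ID: a84b4c76e66711\r\n"
    "CSeq: 2 REGISTER\r\n"
    'WWW-Authenticate: Digest realm="example.com",'
    ' qop="auth", nonce="5a3b9c1d2e4f60718293a4b5c6d7e8f9",'
    ' algorithm=MD5\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# Assumed preference order (illustrative, not from the draft): higher is preferred.
SCHEME_RANK = {"digest": 1, "bearer": 2}

# token=value or token="quoted" pairs; handles escaped quotes inside values.
_PARAM_RE = re.compile(r'([A-Za-z_][\w-]*)\s*=\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')


class DowngradeSuspected(Exception):
    """A realm that once offered a stronger scheme now offers only weaker ones."""


def parse_challenges(message: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return [(scheme, params), ...] for each WWW-Authenticate header, in order.

    One challenge per header line is assumed; folded headers and several
    comma-joined challenges in a single header are not handled here.
    """
    head = message.split("\r\n\r\n", 1)[0]
    challenges = []
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        scheme, _, rest = value.strip().partition(" ")
        params = {}
        for key, raw in _PARAM_RE.findall(rest):
            params[key.lower()] = raw[1:-1] if raw.startswith('"') else raw
        challenges.append((scheme.lower(), params))
    return challenges


class UacSchemePolicy:
    """Assumed UAC policy: strongest supported scheme, no silent per-realm downgrade."""

    def __init__(self, supported):
        self.supported = {s.lower() for s in supported}
        self.best_seen: Dict[str, int] = {}  # realm -> strongest rank offered so far

    def select(self, message: str) -> Optional[str]:
        """Choose the scheme to answer, or None if nothing offered is supported."""
        usable = [(s, p) for s, p in parse_challenges(message) if s in self.supported]
        if not usable:
            return None
        scheme, params = max(usable, key=lambda c: SCHEME_RANK.get(c[0], 0))
        realm = params.get("realm", "")
        rank = SCHEME_RANK.get(scheme, 0)
        if rank < self.best_seen.get(realm, 0):
            raise DowngradeSuspected(f"{realm!r} offered only {scheme!r} after a stronger scheme")
        self.best_seen[realm] = max(rank, self.best_seen.get(realm, 0))
        return scheme


if __name__ == "__main__":
    policy = UacSchemePolicy(["Digest", "Bearer"])
    print("first 401 ->", policy.select(SAMPLE_401))
    try:
        policy.select(DIGEST_ONLY_401)
    except DowngradeSuspected as exc:
        print("second 401 ->", exc)
```

A Digest-only device (constructed as `UacSchemePolicy(["Digest"])`) still interoperates with the mixed challenge, which is the "flag day" concern; the downgrade check only fires for a UAC that has already seen the realm offer Bearer.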