IETF Logo Mail Archive

Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13 - DISCUSS Reply

Benjamin Kaduk <kaduk@mit.edu> Mon, 27 April 2020 17:36 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D83FE3A123A; Mon, 27 Apr 2020 10:36:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id COb1GvV9SZ54; Mon, 27 Apr 2020 10:35:59 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60ABE3A1237; Mon, 27 Apr 2020 10:35:58 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 03RHZmwL015533 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 27 Apr 2020 13:35:50 -0400
Date: Mon, 27 Apr 2020 10:35:48 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, The IESG <iesg@ietf.org>, "draft-ietf-sipcore-sip-token-authnz@ietf.org" <draft-ietf-sipcore-sip-token-authnz@ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, SIPCORE <sipcore@ietf.org>, Jean Mahoney <mahoney@nostrum.com>
Message-ID: <20200427173548.GB27494@kduck.mit.edu>
References: <158766991009.32224.6031347936963900326@ietfa.amsl.com> <CAGL6epJR916uMf-eeihvRyZRD3u-CR73v=C0pRGmbCi_tmbPEw@mail.gmail.com> <6EBE66ED-E26B-4B92-B776-1F799E095DB7@ericsson.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <6EBE66ED-E26B-4B92-B776-1F799E095DB7@ericsson.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/bED73Z7oYGtpInf_fRNealB-TPw>
Subject: Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13 - DISCUSS Reply
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Apr 2020 17:36:01 -0000

On Sat, Apr 25, 2020 at 11:27:34PM +0000, Christer Holmberg wrote:
> Hi Benjamin,
>  
> >> Section 2.3 states that:
> >>
> >>   When a proxy wishes to authenticate a received request, it MUST
> >>   search the request for Proxy-Authorization header fields with 'realm'
> >>   parameters that match its realm.  It then MUST successfully validate
> >>
> >> https://tools.ietf.org/html/rfc7235#section-4.4 suggests that it is not
> >> expected to have a sequence or list of Proxy-Authorization header fields
> >> present in a single request that are intended to be interpreted by different
> > proxies.  Is this text compatible with that part of RFC 7235? 
> 
> RFC 3261 allows multiple Proxy-Authorization header fields.

Ah, thanks.

> > Furthermore, I didn't find much guidance in 7235 or 3261 about when to include the
> > "realm" parameter in Proxy-Authorization; do we want to give any guidance
> > here?  (That is to say, I almost didn't find where it was even defined as
> > possible to do so...)
> 
> I think it is clear from Section 22.3 (and the example in Section 20.28) in RFC 3261 that the "realm" is included in the Proxy-Authorization header field.

So it is, thanks for the pointer and sorry for having missed it.

> If we think 7235 and/or 3261 needs to be improved regarding that I think it is a separate task, outside the scope of this document.

Okay; in light of the above I don't see a pressing need to do anything in
this document.

Thanks,

Ben

> (The thread Rifaat mentioned is not really related to this. It is whether the UAC provides credentials for one or more schemes.)
> 
> Regards,
> 
> Christer
> 
> 
> 
>

v2.23.0 | Report a Bug | By Email