Re: [sipcore] Magnus Westerlund's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - the pull request

Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 28 April 2020 08:39 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/dbplBJ71RBXgFsH4LRQSSLwR0M8>

Hi,

I think keeping _ in authz is okay to do, and allowed by the syntax. So whether the
WG wants to correct this to have it align with the norm, or leave it as it is, is
up to the WG.

However, the changes did make me wonder about one thing: the inclusion of scope
and error. The ABNF constructs defined in RFC 6749 only include the value
part. So to my understanding they really should have a parameter-name = value
construct defined, like this:

scope-param = "scope" EQUAL DQUOTE scope DQUOTE
scope = <defined in RFC6749>
error-param = "error" EQUAL DQUOTE error DQUOTE
error = <defined in RFC6749>

The IANA section looks good. 

Cheers

Magnus


On Mon, 2020-04-27 at 19:50 +0000, Christer Holmberg wrote:
> Hi,
> 
> The following pull request commits contain the syntax and IANA changes based
> on Magnus' DISCUSS:
> 
> https://github.com/rifaat-ietf/draft-ietf-sipcore-sip-token-authnz/pull/7/commits/168086b4f1220620d063af07a3292b667e30ef37
> (Syntax)
> 
> https://github.com/rifaat-ietf/draft-ietf-sipcore-sip-token-authnz/pull/7/commits/22f810025d1bf8df45875e92e4d4c11d0f574693
> (IANA Considerations)
> 
> Please note the parameter name "authz_server". Following the naming style of
> other header field parameters it should perhaps be "authz-server". However,
> for backward compatibility I would prefer to not change it at this point.
> 
> Paul, I would appreciate if you could also take a look at these. Thanks!
> 
> Regards,
> 
> Christer
> 
> 
> 
> On 23/04/2020, 22.51, "Christer Holmberg" <christer.holmberg@ericsson.com>
> wrote:
> 
>     Hi Magnus,
>     
>     Thank You for the review! Please see inline.
>         
>         ----------------------------------------------------------------------
>         DISCUSS:
>         ----------------------------------------------------------------------
>         
>         > I think the resolution for these is rather straightforward; however,
>         > the implications of one are going to break deployed implementations.
>         >
>         > 1. Section 4:
>         >
>         > This is rather straightforward to resolve, but you do have a SIP
>         > syntax violation in these rules.
>         >
>         >       challenge  =/  ("Bearer" LWS bearer-cln *(COMMA bearer-cln))
>         >       bearer-cln = realm / scope / authz-server / error / auth-param
>         >       authz-server = "authz_server" EQUAL authz-server-value
>         >       authz-server-value = https-URI
>         >       realm = <defined in RFC3261>
>         >       auth-param = <defined in RFC3261>
>         >       scope = <defined in RFC6749>
>         >       error = <defined in RFC6749>
>         >       https-URI = <defined in RFC7230>
>         >
>         > So RFC 3261 defines the challenge construct as:
>         >
>         > challenge           =  ("Digest" LWS digest-cln *(COMMA digest-cln))  / other-challenge
>         >
>         > Where this extension needs to match the syntax of the other-challenge:
>         >
>         > other-challenge     =  auth-scheme LWS auth-param  *(COMMA auth-param)
>         >
>         > Where we need to look at:
>         > auth-param        =  auth-param-name EQUAL  ( token / quoted-string )
>         >
>         > Please note what is included in the "token" rule.
>         >      token       =  1*(alphanum / "-" / "." / "!" / "%" / "*"
>         >                     / "_" / "+" / "`" / "'" / "~" )
>         >
>         > The allowed syntax for https-URI in RFC 7230 is:
>         >
>         >    https-URI = "https:" "//" authority path-abempty [ "?" query ] [ "#" fragment ]
>         >
>         > Which includes "/", "?" and "#", which are not allowed in token. Thus, the
>         > URI included in the authz-server-value MUST be converted into a
>         > quoted-string to match the syntax rule.
>         
>         You are correct. We currently reference https-URI in RFC 7230, but the
>         definition in 7230 does not place quotes around it.
>     
>         The same applies to scope and error.
>     
>         So, we need to fix:
>     
>     OLD:
>     
>          authz-server = "authz_server" EQUAL authz-server-value
>     
>          scope = <defined in RFC6749>
>          error = <defined in RFC6749>
>     
>     NEW:
>     
>          authz-server = "authz_server" EQUAL DQUOTE authz-server-value DQUOTE
>     
>          scope-cln = DQUOTE scope DQUOTE
>          scope = <defined in RFC6749>
>          error-cln = DQUOTE error DQUOTE
>          error = <defined in RFC6749>
>     
>     
>     (I noted that Benjamin has some comments regarding the referenced
>     RFCs for the parameter values, but I will address that in the reply to his
>     review.)
>     
>     
>     -----
>     
>         > 2. In addition should not the "authz_server" be registered in the
>         > https://www.iana.org/assignments/sip-parameters/sip-parameters.xhtml#sip-parameters-12
>         > registry?
>         
>         I guess so. And, then I guess we also need to register "scope" and
>         "error".
>     
>         ----------------------------------------------------------------------
>         COMMENT:
>         ----------------------------------------------------------------------
>         
>         > An additional thing.
>         >
>         > Is SIP directly using the HTTP Authentication Schemes IANA registry
>         > (https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml#authschemes)
>         > or does it have its own tucked away somewhere? And if it is the
>         > former, should its references for the "bearer" add this RFC as a reference?
>         
>         SIP uses the HTTP registry.
>     
>     (The SIP registry does register a "digest" value, but that is for the
>     Security-XXX headers defined in RFC 3329)
>     
>     Regards,
>     
>     Christer          
>         
>         
>     
>     
> 
-- 
Cheers

Magnus Westerlund 


----------------------------------------------------------------------
Networks, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
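The syntax point argued in the DISCUSS above can be checked mechanically: an RFC 3261 auth-param value must be either a token or a quoted-string, so an https-URI (with "/", ":", "?" or "#") or an RFC 6749 scope containing spaces is only well-formed once it is carried inside DQUOTEs, while the "_" in the parameter name "authz_server" is fine because "_" is in the token rule. The following Python is an added example written for this page, not code from the draft, the pull request or either author. The token and quoted-string regexes follow the RFC 3261 rules quoted in the thread (UTF8-NONASCII is approximated as any non-ASCII code point, an assumption of this example), and the two sample challenges are constructed to show the before and after of the proposed fix.

```python
import re

# RFC 3261 "token" rule, as quoted in the DISCUSS:
#   token = 1*(alphanum / "-" / "." / "!" / "%" / "*" / "_" / "+" / "`" / "'" / "~")
TOKEN_RE = re.compile(r"^[A-Za-z0-9\-.!%*_+`'~]+$")

# RFC 3261 "quoted-string" = DQUOTE *(qdtext / quoted-pair) DQUOTE, where
#   qdtext      = LWS / %x21 / %x23-5B / %x5D-7E / UTF8-NONASCII
#   quoted-pair = "\" (%x00-09 / %x0B-0C / %x0E-7F)
# Assumption for this example: UTF8-NONASCII is approximated by any non-ASCII code point.
QUOTED_STRING_RE = re.compile(
    r'^"(?:[ \t\x21\x23-\x5B\x5D-\x7E]|[^\x00-\x7F]|\\[\x00-\x09\x0B\x0C\x0E-\x7F])*"$'
)


def is_token(value: str) -> bool:
    """True if value matches the RFC 3261 token rule."""
    return TOKEN_RE.fullmatch(value) is not None


def is_quoted_string(value: str) -> bool:
    """True if value matches the RFC 3261 quoted-string rule (DQUOTEs included)."""
    return QUOTED_STRING_RE.fullmatch(value) is not None


def auth_param_value_ok(value: str) -> bool:
    """RFC 3261: auth-param = auth-param-name EQUAL ( token / quoted-string )."""
    return is_token(value) or is_quoted_string(value)


def split_params(param_text: str) -> list:
    """Split a challenge's parameter list on COMMA, ignoring commas inside quoted-strings."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(param_text):
        ch = param_text[i]
        if in_quote and ch == "\\" and i + 1 < len(param_text):
            buf.append(ch)                 # keep quoted-pair intact
            buf.append(param_text[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def check_bearer_challenge(header: str) -> dict:
    """Return {param-name: (raw value, syntactically ok)} for a Bearer challenge.

    A value is ok when it is a token or a quoted-string; a bare https-URI or a
    scope with spaces is reported as a syntax violation, which is the point of
    the DISCUSS.
    """
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    result = {}
    for part in split_params(rest):
        name, eq, value = part.partition("=")
        name, value = name.strip(), value.strip()
        if not eq or not is_token(name):
            raise ValueError(f"malformed auth-param: {part!r}")
        result[name] = (value, auth_param_value_ok(value))
    return result


# Constructed sample challenges (not taken from the draft). The first follows the
# pre-fix ABNF (bare https-URI and bare scope); the second follows the DQUOTE fix.
UNQUOTED = ('Bearer realm="example.com", '
            'authz_server=https://as.example.com/token?x=1, scope=openid profile')
QUOTED = ('Bearer realm="example.com", '
          'authz_server="https://as.example.com/token?x=1", '
          'scope="openid profile", error="invalid_token"')

if __name__ == "__main__":
    for label, challenge in (("before fix", UNQUOTED), ("after fix", QUOTED)):
        print(label)
        for name, (value, ok) in check_bearer_challenge(challenge).items():
            print(f"  {name:<13} {'ok      ' if ok else 'VIOLATES'} {value}")
```

Running it reports "VIOLATES" for authz_server and scope in the unquoted form and "ok" for every parameter once the values are quoted; error="invalid_token" would also have passed unquoted, because RFC 6749 error codes happen to fit the token rule, which is why only the URI and scope values were at risk in deployed implementations.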