Re: [sipcore] Magnus Westerlund's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - the pull request
Christer Holmberg <christer.holmberg@ericsson.com> Tue, 28 April 2020 08:52 UTC
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 653673A10FD; Tue, 28 Apr 2020 01:52:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.92
X-Spam-Level:
X-Spam-Status: No, score=-2.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_H2=-0.82, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uFqU03IcF7a4; Tue, 28 Apr 2020 01:51:58 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60059.outbound.protection.outlook.com [40.107.6.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06F6A3A10FC; Tue, 28 Apr 2020 01:51:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RW2n4gB2HBFjydh3roxCr49bqqV1LyT7kr2q3sxH1g+7RnJKUJPwY1EXUgk3M7DeVwQ/pI37OH0SVRk76PZ7MHN5UK4Bo3Th4wYD/rr7J67ylPFgZzmQSy2cr2RDrowq+otGl/ckdApFxV1nBFPD5X7lOP7uFhARSohqcwZG82CwcJbe4P5h0DhEsFYxo6IpaCEvXcrenOt0QCAnRlXf4/KVGgg8OgRQp1vHwPY433qyYggH56iw+1pFgiCrCUltQRZEAxFfPrHBwdYmY4bgQNmjdnJ34x3Vb0+FWZg73VfVOqsIGyvtO1KwCoPGAG+91IWq515w5X4BNq9DGUsa0A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IvNIizxbsqZGHNr1tGEIRUoxsWEiCZm/r570bQUkM4M=; b=HOtIr7gONe/ek6FUaZ5eSmdnpwj8p1jtx6Ll/lPICtxKW6SWdcz9WsddyTgOgar/Xrt4pxqDCoQucne39DpFmTE/ZCj/duCTb6rhgy/WsiragsFfJmPTA87eax2eEUJmdroCv/UX2chwxWL9tc4yK9Rqn/FMOnQC+09Mwbh/YGB6s+ktAJxJ3kHZnO2lhWr8yWFQXmUIvaIvP+0sN+GU0stUrrMpUYhfyHyz97ikLKJpVH/wQP/juqB/59z39c5E0T9KCT/3YBpU4GprjzGJVGiqLokrOvLA4tk7FY1p6xZOKXF4IpBMZWHSGnf6a8zuGh3sNzq76LfDBZXcahGBgA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IvNIizxbsqZGHNr1tGEIRUoxsWEiCZm/r570bQUkM4M=; b=jCZFv6vU8x7jLwwjcEdhNlPHY5Jzc/drQ5wmACcWzrH3C4hInCf1fpb4vYbZCTtLu7Qx9ss2bxFRzCNEFa3Ao4FX+nUTtIjahnmSAsYDoon99qH9CaSa63owLRp1nCMuo6XhNTpM6ad4LBd8NmbuRhpJoD5apJJR9KoJBc7dZ1g=
Received: from AM7PR07MB7012.eurprd07.prod.outlook.com (2603:10a6:20b:1bc::19) by AM7PR07MB6389.eurprd07.prod.outlook.com (2603:10a6:20b:134::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2958.14; Tue, 28 Apr 2020 08:51:55 +0000
Received: from AM7PR07MB7012.eurprd07.prod.outlook.com ([fe80::4c:e502:13cf:87a8]) by AM7PR07MB7012.eurprd07.prod.outlook.com ([fe80::4c:e502:13cf:87a8%4]) with mapi id 15.20.2958.014; Tue, 28 Apr 2020 08:51:55 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, "iesg@ietf.org" <iesg@ietf.org>, "pkyzivat@alum.mit.edu" <pkyzivat@alum.mit.edu>
CC: "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "draft-ietf-sipcore-sip-token-authnz@ietf.org" <draft-ietf-sipcore-sip-token-authnz@ietf.org>, "mahoney@nostrum.com" <mahoney@nostrum.com>, "sipcore@ietf.org" <sipcore@ietf.org>
Thread-Topic: Magnus Westerlund's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - the pull request
Thread-Index: AQHWHM0jGFXph8PsA0+ASqfFfMQaaaiON3WAgAA1wwA=
Date: Tue, 28 Apr 2020 08:51:55 +0000
Message-ID: <07CBCA10-4499-4FD1-A75C-97440906432F@ericsson.com>
References: <6BA45301-2E1D-4050-9C13-6B8BA7094B79@ericsson.com> <c674c66606c0c5c080ae749bb1e2c19324009894.camel@ericsson.com>
In-Reply-To: <c674c66606c0c5c080ae749bb1e2c19324009894.camel@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1e.0.191013
authentication-results: ericsson.com; dkim=none (message not signed) header.d=none;ericsson.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [178.55.150.213]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 61bb7570-482c-424d-1592-08d7eb516762
x-ms-traffictypediagnostic: AM7PR07MB6389:|AM7PR07MB6389:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <AM7PR07MB63894AC797760737D3A3D39593AC0@AM7PR07MB6389.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0387D64A71
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM7PR07MB7012.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(136003)(396003)(366004)(376002)(39860400002)(346002)(4326008)(99936003)(316002)(6512007)(71200400001)(478600001)(2616005)(110136005)(966005)(44832011)(81156014)(6486002)(36756003)(8936002)(2906002)(66446008)(64756008)(54906003)(186003)(86362001)(5660300002)(66556008)(66946007)(33656002)(8676002)(6506007)(26005)(66616009)(66476007)(76116006)(21314003); DIR:OUT; SFP:1101;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: M22pCpU6m+2lFnMlHV7nDiaL2b5ASHlNkglNtK5NGBqWt3n1jkwv8vaErw2VcjN7Uptyvk8xt88ZFEWGg51s1ZVvCZIgBcafCqx7GvwB8a6Lx++rdVRnY2qvAy8HA0LIB9RTjoLMzU6OO0Rpm9QDzS3JIUG07VG5zUgIF9SlaWwQFH+c3vP3zA9A0b6WNelLzfT1CWZoVD5L4+4MgNVW0nMaIFC3Mslg8c4EBGQYH//4zKYTqlamxIa/9uxY9Ygw0N+3BpsHF5+/KoUGzYXfIV4n85SKB68WTkxECHM/fPeUe7S3o24OI7h0bA+JJxF1qSxxo+S2EIDObD0CztDn+/iB/dIIoJt+VR6IK91DKWnGbwAVuPExD5J0/TR03S3D5x5dI+c2W7JIaWTCRhbVQhEwcZftx6j6IQ3GbrhaP3jrT9q3mk9HDXhNW6uRFwdUkaHdEKoMOlK5GQbhjU2JkWQS66EaV8fI3ZBHOFoF1GiEFmg1PqHtpDf51tsczScGdA+kBtCnTiRkk0W9+yEKCRRfwhsbon74sO2S3N3qC6tenCMHOxvlGKg2/CPoybY5
x-ms-exchange-antispam-messagedata: e26tS309ryCZq/swk3NiCrULl5JByZ/DW1tTYZWNXimdIMvEzlWuZIgIlUVgSR10BHcKQGO5V6E6+0PWscBp5+QdZ87tvtBBGBZudToJDnZMQnDjIdMR101nfBZdiEPfvXzTCGNaAymP/3pckOnv4KbxeLyHAB02YmNKkKIVsqyCZGFiYKUBkdERK/DanuLg9rZq3opdAQ0TDC3XjYn9fuh66PxXfFR0p1WT8Kvgj18K8y58eztt5zy6Ibzv9i2joMFiljBj/pcNpIn95Eg6Phardlucaf0UjDgarrvb49zWYMoCiWgKVsgFJUj/QMEhbvHC+GmfKfAyVu47a1JmC60+/dP4AxaiDeQ0aQ2FoZ3SkyvRg5peuucRVUH+Xl8+fX4JixssvhvNDqtxFzMfOir6B0CTOgA7P4Q4i0HgXm8JoO2ULfv6hG6yNTHYjzTcXaUQ72L5eCXT5x7TRrGqpodpISNGkhQee3Ii5tiemENyoGJHHXgGFdRA6Db5+ZIj99U+xgmjW3+eefzcT1dXuw86vmT2Rf9SjjZO36rhoIllZ6Vs65L4QMlFBS598qAVv35T83TqXE2VSK1r4Q6zvy/ilziIgSKHp3eXGipz2u+0uR9u5UmiWpLLbv1W+ikCTQRieV6mwwSiLlvMV07VycXyVEVv+M+k/zCO7PONk0fYpcvu+lcUokRj2wLOPTQ7HRk9ioSM0AIdUFfw/u9Nz5eY1dotBV65l3upu6n0nZX5+Onm48u5wpT8uMJPoWpp2QLl+yUPSY8NdWPQFUr9jdGP8EUe7mt6EEWbp8P8a/0=
Content-type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3670919514_1073972943"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 61bb7570-482c-424d-1592-08d7eb516762
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Apr 2020 08:51:55.5006 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ixBKhklsHXsb7TwqZ77JNpLE3LvpboyKT73H3FBoSJ04GKhW6S62dmrkJE+MMMnKv4FUbrp2FOTCYb6LC4ZUxypS4fq9wPfN6Slf9Z/XvvY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR07MB6389
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/eGtIRAGve1vro8UvBuL8L7ZVeng>
Subject: Re: [sipcore] Magnus Westerlund's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - the pull request
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 08:52:01 -0000
Hi Magnus, > I think keeping _ in authz is okay to do, and allowed by the syntax. So if the > WG want to correct this to have it align with the norm or leave it as it is is > up to the WG. > > However, the changes did may wonder one thing about the the inclusion of scope > and error. The ABNF constructs defined in RFC 6749 are only including the value > part. So to my understanding they really should have an parameter-name = value > construct defined. Like this. > > scope-param = "scope" EQUAL DQUOTE scope DQUTE > scope = <defined in RFC6749> > error- > param = "error" EQUAL DQUOTE error DQUOTE > error = <defined in RFC6749> You are right. Good catch! :) > The IANA section looks good. Good :) Fixed in this commit: https://github.com/rifaat-ietf/draft-ietf-sipcore-sip-token-authnz/pull/7/commits/fb8a94084c5ef3490f3e6c2ba2f00550d79fbb2b Regards, Christer On Mon, 2020-04-27 at 19:50 +0000, Christer Holmberg wrote: > Hi, > > The following pull request commits contains the syntax and IANA changes based > on Magnus DISCUSS: > > https://github.com/rifaat-ietf/draft-ietf-sipcore-sip-token-authnz/pull/7/commits/168086b4f1220620d063af07a3292b667e30ef37 > (Syntax) > https://github.com/rifaat-ietf/draft-ietf-sipcore-sip-token-authnz/pull/7/commits/22f810025d1bf8df45875e92e4d4c11d0f574693 > (IANA Considerations) > > Please note the parameter name "authz_server". Following the naming style of > other header field parameters it should perhaps be "authz-server". However, > for backward compatibility I would prefer to not change it at this point. > > Paul, I would appreciate if you could also take a look at these. Thanks! > > Regards, > > Christer > > > > On 23/04/2020, 22.51, "Christer Holmberg" <christer.holmberg@ericsson.com> > wrote: > > Hi Magnus, > > Thank You for the review! Please see inline. > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > > I think these resolution for this is rather straight forward, > however the > > implications of one is going to break deployed implementations. > > > > 1. Section 4: > > > > This is rather straight forward to resolve but you do have a SIP > syntax > > violation in these rules. > > > > challenge =/ ("Bearer" LWS bearer-cln *(COMMA bearer-cln)) > > bearer-cln = realm / scope / authz-server / error / auth-param > > authz-server = "authz_server" EQUAL authz-server-value > > authz-server-value = https-URI > > realm = <defined in RFC3261> > > auth-param = <defined in RFC3261> > > scope = <defined in RFC6749> > > error = <defined in RFC6749> > > https-URI = <defined in RFC7230> > > > > So RFC 3261 defines the Challenge construct as: > > > > challenge = ("Digest" LWS digest-cln *(COMMA digest- > cln)) / other-challenge > > > > Where this extension needs to match the syntax of the other- > challenge: > > > > other-challenge = auth-scheme LWS auth-param *(COMMA auth- > param) > > > > Where we need to look at: > > auth-param = auth-param-name EQUAL ( token / quoted-string > ) > > > > Please note what is included in the "token" rule. > > token = 1*(alphanum / "-" / "." / "!" / "%" / "*" > > / "_" / "+" / "`" / "'" / "~" ) > > > > the allowed syntax for https-URI in RFC 7230 is: > > > > https-URI = "https:" "//" authority path-abempty [ "?" query ] [ > "#" fragment ] > > > > Which include both "/", "?" and "#" that are not allowed in token. > Thus, the > > URI included in the authz-server-value MUST be converted into a > quoted-string > > matching syntax rule. > > You are correct. We currently reference https-URI in RFC 7230, but the > definition in 7230 does not place quotes around it. > > The same applies to scope and error. > > So, we need to fix: > > OLD: > > authz-server = "authz_server" EQUAL authz-server-value > > scope = <defined in RFC6749> > error = <defined in RFC6749> > > NEW: > > authz-server = "authz_server" EQUAL DQUOTE authz-server-value DQUOTE > > scope-cln = DQUOTE scope DQUOTE > scope = <defined in RFC6749> > error-cln = DQUPTE error DQUOTE > error = <defined in RFC6749> > > > (I noted that that Benjamin has some comments regarding the referenced > RFCs for the parameter values, but I will address that in the reply to his > review.) > > > ----- > > > 2. In addition should not the "authz_server" be registered in the > > > https://www.iana.org/assignments/sip-parameters/sip-parameters.xhtml#sip-parameters-12 > > registry? > > I guess so. And, then I guess we also need to register "scope" and > "error". > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > > An additional thing. > > > > Is SIP directly using the HTTP Authentication Schemes IANA registry > > ( > https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml#authschemes > ) > > or does it have its own tucked away somewhere? And if it is the > former, should > > its references for the "bearer" add this RFC as a reference? > > SIP uses the HTTP registry. > > (The SIP registry does register a "digest" value, but that is for the > Security-XXX headers defined in RFC 3329) > > Regards, > > Christer > > > > > -- Cheers Magnus Westerlund ---------------------------------------------------------------------- Networks, Ericsson Research ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Torshamnsgatan 23 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com ----------------------------------------------------------------------
- Re: [sipcore] Magnus Westerlund's Discuss on draf… Christer Holmberg
- Re: [sipcore] Magnus Westerlund's Discuss on draf… Magnus Westerlund
- Re: [sipcore] Magnus Westerlund's Discuss on draf… Christer Holmberg
- Re: [sipcore] Magnus Westerlund's Discuss on draf… Magnus Westerlund
- Re: [sipcore] Magnus Westerlund's Discuss on draf… Christer Holmberg