IETF Logo Mail Archive

Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-authnz

Paul Kyzivat <pkyzivat@alum.mit.edu> Sun, 08 December 2019 22:18 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E67451200F8 for <sipcore@ietfa.amsl.com>; Sun, 8 Dec 2019 14:18:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alum.mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xx0qiX0uRE_4 for <sipcore@ietfa.amsl.com>; Sun, 8 Dec 2019 14:17:59 -0800 (PST)
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12on2059.outbound.protection.outlook.com [40.107.237.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E79971200E9 for <sipcore@ietf.org>; Sun, 8 Dec 2019 14:17:57 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RqtToU+wU36J9iw/9dr8dSFNjCjUxIVF9tQg/dD0Hne5zdMsM7rrjPgmp6YnSO9SyMWghhAqufiag+ZVXj2j07dEzK+ApqL+aGdBDdKl/FctvfMShaJJxxJDKALwJgN1VFrzxPnx8f6TIgecRcXSqKDg0gR+kYGhDep3jSO/qknnO2qMn9LfLZZenfqvHwuzK9ANdwWax4gawHlv8NgbGpGYbu9S5WC35QRKi2kI5c7qC230hpxbMiuQJocgkU1H6LC6hI+M8wfi6Q9zJHQnDBG5q6OTVl1uSvVTYZukDmk4Nc9ek51Po2osKatdHKmakn9Wuo7bp4j1kZEXpqBGrA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1WJmUbgx5gGKdteCW/5m9yfqKLnUYDfYB0VZ43Iu22k=; b=AzRfgqFHp7d/RIudlSQFiqXXOnzbjynYvIGciy1z29nw3WGIc/KizzIWk1yv/yg72n/JWHjq2hxu0t+gXeQSc/YR9+5B2+znYvuTAd/reIRUL9Wc7H4uBQ6iDy/nF5w0AJcdLrJZNJ5niMs9KsNRVo8JCMvc0UKZvdSfVyefpIyYJ2LPq0uGZz/xME4uraFxGnIoIsWcGCfVCTHkfPdGYGpP4piryddcEKWW40WAQX31FdTYHjtn8NGHH4JbroFHUEc1MT8/KBn5X7+ywuGClOZxkrDsryO3shV2AmmNBn8O2CzuwmUuudTjXDsEGDd1+C1M1i7pQ60uUaY/H/W+5g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 18.7.68.33) smtp.rcpttodomain=gmail.com smtp.mailfrom=alum.mit.edu; dmarc=bestguesspass action=none header.from=alum.mit.edu; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alum.mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1WJmUbgx5gGKdteCW/5m9yfqKLnUYDfYB0VZ43Iu22k=; b=Xm7DwBX1Ok/sWwAh30rq3xCqQSW/XpHgu3YSXWfC4VudZlc5oaSbHaulMTN7UE12EPDKrcoKPRgSfkY7Ph6dx+419kBi13hGJPOpJktC888hKya6HSvr4ii9YcImQ6usKxQHrAdEcyecfW6TAC66SP4vgB7IftfPppfAOyN9NJw=
Received: from DM3PR12CA0138.namprd12.prod.outlook.com (2603:10b6:0:51::34) by BN6PR12MB1940.namprd12.prod.outlook.com (2603:10b6:404:fd::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2516.14; Sun, 8 Dec 2019 22:17:54 +0000
Received: from CY1NAM02FT038.eop-nam02.prod.protection.outlook.com (2a01:111:f400:7e45::200) by DM3PR12CA0138.outlook.office365.com (2603:10b6:0:51::34) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2516.12 via Frontend Transport; Sun, 8 Dec 2019 22:17:54 +0000
Authentication-Results: spf=pass (sender IP is 18.7.68.33) smtp.mailfrom=alum.mit.edu; gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=bestguesspass action=none header.from=alum.mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of alum.mit.edu designates 18.7.68.33 as permitted sender) receiver=protection.outlook.com; client-ip=18.7.68.33; helo=outgoing-alum.mit.edu;
Received: from outgoing-alum.mit.edu (18.7.68.33) by CY1NAM02FT038.mail.protection.outlook.com (10.152.74.217) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.26 via Frontend Transport; Sun, 8 Dec 2019 22:17:53 +0000
Received: from Kokiri.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id xB8MHp9C007544 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Sun, 8 Dec 2019 17:17:52 -0500
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>
Cc: "sipcore@ietf.org" <sipcore@ietf.org>
References: <9b7ddc2f-d54a-bbaa-8e56-276c8bed725f@nostrum.com> <d7efa4c6-ac85-58ac-1c6c-5b09d955ab00@alum.mit.edu> <76BD0473-8921-4931-9AEE-1880C3AA6A57@ericsson.com> <CAGL6epLqymO26cY2U=NEGgMXAA6BE+NBf12UtOkkFXxKoWdp-Q@mail.gmail.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <8bc9d0f1-2b13-6ee0-73a5-8056c186b029@alum.mit.edu>
Date: Sun, 08 Dec 2019 17:17:51 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <CAGL6epLqymO26cY2U=NEGgMXAA6BE+NBf12UtOkkFXxKoWdp-Q@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.7.68.33; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10009020)(376002)(136003)(39860400002)(346002)(396003)(51914003)(51444003)(189003)(199004)(65956001)(316002)(31696002)(2870700001)(58126008)(786003)(75432002)(88552002)(50466002)(8676002)(2906002)(110136005)(86362001)(70206006)(246002)(356004)(30864003)(5660300002)(229853002)(66574012)(956004)(26005)(478600001)(31686004)(966005)(2616005)(4326008)(7596002)(336012)(186003)(305945005)(26826003)(8936002)(36906005)(76130400001)(70586007)(76176011)(53546011); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR12MB1940; H:outgoing-alum.mit.edu; FPR:; SPF:Pass; LANG:en; PTR:outgoing-alum.mit.edu; MX:1; A:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 382607e2-bfde-4b0a-118c-08d77c2c7896
X-MS-TrafficTypeDiagnostic: BN6PR12MB1940:
X-Microsoft-Antispam-PRVS: <BN6PR12MB19400AA0C1069F3727EB4A01F9590@BN6PR12MB1940.namprd12.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-Forefront-PRVS: 0245702D7B
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 5xQDr+MUOPmTlOzMcS1LkRynyFNWO/KkTmIiQMH9AFF0ZhRtzeJ7Kz5YZvTmv40Mon9HIyFscEAAKKd5Xpz2BVO2WBDmj+bvhr8YpwW8LC7m9DFooIw4slbv4QOiW1Gfq0X3mVilNhmxZE5oXtSO1affw19uIp3RqiCCe7roX5naCowtto5TMfOVmCgK+wett2Xg6VSD/4XIzGKrSLSfjShbj7LwAVIFPd96C6NUeVMA7gAuSV9t7CJdhiu9mHvKtuEC+qDfWxF0Cw9i61g3vTbj7WgPtSk8i6Q6JMc16p0NE+/+zVGChdicuye/Vp/JXL/q8UqzWiAp2B0Ogx3jbZ1kDtIOZiP5t2n0O6mqsyit5P9UltSydf+EdpSjaIrLan/I8S/GMfYjd/IIuus2l6vJIkX2SnxNQJy86/XliWtg+WOHXscPsox76TSX5+g8RS6INiYDO5ig/4M8Rj3h+RBysfbzixLX3SE7cJOLIRsRybhSugIZWQ45VpiNTrFWTsFaPBGcTzqY5uQZ9ue/IAKmG74FA645sp+8WaQzI13t46LT3IC3eH2HpshcL7Mx
X-OriginatorOrg: alum.mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 Dec 2019 22:17:53.7829 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 382607e2-bfde-4b0a-118c-08d77c2c7896
X-MS-Exchange-CrossTenant-Id: 3326b102-c043-408b-a990-b89e477d582f
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3326b102-c043-408b-a990-b89e477d582f; Ip=[18.7.68.33]; Helo=[outgoing-alum.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR12MB1940
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/f2Jc54f8EJW2c7OUIxZbgUPaqko>
Subject: Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-authnz
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Dec 2019 22:18:03 -0000

Hi Rifaat,

On 12/8/19 7:29 AM, Rifaat Shekh-Yusef wrote:
> Hi Paul,
> 
> Thanks for the detailed review.
> 
> Regarding the
> 
>     My problem with this is: the challenge gives the UAC an HTTPS URL of an
>     AS. It does not normatively state how the UAC is to use this, or what
>     usage(s) the AS MUST support. Hence there is no assurance that the UAC
>     will be able to successfully access the AS.
> 
>     This could be resolved by requiring that the UAC and AS MUST support
>     RFC8252. Or perhaps there is some more expansive RFC that can be
>     referenced. In the end there needs to be something MTI. 
> 
> 
> I think that MUST is too strong in this case. I would be fine with a 
> SHOULD, as there are different ways to achieve this based on the type of 
> UAC, e.g. a browser-based UAC application.
> Thoughts?

I agree there can be variation based on type of UAC. E.g., actually 
using a browser and having the end user interact with it, vs. a UAC that 
is an automaton and doesn't have a user.

But in the end whatever it is must use the URI as the starting point for 
the interaction. With a browser interface presumably the URI is used to 
fetch a page that is presented to the user. And the user then can 
determine in a human intuitive way how to interact with that page to 
complete the authentication. If it is an automaton then that won't work. 
It must have *some* way of determining how to interact with the web 
server and present what facts it has (e.g. user id and pw) to that 
server in order to complete authentication. And in either case, there 
must be a well defined way of learning if it succeeded and conveying the 
resulting token back to the sip server.

RFC8252 seems to try to specify this at least in some cases, though it 
is still fuzzy to me. This should be deterministic - it shouldn't be 
neccessary for an automaton to be specially programmed for how to 
interact with the particular AS and how to convey the result back to the 
sip server.

> Regarding your comment about section 2.1.2, I agree with you; I will 
> move it to its own section.

Moving it to a separate section isn't necessary or sufficient. It needs 
to be clarified.

I'm assuming responses to my other points will be coming later.

	Thanks,
	Paul

> Regards,
>   Rifaat
> 
> 
> 
> On Wed, Dec 4, 2019 at 3:00 AM Christer Holmberg 
> <christer.holmberg=40ericsson.com@dmarc.ietf.org 
> <mailto:40ericsson.com@dmarc.ietf.org>> wrote:
> 
>     Hi Paul,
> 
>     My comments on some of your SIP-related issues (I am not addressing
>     your issues on Sections 2.1.1 and 2.1.2 in this reply).
> 
>      >    * Section 2.1.4:
>      >
>      >    This section says that the UAC MUST include an Authorization
>     header
>      >    field with the Bearer scheme. This is overly strong.
>      >
>      >    This should be an explanation that *if* it has received a
>     challenge
>      >    containing the Bearer scheme then to resolve that particular
>     challenge
>      >    it needs to send a request with an Authorization header field
>     containing
>      >    the response to that challenge, including the Bearer scheme.
> 
>     I suggest that we expand the first paragraph in the section.
>     Something like:
> 
>     "The procedures in this section apply when the UAC has received a
>     challenge that contains a Bearer scheme,
>     and the UAC has obtained a token as specified in section Section 2.1.1."
> 
>      >    (But note that if there were multiple challenges with
>     different schemes
>      >    then it maybe able to successfully retry the request using
>     non-Bearer
>      >    credentials.)
>      >
>      >    I don't understand what distinction you are trying to draw by
>      >    distinguishing the behavior for creating a binding from that for
>      >    refreshing a binding. AFAIK there should be no difference. And
>     in fact
>      >    the UAC in general cannot know whether the request being send
>     will
>      >    establish or refresh a binding.
> 
>     It is important to point out that the same access token might not
>     necessarily be used throughout the lifetime of the registration, if
>     the previously included access token has expired.
> 
>     ---
> 
>      >    * Section 2.1.5:
>      >
>      >    This section has similar issues to section 2.1.4: The MUST is too
>      >    strong, and the reason for distinguishing between in-dialog
>     requests
>      >    from others is unclear.
> 
>     See my comments for 2.1.4.
> 
>     ---
> 
>      >    * Section 2.2:
>      >
>      >    Again is overly strong in its use of MUST. I think it is
>     evident that
>      >    the point being made is that a challenge containing Bearer
>     scheme is the
>      >    way to indicate that is with a challenge with Bearer scheme,
>     but the
>      >    text is at least awkward.
>      >
>      >    How about:
>      >
>      >        When a UAS or Registrar receives a request that fails to
>     contain
>      >        authorization credentials acceptable to it, it SHOULD
>     challenge the
>      >        request by sending a 401 (Unauthorized) response. To
>     indicate that
>      >        it is willing to accept an OAuth2 token as a credential the
>      >        UAS/Registrar MUST include a Proxy-Authentication header
>     field in the
>      >        response, indicate "Bearer" scheme and include an address
>     of an
>      >        Authorization Server from which the originator can obtain
>     an access
>      >        token.
> 
>     WFM.
> 
>      >    In the second paragraph, please provide a reference:
>      >
>      >        ... using the procedures from [RFC???] associated with the
>     type of
>      >        access token used.
> 
>     Ok.
> 
>     ---
> 
>      >    * Section 2.3:
>      >
>      >    Similar comment to section 2.2. How about the following for
>     the first
>      >    paragraph:
>      >
>      >        When a proxy receives a request that fails to contain
>      >        authorization credentials acceptable to it, it SHOULD
>     challenge the
>      >        request by sending a 407 (Proxy Authentication Required)
>     response.
>      >        To indicate that it is willing to accept an OAuth2 token as a
>      >        credential the proxy MUST include a Proxy-Authentication
>      >        header field in the response, indicating "Bearer" scheme and
>      >        including an address to an Authorization Server from which the
>      >        originator can obtain an access token.
> 
>     WFM.
> 
>      >    I don't think the second paragraph should condition any
>     behavior on
>      >    whether it has previously challenged. That requires that the
>     proxy be
>      >    stateful, and it isn't a necessary condition. Instead, how about:
>      >
>      >        When a proxy wishes to authenticate a received request, it
>     MUST
>      >        search the request for Proxy-Authorization header fields
>     with 'realm'
>      >        parameters that match its realm. It then MUST successfully
>     validate
>      >        the credentials from at least one Proxy-Authorization
>     header field
>      >        for its realm. When the scheme is Bearer the proxy MUST
>     validate the
>      >        access token, using the procedures from [RFC???]
>     associated with the
>      >        type of access token used.
> 
>     WFM.
> 
>     ---
> 
>      >    * Section 3:
>      >
>      >    The following:
>      >
>      >        The realm and auth-param parameters are defined in [RFC3261].
>      >
>      >    is incomplete, because it is missing 'challenge', 'realm', and
>      >    'https-URI. (Where is https-URI defined?)
>      >
>      > Another way to do this is by  adding the following to the syntax:
>      >
>      >            challenge = <defined in RFC3261>
>      >            realm = <defined in RFC3261>
>      >            auth-param = <defined in RFC3261>
>      >            scope = <defined in RFC6749>
>      >            error = <defined in RFC6749>
>      >            https-URI = <where???>
>      >
>      >    (This helps those who might try to formally validate the
>     syntax because
>      >    it removes undefined parameters.)
> 
>     The section does enhance 'challenge', so I guess we can add text
>     saying that 'challenge' is defined in RFC 3261.
> 
>     Regarding the other parameters, the text already says where they are
>     defined.
> 
>     Or, are you saying that you want the references in the syntax,
>     rather than in the normative text?
> 
>      >    Also, 'scope' and 'error' are very generic rule names being
>     used in a
>      >    very restricted context. While these are not defined in
>     RFC3261, there
>      >    is the potential conflict with other extensions. I'd recommend
>     using
>      >    more specific terms. E.g.,
>      >
>      >            challenge  =/  ("Bearer" LWS bearer-cln *(COMMA
>     bearer-cln))
>      >            bearer-cln = realm / bearer-scope / authz-server /
>     bearer-error /
>      >                         auth-param
>      >            authz-server = "authz_server" EQUAL authz-server-value
>      >            authz-server-value = https-URI
>      >
>      >            challenge = <defined in RFC3261>
>      >            realm = <defined in RFC3261>
>      >            auth-param = <defined in RFC3261>
>      >            bearer-scope = <defined as scope in RFC6749>
>      >            bearer-error = <defined as error in RFC6749>
>      >            https-URI = <where???>
> 
>     The HTTP WWW-Authenticate header field uses 'error' and 'scope', and
>     I think it would be good to be aligned.
> 
>      >    Regarding the scope parameter:
>      >
>      >    This parameter is conveyed from the registrar to the UAC. But
>     what is
>      >    the UAC to do with it? How does it have any control over the
>     scope of
>      >    the token it gets from the AS? Is the UAC supposed to convey
>     this to the
>      >    AS? If so, how?
> 
>     The UAC will get the scope from the AS, and will forward it towards
>     the UAS/registrar.
> 
>      >    Regarding the error parameter:
>      >
>      >    Is this just intended to be of help in debugging the UAC? Or
>     is it
>      >    expected that the UAC might take some sort of pre-programmed
>     action in
>      >    response? If the latter, how might that work? Is this information
>      >    suitable for presentation to the user?
> 
>     I see no reason why it can't be presented to the user, and I guess
>     the UAC actions depend on what the error code is.
> 
>     However, as the parameter is described in RFC 6749, I don't think we
>     need to repeat that in this draft.
> 
>     ---
> 
>      >    * Section 4:
>      >
>      >    I agree with Dale - I don't see any value in this tag. I tried
>     to search
>      >    for all discussion on the point. The discussion attributes me
>     with
>      >    requesting it, but I don't think I did.
> 
>     It was Olle who requested it.
> 
>     However, I don't see any harm in having it. It allows the UAC to
>     inform proxies/UAS/Registrar whether it supports the bearer scheme.
> 
>     ---
> 
>      >    * Missing:
>      >
>      >    I find no syntax extensions for Authorization and
>     Proxy-Authorization.
>      >    These need to be added.
> 
>     Ok.
> 
>     Regards,
> 
>     Christer
> 
> 
> 
>     _______________________________________________
>     sipcore mailing list
>     sipcore@ietf.org <mailto:sipcore@ietf.org>
>     https://www.ietf.org/mailman/listinfo/sipcore
>

v2.23.0 | Report a Bug | By Email