Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Wed, 10 July 2019 15:53 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, "sipcore@ietf.org" <sipcore@ietf.org>
Thread-Topic: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
Date: Wed, 10 Jul 2019 15:53:17 +0000
Message-ID: <89A28FAE-A25A-4AFF-9A94-91E09FDD6C3B@ericsson.com>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com> <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu> <HE1PR07MB3161D46B4A44FC7E789ADDB893F10@HE1PR07MB3161.eurprd07.prod.outlook.com> <4a9787e5-b5e2-bc08-0fa0-fae6bd44148d@alum.mit.edu> <527F4C39-F065-4335-A939-6D443F1801E7@ericsson.com> <5bb63c0c-130d-7f69-10b0-1ed1b274cc58@alum.mit.edu> <87AD4BB8-CE77-4FD7-BB72-6643DF513058@ericsson.com> <168b1354-b35b-edee-e5f9-d4ddbecfae40@alum.mit.edu> <607A513F-8616-4777-8B5E-59390E845709@ericsson.com> <b6ca4c79-5a17-10da-3882-20bc8b0e9b98@alum.mit.edu>
In-Reply-To: <b6ca4c79-5a17-10da-3882-20bc8b0e9b98@alum.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/gjeR2GoN-SAOA39PxK9T6afX4jM>
List-Id: SIP Core Working Group <sipcore.ietf.org>

Hi,

>> OAuth allows you to re-use the token as many times as you want (until it expires) for the same service. So, for SIP, re-using the token in binding refresh REGISTER requests is fine.
>> 
>> But, you should not re-use a token you got for one "service" (e.g., your registration authentication) with another "service" (e.g., user-to-user authentication for a SIP call). It most likely wouldn't even work.
>
>    Is the token somehow bound to the "registration service"? (Whatever that is.)
>
>    ISTM that the token is bound to the parameters from www-authenticate that
>    were used in the process of obtaining the token. And so presumably the
>    token should be applicable to any other use that provokes a
>    www-authenticate with the same values of those parameters.

Yes.

>    So, if I use a token in REGISTER, and then I do a SUBSCRIBE and get 
>    challenged the same way I would expect to use the same token for that. 
>    And I might decide to preemptively use the same token in the SUBSCRIBE 
>    if it is being sent to the same target.

Yes.

>    Based on analogies to Digest, I would expect that after receiving a 
>    Bearer challenge and fetching a matching token I would then add that 
>    token to a key ring, indexed by some (which?) of the parameters from the 
>    www-authenticate. And then in the future for new requests I would look 
>    on the key ring for keys (credentials/tokens) suitable for use on this 
>    request. (When doing this I might find either Digest or Bearer 
>    credentials, or maybe both.)
>
>    Am I missing something?

No.

In the case you describe, you should be able to use the same token.

All I am saying is that one should not send a token to someone that it has NOT been issued for.

Regards,

Christer
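The key ring Paul describes, as an added example that is not part of this thread or of the draft: credentials are indexed by the challenge parameters they were obtained for (assumed here to be the scheme, realm and authz_server of the WWW-Authenticate header; parameter names are assumptions, as is the constructed sample data), so a token is reused for a REGISTER refresh or a SUBSCRIBE challenged the same way, is never handed to a realm it was not issued for, and is dropped once it expires. Digest credentials share the same ring, so a preemptive lookup for a target may return both kinds.

```python
import re
import time
from dataclasses import dataclass

# Parameter list of a SIP WWW-Authenticate challenge, e.g.
#   Bearer realm="example.com", authz_server="https://as.example.com", scope="sip"
_PARAM_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')

def parse_challenge(header):
    """Split a challenge into (scheme, {param: value}); names are case-folded."""
    scheme, _, params = header.strip().partition(" ")
    return scheme, {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
                    for m in _PARAM_RE.finditer(params)}

def key_for(scheme, params):
    # Assumption: scheme, realm and authz_server identify the "service" a
    # credential was issued for; scope is deliberately not part of the key.
    return (scheme.lower(), params.get("realm", "").lower(), params.get("authz_server", ""))

@dataclass
class Credential:
    scheme: str
    secret: str        # bearer token, or the Digest password
    expires_at: float

class KeyRing:
    def __init__(self):
        self._ring = {}

    def store(self, challenge, secret, ttl, now=None):
        scheme, params = parse_challenge(challenge)
        now = time.time() if now is None else now
        self._ring[key_for(scheme, params)] = Credential(scheme, secret, now + ttl)

    def _live(self, key, now):
        cred = self._ring.get(key)
        if cred is not None and cred.expires_at <= now:
            del self._ring[key]          # expired: drop it rather than resend it
            cred = None
        return cred

    def lookup(self, challenge, now=None):
        """Credential for a new challenge, only if one was issued for the same key."""
        scheme, params = parse_challenge(challenge)
        cred = self._live(key_for(scheme, params), time.time() if now is None else now)
        return None if cred is None else (cred.scheme, cred.secret)

    def for_target(self, realm, now=None):
        """Preemptive use: every unexpired credential held for this realm, any scheme."""
        now = time.time() if now is None else now
        keys = [k for k in self._ring if k[1] == realm.lower()]
        return [(c.scheme, c.secret) for c in (self._live(k, now) for k in keys) if c]
```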