Re: [sipcore] Magnus Westerlund's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT)

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 23 April 2020 19:51 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-sipcore-sip-token-authnz@ietf.org" <draft-ietf-sipcore-sip-token-authnz@ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "sipcore@ietf.org" <sipcore@ietf.org>, Jean Mahoney <mahoney@nostrum.com>
Date: Thu, 23 Apr 2020 19:51:43 +0000
Message-ID: <2927EF2C-8BF7-44EB-ABEB-63BD52EE9ADC@ericsson.com>
References: <158764958890.26081.9155918989165894263@ietfa.amsl.com>
In-Reply-To: <158764958890.26081.9155918989165894263@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/qOcDFJxBBIaQKjpsY1rFsyIO03Y>

Hi Magnus,

Thank You for the review! Please see inline.

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

> I think the resolution for this is rather straightforward; however, the
> implications of one are going to break deployed implementations.
>
> 1. Section 4:
>
> This is rather straightforward to resolve, but you do have a SIP syntax
> violation in these rules.
>
>       challenge  =/  ("Bearer" LWS bearer-cln *(COMMA bearer-cln))
>       bearer-cln = realm / scope / authz-server / error / auth-param
>       authz-server = "authz_server" EQUAL authz-server-value
>       authz-server-value = https-URI
>       realm = <defined in RFC3261>
>       auth-param = <defined in RFC3261>
>       scope = <defined in RFC6749>
>       error = <defined in RFC6749>
>       https-URI = <defined in RFC7230>
>
> So RFC 3261 defines the challenge construct as:
>
>       challenge           =  ("Digest" LWS digest-cln *(COMMA digest-cln))  / other-challenge
>
> Where this extension needs to match the syntax of the other-challenge:
>
>       other-challenge     =  auth-scheme LWS auth-param  *(COMMA auth-param)
>
> Where we need to look at:
>
>       auth-param        =  auth-param-name EQUAL  ( token / quoted-string )
>
> Please note what is included in the "token" rule.
>
>       token       =  1*(alphanum / "-" / "." / "!" / "%" / "*"
>                      / "_" / "+" / "`" / "'" / "~" )
>
> The allowed syntax for https-URI in RFC 7230 is:
>
>       https-URI = "https:" "//" authority path-abempty [ "?" query ]  [ "#" fragment ]
>
> which includes "/", "?" and "#", none of which are allowed in token. Thus, the
> URI included in the authz-server-value MUST be converted into a quoted-string
> to match the syntax rule.

You are correct. We currently reference https-URI in RFC 7230, but the definition in 7230 does not place quotes around it.

The same applies to scope and error.

So, we need to fix:

OLD:

     authz-server = "authz_server" EQUAL authz-server-value

     scope = <defined in RFC6749>
     error = <defined in RFC6749>

NEW:

     authz-server = "authz_server" EQUAL DQUOTE authz-server-value DQUOTE

     scope-cln = DQUOTE scope DQUOTE
     scope = <defined in RFC6749>
     error-cln = DQUOTE error DQUOTE
     error = <defined in RFC6749>


(I noted that Benjamin has some comments regarding the referenced RFCs for the parameter values, but I will address that in the reply to his review.)


-----

> 2. In addition, should not the "authz_server" be registered in the
> https://www.iana.org/assignments/sip-parameters/sip-parameters.xhtml#sip-parameters-12
> registry?

I guess so. And then I guess we also need to register "scope" and "error".

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

> An additional thing.
>
> Is SIP directly using the HTTP Authentication Schemes IANA registry
> (https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml#authschemes)
> or does it have its own tucked away somewhere? And if it is the former, should
> its references for the "bearer" add this RFC as a reference?

SIP uses the HTTP registry.

(The SIP registry does register a "digest" value, but that is for the Security-XXX headers defined in RFC 3329.)

Regards,

Christer
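As an added illustration of the syntax point in the DISCUSS (example code, not part of this email, the draft, or any SIP stack): a small parser that applies RFC 3261's `auth-param = auth-param-name EQUAL ( token / quoted-string )` rule to a Bearer challenge. It accepts the quoted `authz_server` form proposed above and rejects the unquoted https-URI, whose `token` ends at the first ":" so the parser finds neither a COMMA nor the end of the header. The header values are constructed for the example.

```python
import re
# RFC 3261 token: 1*(alphanum / "-" / "." / "!" / "%" / "*" / "_" / "+" / "`" / "'" / "~")
TOKEN_RE = re.compile(r"[A-Za-z0-9\-.!%*_+`'~]+")
# RFC 3261 quoted-string, simplified: no line folding; backslash quoted-pairs allowed
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def is_token(value: str) -> bool:
    """True if the whole value satisfies the token rule, i.e. it may appear unquoted."""
    return TOKEN_RE.fullmatch(value) is not None

def parse_auth_params(s: str) -> dict:
    """Parse auth-param *(COMMA auth-param) with value = token / quoted-string.
    An unquoted https-URI fails here: the token ends at ':' and no COMMA follows."""
    params, pos, n = {}, 0, len(s)
    def skip_ws(p):  # LWS between elements
        while p < n and s[p] in " \t":
            p += 1
        return p

    while pos < n:
        m = TOKEN_RE.match(s, skip_ws(pos))
        if not m:
            raise ValueError(f"expected auth-param-name at offset {pos}")
        name, pos = m.group(0), skip_ws(m.end())
        if pos >= n or s[pos] != "=":
            raise ValueError(f"expected EQUAL after {name!r}")
        pos = skip_ws(pos + 1)
        m = QUOTED_RE.match(s, pos)
        if m:
            value = m.group(1).replace('\\"', '"')  # undo quoted-pair for '"'
        else:
            m = TOKEN_RE.match(s, pos)
            if not m:
                raise ValueError(f"value of {name!r} is neither token nor quoted-string")
            value = m.group(0)
        params[name] = value
        pos = skip_ws(m.end())
        if pos < n:
            if s[pos] != ",":
                raise ValueError(f"value of {name!r} is not a token: {s[pos]!r} at offset {pos}")
            pos += 1
    return params

def parse_bearer_challenge(header: str) -> dict:
    """challenge =/ ("Bearer" LWS bearer-cln *(COMMA bearer-cln)); returns the params."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"not a Bearer challenge: {scheme!r}")
    return parse_auth_params(rest.strip())
```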