Re: [sipcore] WGLC draft-ietf-sipcore-sip-token-authnz

Christer Holmberg <christer.holmberg@ericsson.com> Fri, 13 December 2019 18:49 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
CC: "sipcore@ietf.org" <sipcore@ietf.org>, Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>
Date: Fri, 13 Dec 2019 18:49:31 +0000
Message-ID: <2A861C17-7D03-49FF-A0AA-D9BD31D3E2A4@ericsson.com>
References: <9b7ddc2f-d54a-bbaa-8e56-276c8bed725f@nostrum.com> <d7efa4c6-ac85-58ac-1c6c-5b09d955ab00@alum.mit.edu> <76BD0473-8921-4931-9AEE-1880C3AA6A57@ericsson.com> <CAGL6epLqymO26cY2U=NEGgMXAA6BE+NBf12UtOkkFXxKoWdp-Q@mail.gmail.com> <8bc9d0f1-2b13-6ee0-73a5-8056c186b029@alum.mit.edu> <CAGL6epLcv-Y+u86RgWvLuzRoNKaviF-8Uv7R52Okd_zxyi_0jA@mail.gmail.com> <797824da-fbd0-666b-67b1-51b510af19ac@alum.mit.edu>
In-Reply-To: <797824da-fbd0-666b-67b1-51b510af19ac@alum.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/sWnV_ZuURjAsrAa_vGRTksMHIs4>

Hi Paul,

...

> I know very little about web development, and so I found
> draft-ietf-oauth-browser-based-apps very difficult to understand. But
> based on that I think I realize a bit of where it is coming from:
>
> With a browser based web app, the code running in the browser may be
> provided by the web app it is talking to. In that case they can have
> customized implicit knowledge of the inner workings of each other and
> the mechanics of the interaction between the two need not be standardized.
>
> The question is, what does that have to do with sip? Are you imagining a
> case where there is a browser based sip client that has been served to
> the browser by a web server that has implicit knowledge of the workings
> of the sip registrar?

I am not sure what "workings of the sip registrar" you are referring to.

The user/application obviously needs to support at least one of the OAuth application server providers used by the registrar. If it doesn't, authentication will fail. That is normal behavior for web applications. However, when a user makes a contract with the registrar operator, the user will normally be told which application server providers are supported by the operator.

> My concern is driven by an expectation that sip client MAY be an
> independent entity that has no knowledge of the workings of the sip server.
>
> In that case the *only* knowledge it has in support of authentication is
> what comes in the authorization challenge.

It doesn't need to know more.

> That MUST be sufficient information, together with information it can get by asking the end user
> in realtime, to complete the authentication and successfully retry the request with proper credentials.
> As far as SDP is concerned, the only format is 'webrtc-datachannel'.

It gets that information in the 401/407 response. The HTTPS URI indicates which application server provider is used, so the application can query the credentials associated with that application server and perform the OAuth procedures with the application server.

> I get the impression (though I am far from sure) that you are trying to
> cover cases where the sip server assumes that the client has been custom
> implemented to work with that server. If so, I don't think that is an
> appropriate stance for a sip standard.

The server only assumes that the client supports OAuth - which the client can indicate using the media feature tag.

Regards,

Christer
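An added example (not from the thread or from the draft) of the client-side handling Christer describes: a Python parser that pulls the Bearer challenge out of a SIP 401/407 response, and a check that the authorization server URI it names is HTTPS and belongs to one of the providers the user was told the operator supports, so the client never sends credentials to a server named by an unexpected challenge. The `authz_server` parameter name is the one used in the published RFC 8898 and is an assumption here relative to the draft text under discussion; the 401 response is constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample 401 (not from the thread). Parameter names follow the
# published RFC 8898 style; authz_server is an assumption relative to the draft.
SAMPLE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/TLS client.example.com;branch=z9hG4bK776asdhds\r\n"
    "To: <sip:alice@example.com>;tag=1410948204\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    'WWW-Authenticate: Bearer realm="example.com",\r\n'
    ' authz_server="https://as.example.com/authorize", scope="sip"\r\n'
    "Content-Length: 0\r\n\r\n"
)

# name=value pairs in quoted-string or token form
PARAM_RE = re.compile(r'([A-Za-z_][\w-]*)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_bearer_challenge(response):
    """Return the parameters of the first Bearer challenge found in a
    WWW-Authenticate or Proxy-Authenticate header, or {} if there is none."""
    head = response.split("\r\n\r\n", 1)[0]
    # Unfold header continuation lines (CRLF followed by whitespace).
    unfolded = re.sub(r"\r\n[ \t]+", " ", head)
    for line in unfolded.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("www-authenticate", "proxy-authenticate"):
            continue
        scheme, _, params = value.strip().partition(" ")
        if scheme.lower() == "bearer":
            return {k.lower(): (q if q else t) for k, q, t in PARAM_RE.findall(params)}
    return {}


def select_authz_server(challenge, trusted_hosts):
    """Accept the challenge's authorization server only if it is an HTTPS URI
    whose host is one of the providers the user agreed on with the operator.
    Anything else returns None, and the client should not send credentials."""
    uri = challenge.get("authz_server")
    if not uri:
        return None
    parts = urlsplit(uri)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    if parts.hostname.lower() not in {h.lower() for h in trusted_hosts}:
        return None
    return uri
```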