IETF Logo Mail Archive

Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Paul Kyzivat <pkyzivat@alum.mit.edu> Mon, 08 July 2019 22:45 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83518120048 for <sipcore@ietfa.amsl.com>; Mon, 8 Jul 2019 15:45:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ALdvwQaP0kZ4 for <sipcore@ietfa.amsl.com>; Mon, 8 Jul 2019 15:45:43 -0700 (PDT)
Received: from outgoing-alum.mit.edu (outgoing-alum.mit.edu [18.7.68.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F3B5120335 for <sipcore@ietf.org>; Mon, 8 Jul 2019 15:45:43 -0700 (PDT)
Received: from PaulKyzivatsMBP.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id x68MjbjD027745 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Mon, 8 Jul 2019 18:45:38 -0400
To: Christer Holmberg <christer.holmberg@ericsson.com>, "sipcore@ietf.org" <sipcore@ietf.org>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu> <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <68ed93ae-57df-6bc7-774b-47959417abda@alum.mit.edu>
Date: Mon, 08 Jul 2019 18:45:37 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
MIME-Version: 1.0
In-Reply-To: <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/tPQOjUSVd7hLLOo-QgeRvwnx4xc>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2019 22:45:56 -0000

On 7/8/19 3:30 PM, Christer Holmberg wrote:
> Hi,
> 
>> * Regarding WWW-Authenticate:
>>
>> I believe it will how be possible for a server to support both Digest and Bearer. I think this means that the client
>> can use either depending on what sort of credentials it or its user happen to know.
>>
>> I think it would be good to mention this. I guess in principle the client could return credentials for both. In that case, I don't
>> know whether both must be valid or if it is sufficient for one to be valid.
>> Perhaps we need to discuss that. (Presumably only credentials for a/the realm that the server supports are to
>> be considered, with those for other realms being ignored.)
> 
> I think that is outside the scope of the draft. There could be multiple variants of multiple challenges.
> 
> And, RFC 3261 already talks generally about multiple challenges. I do think some of the 3261 text could be improved and clarified, but that should be done as a separate task.

While I agree in principle that this is in some sense independent of the 
individual schemes, Bearer is what pushes this from one to two, which is 
when the issue appears. So IMO it makes sense to say something about it 
here. Saying that it *ought* to be in 3261 is fine, but in practice that 
is simply saying that it isn't going to be considered at all.

>> * Regarding non-registration requests (and maybe registration requests too):
>>
>>     The UA MUST NOT insert a token in a non-REGISTER request, unless the
>>     non-REGISTER request has been challenged, or the peer is considered a
>>     trusted entity.
>>
>> What is a trusted entity?
> 
> I asked that to be added, but it can be removed.
> 
>> In any case I think this is too strong. Once a request has been challenged the client knows this target wants the credentials.
>> We certainly don't want to force every subsequent request to the same target to take two round trips, one without credentials
>> and then one with. So the client needs to associate these credentials with this target, for awhile. But that begs the question of
>> how long to retain this association. In the case of Digest, a nonce eventually expires and the old credentials fail and get forgotten
>> and replaced by new ones. I guess the life cycle will be somewhat different for Bearer.
>> This needs some thought and discussion.
> 
>  From a generic perspective I think 3261 should describe how credentials are provided in subsequent requests.

See my comment above on what ought to go in 3261.

> As far as tokens are concerned, I am not sure it's within the scope of this draft to define the lifetime of token credentials, as they are not SIP specific.

I'm not too much concerned with the *lifetime* of the token, since that 
will pretty much take care of itself. (When it exceeds its lifetime it 
will stop working.)

But I suspect there might be security concerns here, and that they may 
be different from those that apply to Digest.

It *may* be that it would be fine to include the token in every request, 
regardless of target - that doing so won't cause any security concerns. 
Conversely, that might not be so.

IIUC, similar tokens are used for single-signon, so perhaps there are 
guidelines that can be repurposed for use here. But I think *something* 
needs to be said or else implementors won't know what to do and the 
result will be interop problems.

> Having said that, I DO agree with you that the current came out too strong - and wrong: my intention was to say that credentials from a REGISTER request are not placed in a non-REGISTER request.
> 
> BUT, if a non-REGISTER requests gets challenged, we should allow the client to include the credentials in subsequent non-REGISTER requests - at least within the same session (in case of session related requests).

ISTM that is also too strong. If I used a token for REGISTER, and then I 
do something else (e.g., SUBSCRIBE) with the same server, then it should 
be fine to use it in other requests directed to the same server. And 
possibly to other servers as well. You seem to be assuming that 
credentials for registration are somehow different from credentials for 
other things. It is up to the servers in question to decide that, not 
this protocol document.

	Thanks,
	Paul

v2.23.0 | Report a Bug | By Email