Re: [sipcore] draft-ietf-sipcore-sip-token-authnz-07.txt broader issues
Paul Kyzivat <pkyzivat@alum.mit.edu> Wed, 15 January 2020 20:12 UTC
Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F76C120935 for <sipcore@ietfa.amsl.com>; Wed, 15 Jan 2020 12:12:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alum.mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ixQsxstneZfm for <sipcore@ietfa.amsl.com>; Wed, 15 Jan 2020 12:12:53 -0800 (PST)
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12on2073.outbound.protection.outlook.com [40.107.237.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CE7E1208EA for <sipcore@ietf.org>; Wed, 15 Jan 2020 12:12:53 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RzVeq+CQRcYoxhCTTMLWFdwq1Q0qj1ujJL21Hg1BbstKWCvoSutfzZKJBrdNqbKor7qudlH8+ccI6VFTU0Ukrcmx+OiRwlNxVCsXIUVv3GTzE6JfN6AdkvB5aG6UPnsSzr4A+7uqce3GGp8BykvB9Qu1XWvhZKd6vBNQl4eHpEpyFOUgpANvzmJprDfe9HxZtpM72QW9CapvpQYQhvUytbthYY3B/Ihpf80uOUyRuWrFy9dyBOAvQoZFqRI3ppGs4/tkRefH1YsLf/l72afuAVMSBqKLUaH+bRfrvmGUbZ5PuNatO0Z9hCqBhCXOUrjIANq5ZoL0NOcB7nDWKdwBUQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MIS4VQD5ydQ1DpjL2jTpSrcvXJboEfR7I3m5Eno2ddc=; b=eWcEh1S0br5gNmOhOUVlcOOYiAf4W+GNRjiTge3Wl59WGMxjkmZ+bDoHMxUQeQZMa6CUR6ThyQ4nY0sRMMUvquEF+D/4zVHEACLaMJJ3WXiOVkZI2Gg9nSG5NQwT76AodjQpAbMu8DC4zVddP8lR5f1NvZJxmMmyrPVZhKRED9aumzSH+aqwX2I+pAASO8fw3HHQQIBSRmtmDsWPA9LQF32GwFAIK1yxYGqfl6X3VMB42GE7uXLHeYgRQm1Ow5Lp5jYZcs18M2NpxiD8q749nyWrVhHrjj+a+lzrTwyUjkZnNT+0tuKXDnDksOQM179oyAZbi9Jt3PRibDsFmOeYEg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 18.7.68.33) smtp.rcpttodomain=ietf.org smtp.mailfrom=alum.mit.edu; dmarc=bestguesspass action=none header.from=alum.mit.edu; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alum.mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MIS4VQD5ydQ1DpjL2jTpSrcvXJboEfR7I3m5Eno2ddc=; b=YSSP+hdTBNKA53AHLadkG8jgMzm9U1SyuIQ61rn2BpQc9VfV5v3E7Ki4pS4Xin+O13M0kSU0neyBm7aL+xeaUlSURdYb5NjsivHTAgCTHkLhhJ54RznfgupeDD4N3DHkNPHZR8852wW6ICl7kpNkdTBGRlVAGdppHTa5kkh590c=
Received: from MWHPR12CA0062.namprd12.prod.outlook.com (2603:10b6:300:103::24) by BN6PR12MB1732.namprd12.prod.outlook.com (2603:10b6:404:107::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2623.14; Wed, 15 Jan 2020 20:12:51 +0000
Received: from SN1NAM02FT044.eop-nam02.prod.protection.outlook.com (2a01:111:f400:7e44::200) by MWHPR12CA0062.outlook.office365.com (2603:10b6:300:103::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.20 via Frontend Transport; Wed, 15 Jan 2020 20:12:51 +0000
Authentication-Results: spf=pass (sender IP is 18.7.68.33) smtp.mailfrom=alum.mit.edu; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=alum.mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of alum.mit.edu designates 18.7.68.33 as permitted sender) receiver=protection.outlook.com; client-ip=18.7.68.33; helo=outgoing-alum.mit.edu;
Received: from outgoing-alum.mit.edu (18.7.68.33) by SN1NAM02FT044.mail.protection.outlook.com (10.152.72.173) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.19 via Frontend Transport; Wed, 15 Jan 2020 20:12:49 +0000
Received: from Kokiri.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id 00FKClaw009893 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for <sipcore@ietf.org>; Wed, 15 Jan 2020 15:12:48 -0500
To: sipcore@ietf.org
References: <157911000899.29206.8478750155091458002@ietfa.amsl.com> <CAGL6ep+tO4baa221T3RZDV-XjBGeSaj0XpJD-cg-x=4caQyYjw@mail.gmail.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <455440fa-3631-0ecb-a44f-85895b40c04b@alum.mit.edu>
Date: Wed, 15 Jan 2020 15:12:47 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <CAGL6ep+tO4baa221T3RZDV-XjBGeSaj0XpJD-cg-x=4caQyYjw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.7.68.33; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10009020)(39860400002)(136003)(396003)(376002)(346002)(199004)(189003)(7596002)(316002)(478600001)(75432002)(186003)(786003)(966005)(66574012)(36906005)(956004)(336012)(5660300002)(26826003)(246002)(53546011)(6916009)(70586007)(8936002)(356004)(31686004)(86362001)(70206006)(26005)(2906002)(2616005)(8676002)(31696002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR12MB1732; H:outgoing-alum.mit.edu; FPR:; SPF:Pass; LANG:en; PTR:outgoing-alum.mit.edu; A:1; MX:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 3fa3d07d-88e5-48ed-282c-08d799f74b5f
X-MS-TrafficTypeDiagnostic: BN6PR12MB1732:
X-Microsoft-Antispam-PRVS: <BN6PR12MB1732FA43FDA9B4F136B0618CF9370@BN6PR12MB1732.namprd12.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-Forefront-PRVS: 02830F0362
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: GQqds7va2sNYVXxT1R27BOZYk4R0F/SoduDaQ325jAiQK4pI6jNnD1qVwEhK9Qb6K0yYgbN4gnBoRc87gLAdUk5npNjKOjZIxanqu2qS6z+UmM6j1Y4cTGS8Ar4r7wEyXxnyAHEldhcGfmBXpqQlps9YUyNo7vKKPDiu6OCVJ1QACbtCOcPNrhNAsfEI7QHAn9s3BK1k4pi2Yd7NA7+KyIq6mtv0lrISHOsePGzY6yYrS0fhgSoKRnL+QavAA/RzAQMEfBFTo+kz+K6VLPTjJwbKhCRciaQ6ajeb79Pl8IOnkwBfvSQ50HWH4GFRyTmXF8Yng3VuGSzmN31FxuKDd9713mhVdViwOr92zIfyirmJFLVgQZNslHkPtGEqTOmWaMWEE4alhjRM/0GGjhIOnWA1ns6ID9exjUb/INxxOC124MsfsOude+2STyqLctfkoSPQzirTDTqc7r+SEKYSvTM92HKBk9KDuqI8mEuqO+mYKG961TTdxEM7BGXqEIOFld82tIVVuW7CLvLEmND+jA==
X-OriginatorOrg: alum.mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Jan 2020 20:12:49.5292 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 3fa3d07d-88e5-48ed-282c-08d799f74b5f
X-MS-Exchange-CrossTenant-Id: 3326b102-c043-408b-a990-b89e477d582f
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3326b102-c043-408b-a990-b89e477d582f; Ip=[18.7.68.33]; Helo=[outgoing-alum.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR12MB1732
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/u4HluTl5uPOACB3YY8bFZX_p6xk>
Subject: Re: [sipcore] draft-ietf-sipcore-sip-token-authnz-07.txt broader issues
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jan 2020 20:12:56 -0000
While reviewing this new version I began to wonder if the general procedures for authentication in sip are sufficiently clear and unambiguous. This isn't strictly an issue for this draft, but because this draft introduces a new authentication scheme along side digest it has the potential to aggravate thee issues. ISTM that without answers to these issues it will be difficult to deploy this new token authnz draft. But that draft may not be the appropriate place to answer them. I'd like to hear what others here think is the proper way to deal with this. My general issue is what to do when, while trying to send a request, a UAC receives authorization challenges for multiple schemes and/or multiple realms. This can potentially occur in a single 401 response, a single 407 response, or some combination of 407 and 401 responses. Note that a forking proxy may aggregate 401 and 407 responses from multiple forks and pass the multiple WWW-Authenticate and Proxy-Authenticate responses back to the UAC. How the UAC deals with this is also at issue. Also, if there are multiple authenticating proxies on an unforked path from UAC to UAS, then the UAC will receive the challenges one at a time. The request will only reach a subsequent proxy after the request is sent with adequate credentials for every early proxy in the change. Note that this means that the UAC must remember to include the credentials from earlier challenges when retrying after a subsequent challenge because that subsequent challenge won't include the earlier challenges. (1) is it valid for a single UAS or proxy to issue concurrent challenges specifying differing schemes? I believe it is or should be. (2) is it valid for a single UAS or proxy to issue concurrent challenges on its own behalf specifying differing realms? I'm not sure if this makes sense or not. (This is distinct from a forking proxy aggregating downstream challenges.) (3) If a UAS or proxy does issue concurrent challenges specifying differing schemes, how is the UAC expected to successfully respond? Is the UAC expected to respond with credentials for *each* scheme, or is it sufficient to respond to one of them? I am inclined to think that the different schemes should be considered alternatives, so that it is sufficient to respond to one of them. At least in the case where they are for the same realm. It may be more confusing if they are for differing realms. (4) If multiple UASs and/or proxies claim the same realm then are they expected to accept the same credentials? I think this must be so, else the user and UAC won't be able to sort out what credential to use for a given challenge. Generally, ISTM that the UAC should group challenges by realm, attempting to obtain a single set of credentials for each realm. If there is more than one realm mentioned in the response, then it should obtain a set of credentials for each. And then, if there 407 responses to prior attempts to send this same request then the credentials chosen for them should also be included in this retry. What do others think about this? Do you think this is sufficiently specified in existing RFCs? If so, can you explain this? Thanks, Paul On 1/15/20 12:42 PM, Rifaat Shekh-Yusef wrote: > All, > > We have just submitted a new version of the document that hopefully > addresses all the comments received so far. > Please, take a look and let us know what you think. > > Regards, > Rifaat > > > On Wed, Jan 15, 2020 at 12:40 PM <internet-drafts@ietf.org > <mailto:internet-drafts@ietf.org>> wrote: > > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the Session Initiation Protocol Core WG > of the IETF. > > Title : Third-Party Token-based Authentication > and Authorization for Session Initiation Protocol (SIP) > Authors : Rifaat Shekh-Yusef > Christer Holmberg > Victor Pascual > Filename : draft-ietf-sipcore-sip-token-authnz-07.txt > Pages : 14 > Date : 2020-01-15 > > Abstract: > This document defines a SIP mechanism that relies on the OAuth 2.0 > and OpenID Connect Core 1.0 to enable delegation of the user > authentication and SIP registration authorization to a third-party. > The document updates RFC 3261. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-sipcore-sip-token-authnz/ > > There are also htmlized versions available at: > https://tools.ietf.org/html/draft-ietf-sipcore-sip-token-authnz-07 > https://datatracker.ietf..org/doc/html/draft-ietf-sipcore-sip-token-authnz-07 > <https://datatracker.ietf.org/doc/html/draft-ietf-sipcore-sip-token-authnz-07> > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-sipcore-sip-token-authnz-07 > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org > <http://tools.ietf.org>. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > _______________________________________________ > sipcore mailing list > sipcore@ietf.org <mailto:sipcore@ietf.org> > https://www.ietf.org/mailman/listinfo/sipcore > > > _______________________________________________ > sipcore mailing list > sipcore@ietf.org > https://www.ietf.org/mailman/listinfo/sipcore >
- [sipcore] I-D Action: draft-ietf-sipcore-sip-toke… internet-drafts
- Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-… Rifaat Shekh-Yusef
- Re: [sipcore] draft-ietf-sipcore-sip-token-authnz… Paul Kyzivat
- Re: [sipcore] draft-ietf-sipcore-sip-token-authnz… Christer Holmberg