IETF Logo Mail Archive

Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13 - DISCUSS Reply

Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Sat, 25 April 2020 12:58 UTC

Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50AA03A0D96; Sat, 25 Apr 2020 05:58:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kb9IcJT-XHa4; Sat, 25 Apr 2020 05:58:03 -0700 (PDT)
Received: from mail-il1-x143.google.com (mail-il1-x143.google.com [IPv6:2607:f8b0:4864:20::143]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 585823A0BA9; Sat, 25 Apr 2020 05:58:03 -0700 (PDT)
Received: by mail-il1-x143.google.com with SMTP id u5so12000200ilb.5; Sat, 25 Apr 2020 05:58:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mkCLF7zVVmKzF4faSY/9cyLIQU8eZjYkOZThnHraRpo=; b=Z1Jt583BVdDxQ24SA5w5Ec+Qb5h9hLAfM7RoG8dRaQQBTesTzdBzA4ZudEKPTAp0w1 ietZfe+rhKt2VAQ6zD8Q0WE38rZsxmZZ+jY89x8yppcjTJJCS90Ktd/u915ig66IIN8E Xhmukbx6N1bcP5obzL67ng0m3YjjE3a0md3MY5ledvUNDdi19LKoBEtuIRvOo4sbiTOK Y2/tPSvG3mPiWxxsmvrIwqIX5Bs01iGrqVZceNvADdO7IENO5r8EXw8aHdYMLn4HLipL /PoH2CrJYRj5jwv6LIRXyIP3CdEhMTDcjXleKE8E6jSeHjE9Elzq79GvpVd1nnje9PHT KRsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mkCLF7zVVmKzF4faSY/9cyLIQU8eZjYkOZThnHraRpo=; b=UoFRnIZElQJj+jqZReTSevyOZ8gALL4sazwge69HLVVM/t88dCTqCCwygY+JJS1PKe Ds4rT6jhIzcrjfv8O3xFnRQvAudI8Vs8OhF82ZhpnCnXSmrYfp78VlY8Tg2v7AxnZMY1 iJmQOaE+ZvXri9SPQmHaxHauhBgf3M8t81sGvQmHUqo2igbFSVC1X4g3xkaAxcntr77f alo0reGIoedDnRanQ2MfPGZWUBvhZyfW/Xusdbbvcpgm/RV2sJNW/szyRC6p21jAgNfF pk49lLqkejIlxk+869lxG67H6LYiPzySHM00hNcWPJ2DKR1Ahgiq/OTfSiyCLhA9RbTn G0lg==
X-Gm-Message-State: AGi0Puaka+vE1OatRkoeJiZeAbSthAfxOMfIbWrVMwyY4STlhhtoPURK PpjafMPadg2Xk36xaql0i2XvfNSIxG3LMiSNreI=
X-Google-Smtp-Source: APiQypLnuiNDzZUUiLHYPxWtJe8647g7DEamOlTHL6TbVTsWdSeKAS+beniQKvIftFZTgbFFsp82wrsha5uOw93AaVo=
X-Received: by 2002:a05:6e02:cc4:: with SMTP id c4mr12766110ilj.31.1587819482674; Sat, 25 Apr 2020 05:58:02 -0700 (PDT)
MIME-Version: 1.0
References: <158766991009.32224.6031347936963900326@ietfa.amsl.com>
In-Reply-To: <158766991009.32224.6031347936963900326@ietfa.amsl.com>
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Sat, 25 Apr 2020 08:57:51 -0400
Message-ID: <CAGL6epJR916uMf-eeihvRyZRD3u-CR73v=C0pRGmbCi_tmbPEw@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-sipcore-sip-token-authnz@ietf.org, sipcore-chairs@ietf.org, SIPCORE <sipcore@ietf.org>, Jean Mahoney <mahoney@nostrum.com>
Content-Type: multipart/alternative; boundary="0000000000003b7b7705a41d08f8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/vU61usE0251TtrTTRw16Kz7ispE>
Subject: Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13 - DISCUSS Reply
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Apr 2020 12:58:06 -0000

Hi Ben,

Thanks for the detailed and comprehensive review.
I will try to address the DISCUSS in this email with my inline comments
below.

Regards,
 Rifaat


On Thu, Apr 23, 2020 at 3:25 PM Benjamin Kaduk via Datatracker <
noreply@ietf.org> wrote:

> Benjamin Kaduk has entered the following ballot position for
> draft-ietf-sipcore-sip-token-authnz-13: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-sipcore-sip-token-authnz/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> I support Roman's Discuss.
>
>
> The "Bearer" authentication challenge includes the address (or name?) of an
> authorization server to contact to obtain tokens, as mentioned in multiple
> places in the document (noted in the COMMENT section).  Our experience in
> the OAuth world has shown that several classes of vulnerabilities are
> possible when the client blindly attempt to use any provided AS, and that a
> whitelist of "allowed" or "trusted" ASes is needed for secure operation.  I
> believe that the same is true for the SIP usage, and we should mention this
> requirement explicitly.
>
>  Yeah, good point. I will add some text to address that.


> Section 1.2 tries to apply the OAuth confidential/public client distinction
> to SIP UACs, but it does so in a non-analogous fashion: the OAuth
> distinction is for the client's ability to protect credentials that
> identify
> the client itself; the usage in this document refers to protecting *user*
> credentials and obtained tokens.  I don't think that it's appropriate to
> invoke the OAuth terminology when using it for a different meaning.
> Both Public and Confidential OAuth clients are capable of providing the
> necessary protections for *user* credentials (though they are of course not
> guaranteed to do so), which leaves me unclear on what the intended
> requirements actually are.
>
> Well, a browser-based client apps do not have client credentials at all,
and they are considered public clients.
I think the clarification needed here is to make it clear that we are
talking about persistent storage of credentials.
What I am trying to do with these two definitions is to differentiate
between a browser-based UAC and non-browser based UAC.
Because a browser-based UAC should be using a different flow, the
authorization code grant flow, which is not covered by this document.
Would adding such clarification address this comment?


>
> Section 2.3 states that:
>
>    When a proxy wishes to authenticate a received request, it MUST
>    search the request for Proxy-Authorization header fields with 'realm'
>    parameters that match its realm.  It then MUST successfully validate
>
> https://tools.ietf.org/html/rfc7235#section-4.4 suggests that it is not
> expected to have a sequence or list of Proxy-Authorization header fields
> present in a single request that are intended to be interpreted by
> different
> proxies.  Is this text compatible with that part of RFC 7235?  Furthermore,
> I didn't find much guidance in 7235 or 3261 about when to include the
> "realm" parameter in Proxy-Authorization; do we want to give any guidance
> here?  (That is to say, I almost didn't find where it was even defined as
> possible to do so...)
>
> There is a separate thread already on this one.


>
> I'm also not sure if we're attempting to profile RFC 6749 and always
> require
> a refresh token to be issued, or just have some editorial tweaks to make to
> avoid suggesting that we do have such a requirement (noted in the COMMENT).
>
> This part is out of scope for this document, as it is related to the
interaction between the UAC and the AS.
This document is not trying to deviate from the OAuth 2.0 recommendations;
we will clarify this.

v2.23.0 | Report a Bug | By Email