Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 11 July 2019 15:43 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "Olle E. Johansson" <oej@edvina.net>
CC: "sipcore@ietf.org" <sipcore@ietf.org>
Date: Thu, 11 Jul 2019 15:43:40 +0000
Message-ID: <2929664D-4E91-4D45-8706-4F9D1038F55D@ericsson.com>
In-Reply-To: <E06514D2-1ADF-4A8D-A3F4-005E53BFF7E7@edvina.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/wD-flqsOhHgf8PetdJWMBf_dxgQ>

Hi,

...

>>> As an example: When reading the docs I see ways of protecting the access token so that only a specific service (read SIP domain) may decrypt and
>>> use it. That way we don’t need to disallow forwarding of SIP messages with a bearer token, as the token will be useless beyond that point.
>>
>> JWT gives you that property, doesn't it? There is nothing in the current draft that forbids or prevents you from using JWT. As we noted earlier, it's probably
>> what most (all?) people are using anyway.
>
> The implementations I’ve seen are mostly signed JWTs, but you are right, JWTs can be encrypted.
>
>>> Starting to go down that road will definitely mean that we leave the implementation you currently have behind. And that is just
>>> one issue. The other is having a parsable access token, which I think would be a requirement to follow the BCP and probably to get through
>>> the whole security audit for any standard-track RFC publication.
>>
>> JWT is parsable :)
>>
>> Is your issue that we don't mandate JWT? If so, why don't we liaise (as you suggested earlier) with the oauth wg to see
>> whether it would be safe to assume that everyone uses JWT.
>
> I don’t think we can reach any level of acceptable security in this without parseable access (and identity) tokens. All new OAuth
> documents from the WG seem to assume you can transport metadata from the authorization server to the resource server in
> tokens in order to limit access token usage.
>
> In addition I think putting the bearer token in a SIP header is dangerous - it will require a lot for existing non-compliant browsers
> not to leak this header out in the wild.

What do you mean by "existing non-compliant browsers"?

> Protecting it in a way that only the targeted audience can decode it and validate it would make the situation better.

Again, JWT :)

You can include JWT encoded information in a SIP header. We already do that elsewhere.

Regards,

Christer
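The audience binding the two of them are discussing, as an added example that is not from the draft or either author: a SIP domain checks a bearer JWT carried in the Authorization header and rejects any token whose aud does not name that domain, so a token forwarded or leaked elsewhere is useless. It assumes HS256 with a constructed shared key and a bare domain string as the aud value; the draft fixes neither.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key shared by the authorization server and the SIP domain;
# a real deployment would use per-issuer (typically asymmetric) keys.
DEMO_KEY = b"constructed-demo-key-not-for-production"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issue a compact HS256 JWS: base64url(header).base64url(payload).base64url(sig)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def bearer_token_from_sip(request: str):
    """Return the token carried in the request's Authorization: Bearer header, else None."""
    for line in request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
    return None

def verify_for_domain(token: str, sip_domain: str, key: bytes = DEMO_KEY, now=None):
    """Accept only a well-signed, unexpired token whose aud names this SIP domain."""
    try:
        h64, p64, s64 = token.split(".")
        if json.loads(unb64url(h64)).get("alg") != "HS256":     # refuse "none" / alg swap
            return None
        expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(s64)):    # constant-time compare
            return None
        claims = json.loads(unb64url(p64))
        aud, exp = claims.get("aud"), claims.get("exp")
    except (ValueError, AttributeError):          # malformed segments, bad JSON, non-object
        return None
    if sip_domain not in (aud if isinstance(aud, list) else [aud]):
        return None                               # issued for another domain: useless here
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return None
    return claims

# Constructed sample REGISTER (not a capture) carrying the token in a SIP header.
TOKEN = mint_token({"iss": "as.example.com", "aud": "example.com", "exp": 4102444800})
SAMPLE_REQUEST = "REGISTER sip:example.com SIP/2.0\r\nAuthorization: Bearer " + TOKEN + "\r\n\r\n"
```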