IETF Logo Mail Archive

Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt

Christer Holmberg <christer.holmberg@ericsson.com> Mon, 08 July 2019 19:30 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4750120365 for <sipcore@ietfa.amsl.com>; Mon, 8 Jul 2019 12:30:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aG8AiEOiCWmr for <sipcore@ietfa.amsl.com>; Mon, 8 Jul 2019 12:30:19 -0700 (PDT)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40055.outbound.protection.outlook.com [40.107.4.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 470491203E1 for <sipcore@ietf.org>; Mon, 8 Jul 2019 12:30:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=htHMDXmGvzEO13ZFX3ePYhW2h2xatmRYVeiB8ww0elk=; b=n5YT8Y6dByQf8I/wxY6wF15aBa3I9AXkWtCU1pfkrsIFWWgZVeBqmDOJYgKG2Bkb4K9njx5knv1BM6iepmy1BaXuqmX8a9zcwUjhW/HD5LX7/ctlXF1NejNOqYtjM8Ks0AbKJyZ7EFEqLfaVLsjvkD++hXfF+dRHE+pdKQ3pzAk=
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com (10.170.245.23) by HE1PR07MB0954.eurprd07.prod.outlook.com (10.162.27.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2052.15; Mon, 8 Jul 2019 19:30:16 +0000
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43]) by HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43%5]) with mapi id 15.20.2073.008; Mon, 8 Jul 2019 19:30:16 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, "sipcore@ietf.org" <sipcore@ietf.org>
Thread-Topic: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
Thread-Index: AQHVNLWxruT/m/C2REGBvr04oIfCDqa/Al8AgAHwRACAACa0QA==
Date: Mon, 08 Jul 2019 19:30:16 +0000
Message-ID: <HE1PR07MB3161C55955B2FCED2C0F6A9993F60@HE1PR07MB3161.eurprd07.prod.outlook.com>
References: <156249821133.14592.1211919336596009446@ietfa.amsl.com> <CAGL6epLsP_UfZMAcFLsORrR05Enu-vp=jnkgUFuKSttQm8swAw@mail.gmail.com> <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu>
In-Reply-To: <c8d5c42e-ab21-80e8-3189-c8592dd02d3a@alum.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [62.113.190.248]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a5be8d2b-1de6-47e1-a32b-08d703dab4d0
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:HE1PR07MB0954;
x-ms-traffictypediagnostic: HE1PR07MB0954:
x-microsoft-antispam-prvs: <HE1PR07MB0954BB34C5B1D79DF0F4F86E93F60@HE1PR07MB0954.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 00922518D8
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(136003)(39860400002)(376002)(346002)(366004)(199004)(189003)(51444003)(74316002)(7696005)(446003)(68736007)(53936002)(71200400001)(14444005)(71190400001)(81166006)(7736002)(9686003)(81156014)(229853002)(44832011)(486006)(55016002)(8676002)(33656002)(256004)(6116002)(11346002)(8936002)(25786009)(305945005)(6436002)(99286004)(476003)(66066001)(478600001)(86362001)(5660300002)(2501003)(14454004)(73956011)(110136005)(76116006)(26005)(52536014)(186003)(102836004)(66556008)(316002)(66476007)(66446008)(64756008)(66946007)(2171002)(6246003)(76176011)(3846002)(2906002)(6506007); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB0954; H:HE1PR07MB3161.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 1CLY5SPR6cSasWqhbaGADrevM4HRjFLZ+z3nKrJUR5oh5AbKxSpC6KKDbPo5/Z9Opw6irs3ED93JhduDoRha1aJJqYYzai7cPCGCCPlLaioDrHOSoCTXE6W4+OdhCXpHVDdQcgyXRLgeDSzg7ixu2Pv7AiMcmumiDZD1na2TTx7XyXesuyHxqXb2WGV9mmtZvSqInrgwDKRYk3UbpsYAvNmJdqBBhwVSUQOWieq620ShN/8U7CyY3XI/QdIZx7X4mT9O00asjy1MxbQvtP4yeH4/3zHY34ydBFxGrVHwnIjWIAJVFpu1LmlLnecSo2oyffpG0w4CYagSvA3JSJqS4fW2116R5dN/AfuEEJ3H+5pQEM0GN2nLxt68VOWsAUISIqqG/N4+AeGFStkaUKtn5mrI3Vvq8NFA1yQKzyxLwto=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a5be8d2b-1de6-47e1-a32b-08d703dab4d0
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Jul 2019 19:30:16.5921 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: christer.holmberg@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB0954
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/rWTpBfl6poVQFY8RLEOwumkqwFw>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-sip-token-authnz-02.txt
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2019 19:30:32 -0000

Hi,

>* Regarding WWW-Authenticate:
>
>I believe it will how be possible for a server to support both Digest and Bearer. I think this means that the client 
>can use either depending on what sort of credentials it or its user happen to know.
>
>I think it would be good to mention this. I guess in principle the client could return credentials for both. In that case, I don't 
>know whether both must be valid or if it is sufficient for one to be valid. 
>Perhaps we need to discuss that. (Presumably only credentials for a/the realm that the server supports are to 
>be considered, with those for other realms being ignored.)

I think that is outside the scope of the draft. There could be multiple variants of multiple challenges.

And, RFC 3261 already talks generally about multiple challenges. I do think some of the 3261 text could be improved and clarified, but that should be done as a separate task.


>* Regarding non-registration requests (and maybe registration requests too):
>
>    The UA MUST NOT insert a token in a non-REGISTER request, unless the
>    non-REGISTER request has been challenged, or the peer is considered a
>    trusted entity.
>
> What is a trusted entity?

I asked that to be added, but it can be removed.

> In any case I think this is too strong. Once a request has been challenged the client knows this target wants the credentials. 
> We certainly don't want to force every subsequent request to the same target to take two round trips, one without credentials 
> and then one with. So the client needs to associate these credentials with this target, for awhile. But that begs the question of 
> how long to retain this association. In the case of Digest, a nonce eventually expires and the old credentials fail and get forgotten 
> and replaced by new ones. I guess the life cycle will be somewhat different for Bearer. 
> This needs some thought and discussion.

From a generic perspective I think 3261 should describe how credentials are provided in subsequent requests.

As far as tokens are concerned, I am not sure it's within the scope of this draft to define the lifetime of token credentials, as they are not SIP specific.

Having said that, I DO agree with you that the current came out too strong - and wrong: my intention was to say that credentials from a REGISTER request are not placed in a non-REGISTER request.

BUT, if a non-REGISTER requests gets challenged, we should allow the client to include the credentials in subsequent non-REGISTER requests - at least within the same session (in case of session related requests).

Regards,

Christer

v2.23.0 | Report a Bug | By Email