IETF Logo Mail Archive

Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT)

Paul Kyzivat <pkyzivat@alum.mit.edu> Thu, 23 April 2020 20:55 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD8343A085A; Thu, 23 Apr 2020 13:55:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alum.mit.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l2xOnFSglohr; Thu, 23 Apr 2020 13:55:15 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-eopbgr770075.outbound.protection.outlook.com [40.107.77.75]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED7433A0858; Thu, 23 Apr 2020 13:55:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ka1fQub1pSqewuf8Y63ncF/scJMcDeK3188VdNsFpgUsuXNZiccs7iqo0VDRDfrpKUf+EE15ttC2V0Opx4tDz4CSXJ24ym4dXPtWJz2us0f5K6tEbdIaRVVJ2roTNX74dzD4XySYSnzjEKI/zOZZod5Lf2IfX7f00GGs9WLSWYz4p+q+DGypKCEx8zufp8lNFIL7VnRtNdLLoH8QjQrbMOIM0FAL4p810YsGo/RWwUXMXLdRFNYIjMOyUelWx00klybjtcjaZjYHFmU4/juOuYoaSG4M5C8IjR/OY0naznnKdpdfkEyC5/IDiUOfiPpCgCKJHCHB2L+388Hg1bI/3g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=y3VvQ+uVKh4olEqMrALWDnxCEEw/G0U9vBwt0Y0Dm6w=; b=gKV8836c3Z6cH8wXsBzBITHHrNdYfNPyLBdR7rhPNwLbhuH3I+1fYPIqBrkiGTMWpiW8UOipNzL/oDTjEi1ZijLI4yrBayVvJoumsiIhv/Tv5By/SjXQqBaHvC/N4ViHVcHHPbragOLLygZZxdwZe/KWhgzop0Uq1yGEIgFbInnNZcTdRQACtgXLFeRJyZPIEC6ZRlQjS35gB/Z1AvfxyP4pe4+XgWD9KnSvzZBScJxqXeSoKqiGoEYU/h6zPcjdVto6LGgXdwhR5KVQwp5y3fRtciWfZBATuuwNVs8XfqibS8zAXnq1M+OikGUE3Yp7h7AAXs1GXrsKm22TBoOnuw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 18.7.68.33) smtp.rcpttodomain=mit.edu smtp.mailfrom=alum.mit.edu; dmarc=bestguesspass action=none header.from=alum.mit.edu; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alum.mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=y3VvQ+uVKh4olEqMrALWDnxCEEw/G0U9vBwt0Y0Dm6w=; b=i5/+Z/EksyUvkvK67HleF6F5Op8Wo4tzTr/mwRtgk8pS8LfxB/v5uoANS5zvCWFS7u9VtvKxASof7GvnG2ay77HnuQ2NNbdAUGhM0VH2eFVdHsYR9G49v5Qm+SXjHvgvFJneZG5eBRshgoLBK6/3+bQYKQORIPb9d/6e+BvnqW8=
Received: from SN4PR0401CA0009.namprd04.prod.outlook.com (2603:10b6:803:21::19) by DM5PR12MB1833.namprd12.prod.outlook.com (2603:10b6:3:111::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2921.29; Thu, 23 Apr 2020 20:55:13 +0000
Received: from SN1NAM02FT012.eop-nam02.prod.protection.outlook.com (2603:10b6:803:21:cafe::dd) by SN4PR0401CA0009.outlook.office365.com (2603:10b6:803:21::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.13 via Frontend Transport; Thu, 23 Apr 2020 20:55:13 +0000
Authentication-Results: spf=pass (sender IP is 18.7.68.33) smtp.mailfrom=alum.mit.edu; mit.edu; dkim=none (message not signed) header.d=none;mit.edu; dmarc=bestguesspass action=none header.from=alum.mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of alum.mit.edu designates 18.7.68.33 as permitted sender) receiver=protection.outlook.com; client-ip=18.7.68.33; helo=outgoing-alum.mit.edu;
Received: from outgoing-alum.mit.edu (18.7.68.33) by SN1NAM02FT012.mail.protection.outlook.com (10.152.72.95) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.19 via Frontend Transport; Thu, 23 Apr 2020 20:55:12 +0000
Received: from Kokiri.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id 03NKtAl2026722 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 23 Apr 2020 16:55:10 -0400
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
Cc: draft-ietf-sipcore-sip-token-authnz@ietf.org, sipcore@ietf.org, sipcore-chairs@ietf.org
References: <158766991009.32224.6031347936963900326@ietfa.amsl.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <60a98de4-a8cd-5910-17f9-6849d71f4d8e@alum.mit.edu>
Date: Thu, 23 Apr 2020 16:55:10 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <158766991009.32224.6031347936963900326@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.7.68.33; CTRY:US; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:outgoing-alum.mit.edu; PTR:outgoing-alum.mit.edu; CAT:NONE; SFTY:; SFS:(10009020)(136003)(376002)(39860400002)(396003)(346002)(46966005)(7596003)(70586007)(70206006)(186003)(2906002)(956004)(336012)(2616005)(82740400003)(47076004)(26005)(4326008)(5660300002)(31686004)(786003)(110136005)(8936002)(356005)(53546011)(36906005)(478600001)(316002)(86362001)(8676002)(75432002)(246002)(31696002)(82310400002); DIR:OUT; SFP:1101;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 4bd70fae-a461-47a2-ebbc-08d7e7c89e14
X-MS-TrafficTypeDiagnostic: DM5PR12MB1833:
X-Microsoft-Antispam-PRVS: <DM5PR12MB1833429D488BAC074E49A5FEF9D30@DM5PR12MB1833.namprd12.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-Forefront-PRVS: 03827AF76E
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: ADmjEegTs/xS8xidHFGW40DM86H8M2+xL5NRKYUpBErutcte99Z27P14rzW+AfjunQzALeL0MaIVk7DF6KS6YOH21hpG0ArCqHVJy/Coc8uXpkOumB4mVxpxvVR2+pyHWlvrvuKeYJY5kPXfJrdUnKhw2eaHfq8Ncx0t94BBHk/LaMvAXWSuAC5cy0jAlhmrzdxO36rUrFfQZm4vTii3qQaR0S1AU3jpG4mcY1pejlmR2709/QnGde8xsdH20X8rGcorrm+648oxEgjqVtjZBZog/WtxEj6O1KVTve4jYkEUlVV5JO5t3ZJtmQZrpJXe/sThFgYC2C9SwT2LQf6JEpjMXBkXsB9eQ4jSyZVEC+MPN7m6HpepZllX4E4CHl8Guc32hr065eg9aKbGn56RQnp1637AS2k0pQ3Yf4dusC5F6DUy6/dpWSS2mh2ZPu+PNOAJtWuKWW0FV96edkKGB7PdyPEKsgS2xFwQXXmg0GeaD0J/Eg1DI1emuaqvwdX28yq9IuKezIwr/Y0N5vt9Nw==
X-OriginatorOrg: alum.mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 23 Apr 2020 20:55:12.5111 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 4bd70fae-a461-47a2-ebbc-08d7e7c89e14
X-MS-Exchange-CrossTenant-Id: 3326b102-c043-408b-a990-b89e477d582f
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=3326b102-c043-408b-a990-b89e477d582f; Ip=[18.7.68.33]; Helo=[outgoing-alum.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR12MB1833
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/wmIoAEEJ5-naDrxEj3KBkr3iYAQ>
Subject: Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT)
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Apr 2020 20:55:18 -0000

On 4/23/20 3:25 PM, Benjamin Kaduk via Datatracker wrote:

> RFC 3261 seems to be written in a world that assumed that Basic and Digest
> are the only defined HTTP authentication schemes, and since it prohibits
> Basic, that there would only be one authentication challenge (type)
> possible.  This text righly acknowledges that we are opening the field up
> and could have cases where multiple authentication schemes are possible;
> however, it goes even further and admits the possibility of using them
> simultaneously.  It seems like this places an onus on us to give some
> indication of the semantics when multiple schemes are used at the same time.
> Do the authenticated identities need to match?  Or are we asserting that
> both/all identities are consenting to the request in question?  (If we don't
> have a concrete use case in mind, perhaps the "or more" is just opening a
> box that we don't need to open right now.)

I pushed quite a bit on this area during the development of this draft. 
As you note we are definitely expanding into an area that wasn't 
anticipated in RFC3261. The whole topic of how authentication works in 
the presence of multiple schemes and realms could use some elaboration. 
The authors of this draft were reluctant to get into those weeds. It 
isn't clear what the right mechanism is to do that.

I had a (non-sip) use case in mind: a site I visit allows you register 
directly with the site, resulting in an ability to use Digest 
credentials. The login page on the site offers that as an option, along 
with the alternatives of Facebook, Google, and maybe some others. I can 
see something just like that for SIP. Presumably it would be achieved by 
challenging with Digest and also with Bearer for Facebook, Google, etc. 
The UAC then "chooses" by delegating the choice to the user through the UI.

This is also the case where the "whitelist" really resides within the 
end user's head rather than in the UAC.

It gets harder for devices that might be connecting when there is no end 
user present. This can happen with a "phone" that attempts to be 
permanently registered to its sip server so that in can receive incoming 
calls. If it reboots in the middle of the night there is no user handy 
to interact in the authentication process. It all has to take place 
using credentials preconfigured (or cached) in the UAC.

	Thanks,
	Paul

v2.23.0 | Report a Bug | By Email