Re: [sipcore] Roman Danyliw's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - COMMENT
Roman Danyliw <rdd@cert.org> Tue, 05 May 2020 13:15 UTC
Return-Path: <rdd@cert.org>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F55A3A064A; Tue, 5 May 2020 06:15:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.856
X-Spam-Level:
X-Spam-Status: No, score=-0.856 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NUMERIC_HTTP_ADDR=1.242, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NMsGWBk2McDV; Tue, 5 May 2020 06:15:17 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E6903A0765; Tue, 5 May 2020 06:15:17 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 045DFC5P024734; Tue, 5 May 2020 09:15:12 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu 045DFC5P024734
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1588684512; bh=Vg3IFjGu922lQOxe1B/qL+Vw9w8U1jFIWBOrRrolAkw=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=ATWILbtRl7/xSjrjY6R+s+44LEwDig6rDLnBGZIVLZ2n3ZYD/Tru6UNir+NLQPK2G QdOIGQJsq5XXhFRV1PvxyckL3rtXQG39dIOmNUdajkh7UltdkBdVR2kwIYjydNRAfD l9mkKvfsy4XbiEzHRuK3OipCaj2rt5q3vIhVIA20=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 045DFAUP020888; Tue, 5 May 2020 09:15:10 -0400
Received: from MURIEL.ad.sei.cmu.edu (147.72.252.47) by CASSINA.ad.sei.cmu.edu (10.64.28.249) with Microsoft SMTP Server (TLS) id 14.3.487.0; Tue, 5 May 2020 09:15:09 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MURIEL.ad.sei.cmu.edu (147.72.252.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1847.3; Tue, 5 May 2020 09:15:09 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%22]) with mapi id 15.01.1847.007; Tue, 5 May 2020 09:15:09 -0400
From: Roman Danyliw <rdd@cert.org>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Christer Holmberg <christer.holmberg@ericsson.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-sipcore-sip-token-authnz@ietf.org" <draft-ietf-sipcore-sip-token-authnz@ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "sipcore@ietf.org" <sipcore@ietf.org>, Jean Mahoney <mahoney@nostrum.com>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - COMMENT
Thread-Index: AQHWGMMOtxZIT3jHHk6raCfflxfIDqiFsLAAgBPb28A=
Date: Tue, 05 May 2020 13:15:09 +0000
Message-ID: <650304eeff354140bdfe6e7dd20fa4b8@cert.org>
References: <469529BD-F254-4B45-9000-E1F5B8463A08@ericsson.com> <CAGL6epJ7GfwwDh36McF=rpUKDwtfb-ZgizRTQGByD0OR3V+Eig@mail.gmail.com>
In-Reply-To: <CAGL6epJ7GfwwDh36McF=rpUKDwtfb-ZgizRTQGByD0OR3V+Eig@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.202.196]
Content-Type: multipart/alternative; boundary="_000_650304eeff354140bdfe6e7dd20fa4b8certorg_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/x0o6z8CtZl9oE-HOpldzWd3nNes>
Subject: Re: [sipcore] Roman Danyliw's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - COMMENT
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2020 13:15:21 -0000
Hi Rifaat and Christer! Thanks for the updates made in -14 and -15. They address both my DISCUSS and COMMENT items. I’ve cleared my ballot. Regards, Roman From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Sent: Wednesday, April 22, 2020 1:58 PM To: Christer Holmberg <christer.holmberg@ericsson.com> Cc: Roman Danyliw <rdd@cert.org>; The IESG <iesg@ietf.org>; draft-ietf-sipcore-sip-token-authnz@ietf.org; sipcore-chairs@ietf.org; sipcore@ietf.org; Jean Mahoney <mahoney@nostrum.com> Subject: Re: Roman Danyliw's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT) - COMMENT Hi Roman, Thanks for the review! Regarding the DISCUSS: Section 2.1.1, 3rd paragraph, last sentence, has a bit more about the usage of the ID Token. How about extending that as follows: An OpenID Connect server returns an additional ID Token that contains claims about the authentication of the user by an Authorization Server. The ID Token can potentially include other optional claims about the user, e.g. the SIP URI, that will be consumed by the UAC and later used to register with the SIP Registrar. More inline regarding some of the comments. Regards, Rifaat On Wed, Apr 22, 2020 at 12:28 PM Christer Holmberg <christer.holmberg@ericsson.com<mailto:christer.holmberg@ericsson.com>> wrote: HI Roman, Thank You for the review! In this reply I will address most of your COMMENT issues. The DISCUSS issue, and a couple of COMMENT issues, will be addressed in a separate reply. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- >** Section 1.3. Per “Access Tokens could be represented in one of the above >two formats.”, if not one of these two formats, then which other ones? I suggest to change "could" to "can". How about replacing "could be" with "are"? --- > ** Section 2.1.1. Per “An OpenID Connect server …”, based on the flows > depicted in Figure 1 and 2, how the OpenID Connect server fits isn’t clear. We will address this in the reply that addresses the DISCUSS, as the issues are related. The AS could be a typical OAuth Authorization Server or an OpenID Provider (OP). Would changing the "AS" column in the figures to "AS/OP" help? --- > ** Section 2.1.2. Per “Endpoints that support this specification MUST support > encrypted JSON Web Tokens (JWT) [RFC7519] for encoding and protecting access > tokens when they are included in SIP requests, unless some other mechanism is > used to guarantee that only authorized SIP endpoints have access to the access > token.” -- is it the “use of” or “support for” JWT that is required if there > isn’t an alternative? Section 5 uses similar language. "MUST use" is more correct. --- > ** Section 2.1.3. Per “Note that, if there were multiple challenges with > different schemes, then the UAC may be able to successfully retry the request > using non-Bearer credentials.”, would that decision be made based on local > policy? Yes. That is described in Section 2.1.1.<http://2.1.1.>: "If the UAC receives a 401/407 response with multiple WWW- Authenticate/Proxy-Authenticate header fields, providing challenges using different authentication schemes for the same realm, the UAC selects one or more of the provided schemes (based on local policy) and provides credentials for those schemes." --- > ** Section 5. Should the use of the scope parameter be noted (or RECOMMENDED) > to narrow the utility of the token? I will refer this to Rifaat. How about adding the following sentence to this section: The SIP Registrar SHOULD include a Scope parameter to control the minimum level of service access the client is required to obtain from the Authorization Server to be able to register with the SIP Registrar. Regards, Rifaat --- > ** Editorial Nits: > Section 1.3. Typo. s/usualy/usually/ Will fix. > Section 7. Typo. s/coversion/conversion/ Will fix. --- Regards, Christer
- Re: [sipcore] Roman Danyliw's Discuss on draft-ie… Christer Holmberg
- Re: [sipcore] Roman Danyliw's Discuss on draft-ie… Rifaat Shekh-Yusef
- Re: [sipcore] Roman Danyliw's Discuss on draft-ie… Roman Danyliw
- Re: [sipcore] Roman Danyliw's Discuss on draft-ie… Rifaat Shekh-Yusef
- Re: [sipcore] Roman Danyliw's Discuss on draft-ie… Christer Holmberg