Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13 - DISCUSS Reply

Christer Holmberg <christer.holmberg@ericsson.com> Sat, 25 April 2020 23:27 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: The IESG <iesg@ietf.org>, "draft-ietf-sipcore-sip-token-authnz@ietf.org" <draft-ietf-sipcore-sip-token-authnz@ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, SIPCORE <sipcore@ietf.org>, Jean Mahoney <mahoney@nostrum.com>
Thread-Topic: Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13 - DISCUSS Reply
Thread-Index: AQHWGwEtfH/bpP2YLUqlNdqU6ZLbLaiKrnoA
Date: Sat, 25 Apr 2020 23:27:34 +0000
Message-ID: <6EBE66ED-E26B-4B92-B776-1F799E095DB7@ericsson.com>
References: <158766991009.32224.6031347936963900326@ietfa.amsl.com> <CAGL6epJR916uMf-eeihvRyZRD3u-CR73v=C0pRGmbCi_tmbPEw@mail.gmail.com>
In-Reply-To: <CAGL6epJR916uMf-eeihvRyZRD3u-CR73v=C0pRGmbCi_tmbPEw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/x5nmfj689HvmJ88jAhpzSVVsZms>
Subject: Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13 - DISCUSS Reply
List-Id: SIP Core Working Group <sipcore.ietf.org>

Hi Benjamin,
 
>> Section 2.3 states that:
>>
>>   When a proxy wishes to authenticate a received request, it MUST
>>   search the request for Proxy-Authorization header fields with 'realm'
>>   parameters that match its realm.  It then MUST successfully validate
>>
>> https://tools.ietf.org/html/rfc7235#section-4.4 suggests that it is not
>> expected to have a sequence or list of Proxy-Authorization header fields
>> present in a single request that are intended to be interpreted by different
>> proxies.  Is this text compatible with that part of RFC 7235? 

RFC 3261 allows multiple Proxy-Authorization header fields.

> Furthermore, I didn't find much guidance in 7235 or 3261 about when to include the
> "realm" parameter in Proxy-Authorization; do we want to give any guidance
> here?  (That is to say, I almost didn't find where it was even defined as
> possible to do so...)

I think it is clear from Section 22.3 (and the example in Section 20.28) in RFC 3261 that the "realm" is included in the Proxy-Authorization header field.

If we think 7235 and/or 3261 needs to be improved regarding that I think it is a separate task, outside the scope of this document.
 
(The thread Rifaat mentioned is not really related to this. It is whether the UAC provides credentials for one or more schemes.)

Regards,

Christer
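The search step that the quoted Section 2.3 text describes, a proxy picking out the Proxy-Authorization rows whose 'realm' is its own from a request that, as Christer notes for RFC 3261, may legitimately carry several such rows, as an added example that is not part of this thread, the draft, or any project's code. The INVITE is constructed for the example and carries two rows, one Digest for an outbound proxy and one Bearer for a transit proxy. The shape of the Bearer row (a realm parameter next to a token parameter) is an illustrative assumption, not the draft's ABNF; the bare-token branch follows the b64token form of RFC 6750. Realms are compared as exact strings after unquoting, which is also an assumption to check against the deployment's realm conventions.

```python
"""Pick the Proxy-Authorization row(s) addressed to a given proxy realm."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample request (not from the draft or the thread). Two proxies on
# the path each expect their own Proxy-Authorization row, told apart by 'realm'.
# The Bearer row's parameter layout is an assumption for illustration only.
SAMPLE_REQUEST = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS client.example.com;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "Call-ID: a84b4c76e66710@client.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    'Proxy-Authorization: Digest username="alice", realm="outbound.example.com",\r\n'
    ' nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="sip:bob@example.com",\r\n'
    ' response="6629fae49393a05397450978507c4ef1"\r\n'
    'Proxy-Authorization: Bearer realm="transit.example.net",'
    ' token="eyJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# One auth-param: name "=" ( quoted-string / token ), followed by "," or end.
_AUTH_PARAM = re.compile(r'\s*([A-Za-z0-9._-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,\s]+)\s*(?:,|$)')
# RFC 6750 b64token: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r'[A-Za-z0-9\-._~+/]+=*')


@dataclass
class Credentials:
    scheme: str
    params: dict = field(default_factory=dict)   # name -> unquoted value
    token: str | None = None                      # bare-token form, if used


def split_headers(request: str) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs for the header section, unfolding
    continuation lines (a row may be folded onto lines starting with SP/HTAB)."""
    head = request.split("\r\n\r\n", 1)[0]
    rows: list[tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:           # skip the request line
        if line[:1] in (" ", "\t") and rows:
            name, value = rows[-1]
            rows[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            rows.append((name.strip().lower(), value.strip()))
    return rows


def parse_credentials(value: str) -> Credentials:
    """Parse 'Scheme auth-param *( "," auth-param )' or 'Scheme b64token'."""
    scheme, _, rest = value.strip().partition(" ")
    creds = Credentials(scheme=scheme)
    rest = rest.strip()
    if _B64TOKEN.fullmatch(rest):                 # e.g. "Bearer eyJ...", no params
        creds.token = rest
        return creds
    pos = 0
    while pos < len(rest):
        m = _AUTH_PARAM.match(rest, pos)
        if not m:
            break                                 # trailing garbage: stop, keep what parsed
        name, val = m.group(1).lower(), m.group(2)
        if val.startswith('"'):                   # strip quotes, undo backslash escapes
            val = re.sub(r"\\(.)", r"\1", val[1:-1])
        creds.params[name] = val
        pos = m.end()
    return creds


def proxy_authorization_rows(request: str) -> list[Credentials]:
    """All Proxy-Authorization rows, in order. RFC 3261 7.3.1 forbids merging
    these rows into one comma-separated row, so each row is one credentials value
    and the row-level parser must not split on commas."""
    return [parse_credentials(v) for n, v in split_headers(request)
            if n == "proxy-authorization"]


def credentials_for_realm(request: str, realm: str) -> list[Credentials]:
    """The rows a proxy serving `realm` should go on to validate: the search step
    of the draft's Section 2.3. Rows for other realms are left for other proxies."""
    return [c for c in proxy_authorization_rows(request)
            if c.params.get("realm") == realm]


if __name__ == "__main__":
    for realm in ("outbound.example.com", "transit.example.net", "nowhere.example.org"):
        found = credentials_for_realm(SAMPLE_REQUEST, realm)
        print(realm, "->", [c.scheme for c in found] or "no credentials for this realm")
```

A proxy that finds no row for its realm falls through to challenging the request; a proxy that finds a row for its realm validates that row only and leaves the others in place for the proxies downstream.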