IETF Logo Mail Archive

Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT)

Christer Holmberg <christer.holmberg@ericsson.com> Fri, 24 April 2020 06:40 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7062F3A0D40; Thu, 23 Apr 2020 23:40:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KZ5W1diNRc7X; Thu, 23 Apr 2020 23:40:43 -0700 (PDT)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40066.outbound.protection.outlook.com [40.107.4.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B84323A0D2F; Thu, 23 Apr 2020 23:40:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FoCyQS8ufeICHSDRexIq88LlnvC99CrbDZmzm0vi42p7udD4pMJTMuInCRC3GH/cKSZTiJ70frNKv1XOM0cE1+fbXecQK5ePdZoUrLnmfXqASuAAvjoZKWyhcG2rPVZYLm3CzPqPpiJcYDdJ7pHPanH73qV3DoFSdrYJL1tQwaxQnYh0s3ikQDv3D2icLYLO2IvMJfiRCiYHxjYbh6y4tbctwmd6R0rsGd0RfWwPjAKOIX7cf35ptUuGO/Opd/OuYtvcEyRU0gTYj88cJ3+g8USA4Yg6dTp5Ej5tTqL1qEc5uVRdchR1c9AmeHFcOWpGs3aof2wszrQ1UXZwjB7m0Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=U2ZJE2SnlBRc4Bgv3PrJMa71FfeppjE5CZ/iAk8xpjo=; b=dOV/jCNfdXT3+6/Tr9otiY1BQkfxvhscfEYXDJJB0opXqb/4v3j/mispuQ1xC8F32D83ISY4MzUUn6n+Gk0ZpoQ4hfAEe0qu2zCVl7Pp1flKKOXiTS+3VucXJRXVloeaMXFbQoEMyiaiUtSJeNZTc0MW6fsmr55DVHuhvA9clwt+qeINZiMFfdfTTOD3iKyG1417oNj8l7WcVZwdnvo53W4bt+7f0iQlayE4TIfEdppLTG20n/cDdXMI88MA/uUEuPeOBT8zeIvSl1ydjmPBWrw1TixXKZ7hvV/uDUsHMQRaFJewslNlVULf01M8uKMVybPttz6eIE21JGGUlgZdvA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=U2ZJE2SnlBRc4Bgv3PrJMa71FfeppjE5CZ/iAk8xpjo=; b=qyu/9h99z8FHjMBshNzX6xXVfG2vMr+dCiRWZ1HOcDHkKEpGmz/f9tMr3dsjRArYE+W7wz9E6ZKHWK4CAWcjrrdyYl78WPOaxDXff+Q1EuMbMOpcz2NnbcOmYXfTUP1qdXScnbnKx8Gt5WP/3mJeMOXlKTEw/Qk3zCllsh0o0mM=
Received: from AM0PR07MB3987.eurprd07.prod.outlook.com (2603:10a6:208:46::31) by AM0PR07MB4226.eurprd07.prod.outlook.com (2603:10a6:208:b5::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.11; Fri, 24 Apr 2020 06:40:14 +0000
Received: from AM0PR07MB3987.eurprd07.prod.outlook.com ([fe80::b929:4e5c:6b46:3ccc]) by AM0PR07MB3987.eurprd07.prod.outlook.com ([fe80::b929:4e5c:6b46:3ccc%7]) with mapi id 15.20.2937.020; Fri, 24 Apr 2020 06:40:14 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "Olle E. Johansson" <oej@edvina.net>, Paul Kyzivat <pkyzivat@alum.mit.edu>
CC: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>, "draft-ietf-sipcore-sip-token-authnz@ietf.org" <draft-ietf-sipcore-sip-token-authnz@ietf.org>, "sipcore@ietf.org" <sipcore@ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>
Thread-Topic: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT)
Thread-Index: AQHWGaTv/W/UMLKp7ECr0CNaSmCuWKiHL6oAgACauACAADsIgA==
Date: Fri, 24 Apr 2020 06:40:14 +0000
Message-ID: <79245079-4BE2-4CA1-9B8F-E7E71AD38458@ericsson.com>
References: <158766991009.32224.6031347936963900326@ietfa.amsl.com> <60a98de4-a8cd-5910-17f9-6849d71f4d8e@alum.mit.edu> <B61DF7BD-C304-47AA-AB10-2095CC621E5A@edvina.net>
In-Reply-To: <B61DF7BD-C304-47AA-AB10-2095CC621E5A@edvina.net>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1e.0.191013
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [188.127.223.154]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f4e452bc-286a-4e1c-c233-08d7e81a583e
x-ms-traffictypediagnostic: AM0PR07MB4226:
x-microsoft-antispam-prvs: <AM0PR07MB4226C89830665D32EA43E1D093D00@AM0PR07MB4226.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 03838E948C
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR07MB3987.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(346002)(39860400002)(366004)(376002)(136003)(6512007)(2616005)(8936002)(6486002)(2906002)(44832011)(26005)(186003)(81156014)(8676002)(71200400001)(5660300002)(4326008)(110136005)(316002)(66556008)(91956017)(64756008)(54906003)(86362001)(36756003)(66446008)(6506007)(76116006)(66946007)(478600001)(66476007)(33656002); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: T09W6nt4rtOCpLAl2cZQxsL+Im1O6hjv4w0r70D3TKz5QhSFow3ARURFWxU1nX21pNT1hE80eXbhWeIi5qQCVCD7en4vR7pDOKFb+HvLPuzNydyIp9D9fTHKr5L8FL/1kwD1E44Jxz6/wjS4Al3unorVfpB3fXbOESAE/6lR5m+9QxzeED9zDXC9E+7nuEbalPDKDSAUAM+OUUFHbdRzm1Q64HdlAKcYrXh7iCPRpSURnh20//QIpNHcPXrPTCry+i/sxOXxDEu/SHGwQfKhKO2RowYGLdGbsRHsAOXbJi4ob6YG/BJUJq0wobYTvVS5j5ZWOX+5j6IErsF+qrJLL2M3xKZa8HAZMCM5fjUxrCixHLMkgJrBNI0QYXcepchvLbvSvTBdZyszkaEz8HuXBjmK4SfkksDldsh66Oijbnh2BHoWdfzXht+PvYnp4FmC
x-ms-exchange-antispam-messagedata: bz0c287AI4xYshIQ+iLyv1mO/8+ji5V+2uoIyWnGSlyT+TGXlDyBLfc8t0OqBwZnLfSGZs3q3kBDtmhDR1tNdreaqD+FmO0zeLw1xpgUO48tI1ScZzcWKKenSQBW4jEbWIi751MiILrWAnSnrTUqrQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <FBD299C64677B04EBAB092F9EE7677D4@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f4e452bc-286a-4e1c-c233-08d7e81a583e
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Apr 2020 06:40:14.2266 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: J6J77beHRKNEdxtnLq3dJHzytVCGEtkf+izSZV2m/7qwygvjeZd30qCkQoz07yJmRvg+GTLk0YysJrR0tTJ5Z6vGjzsLYsHReAyMkGYn9uQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB4226
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/zCF-cvjWy6XR_7jgDBNGE7GC5lI>
Subject: Re: [sipcore] Benjamin Kaduk's Discuss on draft-ietf-sipcore-sip-token-authnz-13: (with DISCUSS and COMMENT)
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2020 06:40:46 -0000

Hi,

    >>> RFC 3261 seems to be written in a world that assumed that Basic and Digest
    >>> are the only defined HTTP authentication schemes, and since it prohibits
    >>> Basic, that there would only be one authentication challenge (type)
    >>> possible.  This text righly acknowledges that we are opening the field up
    >>> and could have cases where multiple authentication schemes are possible;
    >>> however, it goes even further and admits the possibility of using them
    >>> simultaneously.  It seems like this places an onus on us to give some
    >>> indication of the semantics when multiple schemes are used at the same time.
    >>> Do the authenticated identities need to match?  Or are we asserting that
    >>> both/all identities are consenting to the request in question?  (If we don't
    >>> have a concrete use case in mind, perhaps the "or more" is just opening a
    >>> box that we don't need to open right now.)
    >> 
    >> I pushed quite a bit on this area during the development of this draft. As you note we are definitely expanding into an area that wasn't anticipated in RFC3261.
    >> The whole topic of how authentication works in the presence of multiple schemes and realms could use some elaboration. The authors of this draft were
    >> reluctant to get into those weeds. It isn't clear what the right mechanism is to do that.
    >> 
    >> I had a (non-sip) use case in mind: a site I visit allows you register directly with the site, resulting in an ability to use Digest credentials. The login page on the
    >> site offers that as an option, along with the alternatives of Facebook, Google, and maybe some others. I can see something just like that for SIP. Presumably it
    >> would be achieved by challenging with Digest and also with Bearer for Facebook, Google, etc. The UAC then "chooses" by delegating the choice to the user through the UI.
    >> 
    >> This is also the case where the "whitelist" really resides within the end user's head rather than in the UAC.
    >> 
    >> It gets harder for devices that might be connecting when there is no end user present. This can happen with a "phone" that attempts to be permanently registered
    >> to its sip server so that in can receive incoming calls. If it reboots in the middle of the night there is no user handy to interact in the authentication process. It all
    >> has to take place using credentials preconfigured (or cached) in the UAC.
    > 
    > I think it’s critical - and I’ve also raised the issue before like Paul - that we develop a BCP for the various combinations we have - both two types of digest algorithms and now the OAuth2/OpenID Connect.
    > There are huge risks of mis-configured platforms allowing for downgrade attacks, so even if you’ve added stronger authentication, someone will misuse your system because MD5 was still open with simple passwords for some very old SIP phones.

    I agree that such BCP (or whatever form it would take) would be useful. As I said before, I think it should be done as a separate task.

    Therefore, in the authnz draft the suggestion is to say that the processing is based on "local policy".

    If people want, we can add a note saying that a future specification may provide more detailed procedures and guidance regarding processing multiple schemes.

    Regards,

    Christer

v2.23.0 | Report a Bug | By Email