Re: [stir] SIP PASSporT and Registrations

Chris Wendt <> Thu, 01 June 2017 04:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A759E127775 for <>; Wed, 31 May 2017 21:15:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oGGXcXcVMUHc for <>; Wed, 31 May 2017 21:15:55 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c0d::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BA561127078 for <>; Wed, 31 May 2017 21:15:55 -0700 (PDT)
Received: by with SMTP id l39so4391316qtb.1 for <>; Wed, 31 May 2017 21:15:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=8wLgvwu1dOTx5rCV6KXgEN9SfgnFAypfoS1ucBbfdK0=; b=YltMlqobzSkc9NNDMNJ3XEPnmm9XYCNwPWcXKYaoYXWnDf5EXVs/nq/3N4Swsdebpy Yja0XwVhYA8W6ggTkFkr/sXP/tJGo2yoVmNrZDX0imlgUy3+vmEWyC0wGJpcgZ6iueoV K96mM7EfhNGaMyz+eJiNDLHU4knGXZdEhDrTq46rOuT4jdgkDbvkwcp9NWjlQ0Q9wepu VBd8GFgjAQcZ/lyXTMdzIMnXuD4DixBL+1y1Z06FupsztFlmBVc/Ye0zRToOyITHrJc8 VQW9K78qeVOJwq1CdKjThyvM9LDzgxJGOwb45gSIpnbuUM1GipZlz3+UA7QETc80wTCI 3F+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=8wLgvwu1dOTx5rCV6KXgEN9SfgnFAypfoS1ucBbfdK0=; b=SbYHLWM6cbYZWpfp/8KUsxVdxooL7beQFmkXlQlr4LDi4pq4QV9GgihJ5xEOmH2pYv uw/5dzD3nq33ThXUUKQsquPeZ78CILGa6QimN38nmuOm1MMMNCyN69/AULDxmQsLHzTs ztISzqbeIBLEx4h2JOKi73NQ3Spa/vayjPyXGD9ibMI75I1ftXVYif1a0l/vNK439HwQ 3vuMpNG57a1S5C7paBuI3V/ZzKcSkpZanAskLjx476ORkND/N+E0tdj8ARZmwXkciX+h xRXDRl0Kbeq/MU79Rui6OLb3usJVGTvJbp4EDTxLkxO/7OLnwbLOHAKZPvUo6quURwuf rl+A==
X-Gm-Message-State: AODbwcDvtjUWrBNu5Wvo0SYnG21TycF0+Cc+78NwRmz4t91chDGZZupI OcQ2bB4uh/l39P0+
X-Received: by with SMTP id t27mr36265535qta.10.1496290554923; Wed, 31 May 2017 21:15:54 -0700 (PDT)
Received: from ?IPv6:2601:41:c102:3d1e:9420:2913:b54f:e2d3? ([2601:41:c102:3d1e:9420:2913:b54f:e2d3]) by with ESMTPSA id c5sm11832636qkf.14.2017. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 31 May 2017 21:15:54 -0700 (PDT)
From: Chris Wendt <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E46E4631-9EDD-4439-9116-39013D57D816"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Thu, 01 Jun 2017 00:15:52 -0400
In-Reply-To: <>
To: "Brian C. Wiles" <>
References: <>
X-Mailer: Apple Mail (2.3273)
Archived-At: <>
Subject: Re: [stir] SIP PASSporT and Registrations
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 01 Jun 2017 04:15:58 -0000

Hi Brian,

What you are really looking for is not Passport but specifically an authentication mechanism.  Passport is not for authentication and is very specific to proving an originator to a destination party.  Thus the explicit dependency on orig and dest as claims in the JWT.

There was some recent work on using OAuth 2.0 with SIP, and as you say there is other authentication mechanisms exist outside of SIP both using JWT and not.  But unfortunately, Passport is not going to be the right answer for REGISTER.


> On May 31, 2017, at 2:24 PM, Brian C. Wiles <> wrote:
> Hi, Jon and Chris,
>   I have been searching for a way to use JSON Web Tokens in SIP, and it looks like PASSporT is close to what I need.  However, I see a couple of issues that would need to be addressed in order for me to be able to use it.  I was hoping we could get some changes before it becomes a final RFC because I think they are big issues for some uses of SIP, but it sounds like I'm a bit too late.
>   The main issue is that PASSporT is only designed for INVITEs.  There is no method for handling REGISTER events in the context of a PASSporT.  For example, I have clients that need to authenticate with a SIP gateway to receive calls, and I'm trying to use JWT tokens so that my SIP gateway doesn't have to contact an external database or web service to verify the credentials.
>   The other issue is that I don't want to have to specify the destination in my PASSporT token.  I realize there are some security implications there, but using expirations via the "exp" claim and other methods, I can protect against replay attacks, etc.  My architecture has its own security protocols to prevent unauthorized use, and I don't really care how many calls are made since they are only to other clients who have registered.
>   My current implementation is close to PASSporT but using the Authorization header like most other JWT implementations use.  I'm fine with using PASSporT if we can at least make the "dest" claim optional and specify that it can be used with REGISTERs as well.  Let me know what you think.  I'd like to get something drafted soon before I publish my open source module.  Thanks.
> -Brian