Re: [stir] SIP PASSporT and Registrations
"Brian C. Wiles" <brian@poldon.com> Thu, 01 June 2017 13:46 UTC
To: stir@ietf.org
Date: Thu, 01 Jun 2017 08:45:11 -0500
From: "Brian C. Wiles" <brian@poldon.com>
In-Reply-To: <DB94C595-3E83-4589-A5DE-F59A94798FF5@chriswendt.net>
References: <01be31dd33c2c3dc576e8c73f0393b37@poldon.com> <DB94C595-3E83-4589-A5DE-F59A94798FF5@chriswendt.net>
Message-ID: <2903f8692953134fa8a7b2ac981e6188@poldon.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/Z0a5UTAbqdttM2M2pIZ-79ewUJE>
Subject: Re: [stir] SIP PASSporT and Registrations
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
Hi, Chris,

OK, that sounds fine then. Can we get a JWT authentication scheme standardized for SIP? I'll write up the draft if so. Also, would that be under SIPCORE?

Thanks!

-Brian

On Thu, 1 Jun 2017 00:15:52 -0400, Chris Wendt wrote:
> Hi Brian,
>
> What you are really looking for is not Passport but specifically an authentication mechanism. Passport is not for authentication and is very specific to proving an originator to a destination party. Thus the explicit dependency on orig and dest as claims in the JWT.
>
> There was some recent work on using OAuth 2.0 with SIP, and as you say there are other authentication mechanisms that exist outside of SIP, both using JWT and not. But unfortunately, Passport is not going to be the right answer for REGISTER.
>
> -Chris
>
>> On May 31, 2017, at 2:24 PM, Brian C. Wiles wrote:
>>
>> Hi, Jon and Chris,
>>
>> I have been searching for a way to use JSON Web Tokens in SIP, and it looks like PASSporT is close to what I need. However, I see a couple of issues that would need to be addressed in order for me to be able to use it. I was hoping we could get some changes before it becomes a final RFC because I think they are big issues for some uses of SIP, but it sounds like I'm a bit too late.
>>
>> The main issue is that PASSporT is only designed for INVITEs. There is no method for handling REGISTER events in the context of a PASSporT. For example, I have clients that need to authenticate with a SIP gateway to receive calls, and I'm trying to use JWT tokens so that my SIP gateway doesn't have to contact an external database or web service to verify the credentials.
>>
>> The other issue is that I don't want to have to specify the destination in my PASSporT token. I realize there are some security implications there, but using expirations via the "exp" claim and other methods, I can protect against replay attacks, etc. My architecture has its own security protocols to prevent unauthorized use, and I don't really care how many calls are made since they are only to other clients who have registered.
>>
>> My current implementation is close to PASSporT but using the Authorization header like most other JWT implementations use. I'm fine with using PASSporT if we can at least make the "dest" claim optional and specify that it can be used with REGISTERs as well. Let me know what you think. I'd like to get something drafted soon before I publish my open source module. Thanks.
>>
>> -Brian
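The thread turns on why PASSporT carries "orig" and "dest" claims and an "iat" timestamp: a verifier binds the token to the specific originator, the specific called number and a short time window, so a token minted for one call cannot be replayed toward another destination or later. The following is an added example, not code from this thread, from any STIR draft, or from Brian's module. It builds and verifies a PASSporT-shaped token with the RFC 8225 claim layout (orig/dest/iat, canonical JSON with sorted keys and no whitespace). The signature uses HMAC-SHA256 as a stand-in for the ES256 signature the RFC mandates so that it runs on the Python standard library alone; the key, the telephone numbers, the timestamps and the x5u URL are constructed placeholders.

```python
"""PASSporT-shaped token construction and verification (constructed example).

Claim layout follows RFC 8225 (orig / dest / iat).  The signature is
HMAC-SHA256 as a dependency-free stand-in for the ES256 signature the RFC
requires; a real verifier fetches the certificate named by "x5u" and checks
an ECDSA signature instead.
"""
import base64
import hashlib
import hmac
import json

# Constructed shared key: stand-in for the signer's ES256 key pair.
DEMO_KEY = b"constructed-demo-key-not-for-production"
# Placeholder certificate URL; RFC 8225 puts the signer's cert URL in "x5u".
DEMO_X5U = "https://cert.example.invalid/placeholder.pem"


def _b64url(raw: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(obj) -> bytes:
    """RFC 8225 canonical form: lexicographically ordered keys, no whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_passport(orig_tn: str, dest_tns: list, iat: int, key: bytes = DEMO_KEY) -> str:
    """Mint a token binding originator `orig_tn` to the called numbers `dest_tns` at time `iat`."""
    header = {"typ": "passport", "alg": "HS256", "x5u": DEMO_X5U}  # alg would be ES256 in practice
    payload = {"orig": {"tn": orig_tn}, "dest": {"tn": sorted(dest_tns)}, "iat": iat}
    signing_input = _b64url(_canonical(header)) + "." + _b64url(_canonical(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_passport(token: str, expected_orig: str, expected_dest: str, now: int,
                    key: bytes = DEMO_KEY, freshness: int = 60):
    """Return (ok, reason).

    A PASSporT is accepted only if the signature is valid AND it names the
    calling party the verifier sees AND it names the called party the verifier
    is AND it was issued within `freshness` seconds of `now`.  Dropping any of
    the three bindings is what lets a captured token be reused elsewhere.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h64, p64, s64 = parts
    try:
        presented_sig = _b64url_decode(s64)
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    expected_sig = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, presented_sig):
        return False, "bad signature"
    if header.get("typ") != "passport":
        return False, "not a passport"
    if claims.get("orig", {}).get("tn") != expected_orig:
        return False, "orig mismatch"
    if expected_dest not in claims.get("dest", {}).get("tn", []):
        return False, "dest mismatch"
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > freshness:
        return False, "stale"
    return True, "ok"


if __name__ == "__main__":
    # Constructed numbers and timestamp.
    tok = build_passport("12155551212", ["12155551213"], 1496324711)
    print(tok)
    print(verify_passport(tok, "12155551212", "12155551213", 1496324716))  # (True, 'ok')
    print(verify_passport(tok, "12155551212", "12155551214", 1496324716))  # dest mismatch
    print(verify_passport(tok, "12155551212", "12155551213", 1496325400))  # stale
```

The two rejected cases at the bottom are the point of Chris's reply: without the "dest" binding the second check disappears, and a token issued for one call would verify for any destination for as long as its time window lasts. An "exp" claim limits how long that window is but does not say whom the token was for, which is why PASSporT keeps "dest" mandatory and why a REGISTER credential, which has no called party, is a different object.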