Re: [stir] SIP PASSporT and Registrations

Chris Wendt <chris-ietf@chriswendt.net> Fri, 02 June 2017 01:52 UTC

From: Chris Wendt <chris-ietf@chriswendt.net>
Message-Id: <CEADFAAC-5EC2-40E3-8F88-B4E8317B9A09@chriswendt.net>
Date: Thu, 1 Jun 2017 21:52:12 -0400
In-Reply-To: <2903f8692953134fa8a7b2ac981e6188@poldon.com>
Cc: stir@ietf.org
To: "Brian C. Wiles" <brian@poldon.com>
References: <01be31dd33c2c3dc576e8c73f0393b37@poldon.com> <DB94C595-3E83-4589-A5DE-F59A94798FF5@chriswendt.net> <2903f8692953134fa8a7b2ac981e6188@poldon.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/lURyq1JN0EABmBoEMKy7lNJ-wIw>
Subject: Re: [stir] SIP PASSporT and Registrations
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>

I believe the best approach would be to submit to the DISPATCH WG, where there can be a discussion of the path forward and of which working group might be best.

-Chris

> On Jun 1, 2017, at 9:45 AM, Brian C. Wiles <brian@poldon.com> wrote:
> 
> Hi, Chris,
> 
> OK, that sounds fine then. Can we get a JWT authentication scheme standardized for SIP? I'll write up the draft if so. Also, would that be under SIPCORE? Thanks!
> 
> -Brian
> 
> On Thu, 1 Jun 2017 00:15:52 -0400, Chris Wendt wrote:
> 
>> Hi Brian,
>> 
>> What you are really looking for is not PASSporT but specifically an authentication mechanism. PASSporT is not for authentication and is very specific to proving an originator to a destination party. Thus the explicit dependency on orig and dest as claims in the JWT.
>> 
>> There was some recent work on using OAuth 2.0 with SIP, and as you say, other authentication mechanisms exist outside of SIP, both using JWT and not. But unfortunately, PASSporT is not going to be the right answer for REGISTER.
>> 
>> -Chris
>> 
>>> On May 31, 2017, at 2:24 PM, Brian C. Wiles <brian@poldon.com> wrote:
>>> 
>>> Hi, Jon and Chris,
>>> 
>>> I have been searching for a way to use JSON Web Tokens in SIP, and it looks like PASSporT is close to what I need. However, I see a couple of issues that would need to be addressed in order for me to be able to use it. I was hoping we could get some changes before it becomes a final RFC because I think they are big issues for some uses of SIP, but it sounds like I'm a bit too late.
>>> 
>>> The main issue is that PASSporT is only designed for INVITEs. There is no method for handling REGISTER events in the context of a PASSporT. For example, I have clients that need to authenticate with a SIP gateway to receive calls, and I'm trying to use JWT tokens so that my SIP gateway doesn't have to contact an external database or web service to verify the credentials.
>>> 
>>> The other issue is that I don't want to have to specify the destination in my PASSporT token. I realize there are some security implications there, but using expirations via the "exp" claim and other methods, I can protect against replay attacks, etc. My architecture has its own security protocols to prevent unauthorized use, and I don't really care how many calls are made since they are only to other clients who have registered.
>>> 
>>> My current implementation is close to PASSporT but using the Authorization header like most other JWT implementations use. I'm fine with using PASSporT if we can at least make the "dest" claim optional and specify that it can be used with REGISTERs as well. Let me know what you think. I'd like to get something drafted soon before I publish my open source module. Thanks.
>>> 
>>> -Brian
>>> 
>> 
> _______________________________________________
> stir mailing list
> stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir
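An added example, not part of the thread, illustrating Chris's point about why PASSporT binds both orig and dest: a PASSporT-shaped JWT and a verifying party's check that the token was minted for the number actually being called. HMAC-SHA256 with a shared key stands in for PASSporT's ES256 signature so the script runs with the standard library alone, the x5u URL and telephone numbers are constructed, and the 60-second freshness window on iat is an assumed local policy.

```python
"""PASSporT-shaped token: header.payload.signature, claims orig/dest/iat.
HS256 replaces ES256 here only so the demo needs no third-party library."""
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"   # stand-in for the signer's private key
FRESHNESS = 60                  # assumed policy: accept iat up to 60 s old

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_passport(orig_tn, dest_tn, iat, key=KEY):
    """Mint a token. dest_tn=None omits 'dest', the relaxation the thread
    asks for; orig.tn is a string, dest.tn a list, as in PASSporT."""
    header = {"alg": "HS256", "typ": "passport",
              "x5u": "https://cert.example/constructed.cer"}  # constructed
    payload = {"orig": {"tn": orig_tn}, "iat": iat}
    if dest_tn is not None:
        payload["dest"] = {"tn": [dest_tn]}
    compact = lambda o: b64url(json.dumps(o, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_passport(token, called_tn, now, key=KEY):
    """Verifying party's checks in order: structure, signature, freshness,
    then destination binding. Returns 'ok' or the first failing reason."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return "bad-signature"
    claims = json.loads(b64url_decode(p))
    if not (0 <= now - claims.get("iat", 0) <= FRESHNESS):
        return "stale"
    # Without dest, a fresh, validly signed token is accepted by any called
    # party within the window; the binding is what limits replay to one call.
    if called_tn not in claims.get("dest", {}).get("tn", []):
        return "dest-mismatch"
    return "ok"
```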