Re: [tram] Stephen Farrell's Discuss on draft-ietf-tram-turn-third-party-authz-13: (with DISCUSS and COMMENT)

["Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>]

> -----Original Message-----
> From: Oleg Moskalenko [mailto:mom040267@gmail.com]
> Sent: Tuesday, April 14, 2015 10:57 AM
> To: Martin Thomson
> Cc: Tirumaleswar Reddy (tireddy); tram-chairs@ietf.org; tram@ietf.org;
> Brandon Williams; rlb@ipv.sx; Salz, Rich; Stephen Farrell
> (stephen.farrell@cs.tcd.ie)
> Subject: Re: [tram] Stephen Farrell's Discuss on draft-ietf-tram-turn-third-
> party-authz-13: (with DISCUSS and COMMENT)
> 
> On Mon, Apr 13, 2015 at 11:17 AM, Martin Thomson
> <martin.thomson@gmail.com> wrote:
> >
> > Section 4 doesn't permit any additional information to be carried in
> > the token.  Therefore, the STUN/TURN server is unable to apply any
> > additional policies that the authorization server might impose, such
> > as limits on the length of the session, the number of ports allocated,
> > or the bandwidth that is allocated.  (Or whatever we might later
> > conceive of.)
> 
> I believe that extra token information is a very very bad idea - it kills the
> whole interoperability thing in the draft. If we are adding "extra"
> information to the token, we can as well just kill the draft and tell the STUN
> server developers "do whatever you want, secure the stuff somehow, we do
> not care".

It was discussed in the WG and decision was not to carry any extra token information so as to keep the token size small. In future an out-of-band communication mechanism b/w STUN and authorization server to exchange the token related metadata can be defined similar to the OAuth 2.0 Token Introspection method defined in https://tools.ietf.org/html/draft-ietf-oauth-introspection-07. 

-Tiru