Re: [tram] I-D Action: draft-ietf-tram-turn-third-party-authz-02.txt
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Wed, 03 September 2014 17:40 UTC
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Brandon Williams <brandon.williams@akamai.com>, "internet-drafts@ietf.org" <internet-drafts@ietf.org>, "i-d-announce@ietf.org" <i-d-announce@ietf.org>
Thread-Topic: [tram] I-D Action: draft-ietf-tram-turn-third-party-authz-02.txt
Thread-Index: AQHPwdwflerwR/6zbESoNvi+uBdM05vv14+A///Y59A=
Date: Wed, 03 Sep 2014 17:40:47 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A283220C0@xmb-rcd-x10.cisco.com>
References: <20140827094830.9888.36362.idtracker@ietfa.amsl.com> <54072639.6030809@akamai.com>
In-Reply-To: <54072639.6030809@akamai.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tram/J4sWqWDU4BB69oYa7gsYicUk_JY
Cc: "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] I-D Action: draft-ietf-tram-turn-third-party-authz-02.txt
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
> -----Original Message-----
> From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Brandon Williams
> Sent: Wednesday, September 03, 2014 8:01 PM
> To: internet-drafts@ietf.org; i-d-announce@ietf.org
> Cc: tram@ietf.org
> Subject: Re: [tram] I-D Action: draft-ietf-tram-turn-third-party-authz-02.txt
>
> I see the following new text related to hash algorithm agility in the new draft.
>
> "Discussion: When STUN supports HMAC algorithms other than HMAC-SHA-1
> then client will convey the algorithm negotiated with the TURN server to the
> authorization server in the value of 'alg' parameter defined in
> [I-D.ietf-oauth-pop-key-distribution]. Authorization server determines length
> of the mac_key based on the HMAC algorithm conveyed by the client."
>
> I've got two concerns about this, which are both just reiterations of things
> I've mentioned previously on the list. First, I think it may be premature to say
> anything about hash agility in this draft until we've settled the question more
> broadly in stunbis.

The questions before us are:

Do we want to stall progress on this draft till hash agility is finalized in STUNbis, OR
have a discussion right now, finalize the behavior and update the draft, OR
not discuss hash agility in the draft and take it forward?

> Second, I think the OAuth server must be in a position to
> enforce policy on the minimum acceptable hash algorithm, and so allowing
> the client to pick one makes the mechanism more fragile. It may be
> preferable for the client to signal its full list of capabilities in the request and
> for the server to signal its selection from among the options (or an error if
> nothing from the client's list is considered acceptable).

I have responded to the above suggestion in another mail thread.

> On a separate note, I was reminded by the meeting notes that I promised to
> send some comments to the list about resource utilization. Customers of a
> 3rd party service will often have contracts that limit resource utilization.
> There may be limits in terms of the total number of concurrent end-to-end
> streams, aggregate bandwidth, etc. Considering this, it may be necessary for
> the OAuth server to authorize the client for a certain maximum utilization to
> be associated with the ACCESS-TOKEN. Although it could make the token
> larger, I think it may be important to include this authorized utilization
> information within the token. Does anyone have any thoughts about this?
> Perhaps an alternate way to handle the same concern?

The two possible approaches for solving the problem are discussed in
http://tools.ietf.org/html/draft-hardjono-oauth-umacore-10#section-3.3, and I don't think we should complicate the draft with a token profile. Probably take up this effort as a separate draft.

-Tiru

> --Brandon
>
> On 08/27/2014 05:48 AM, internet-drafts@ietf.org wrote:
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > This draft is a work item of the TURN Revised and Modernized Working Group of the IETF.
> >
> >         Title           : TURN Extension for Third Party Authorization
> >         Authors         : Tirumaleswar Reddy
> >                           Prashanth Patil
> >                           Ram Mohan Ravindranath
> >                           Justin Uberti
> >         Filename        : draft-ietf-tram-turn-third-party-authz-02.txt
> >         Pages           : 16
> >         Date            : 2014-08-27
> >
> > Abstract:
> >    This document proposes the use of OAuth to obtain and validate
> >    ephemeral tokens that can be used for TURN authentication. The usage
> >    of ephemeral tokens ensures that access to a TURN server can be
> >    controlled even if the tokens are compromised.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-tram-turn-third-party-authz/
> >
> > There's also a htmlized version available at:
> > http://tools.ietf.org/html/draft-ietf-tram-turn-third-party-authz-02
> >
> > A diff from the previous version is available at:
> > http://www.ietf.org/rfcdiff?url2=draft-ietf-tram-turn-third-party-authz-02
> >
> >
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > _______________________________________________
> > tram mailing list
> > tram@ietf.org
> > https://www.ietf.org/mailman/listinfo/tram
> >
>
> --
> Brandon Williams; Senior Principal Software Engineer
> Emerging Products Engineering; Akamai Technologies Inc.
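The hash-agility negotiation discussed above, as an added example that is not part of this thread, of the draft, or of any TURN implementation: a small Python model of an authorization server that selects the HMAC algorithm from the client's full capability list under a minimum-strength policy (the behaviour Brandon proposed, with an error when nothing offered is acceptable), sizes mac_key from the chosen algorithm (as the quoted draft text says the server should), and then uses that key to compute and verify a MESSAGE-INTEGRITY-style HMAC over a message. The algorithm identifiers, the policy table, the rule that the key length equals the digest length, and the sample message bytes are assumptions made for this example; they are not identifiers defined by the draft, by the OAuth PoP key-distribution draft, or by STUN.

```python
"""Model of HMAC algorithm negotiation between a TURN client and an OAuth
authorization server, written for this thread as an illustration.  Not code
from the draft or from any implementation; the names and policy below are
assumptions made for the example."""
import hashlib
import hmac
import os

# Assumed table: digest function and mac_key length in bytes per algorithm.
# The key length is taken to be the digest output size, which is how this
# example realises "the server determines the length of mac_key from the
# negotiated HMAC algorithm".  The identifiers are illustrative only.
HMAC_ALGORITHMS = {
    "hmac-sha-1": (hashlib.sha1, 20),
    "hmac-sha-256": (hashlib.sha256, 32),
    "hmac-sha-512": (hashlib.sha512, 64),
}

# Assumed server policy: algorithms the server will accept, strongest first.
# HMAC-SHA-1 is deliberately absent, so a client that only offers it is refused.
SERVER_PREFERENCE = ["hmac-sha-512", "hmac-sha-256"]


class NegotiationError(ValueError):
    """Raised when the client's offer contains nothing the policy allows."""


def select_algorithm(client_offer, server_preference=SERVER_PREFERENCE):
    """Choose the strongest policy-approved algorithm from the client's full
    capability list.  The server, not the client, makes the final choice."""
    offered = {alg.lower() for alg in client_offer}
    for alg in server_preference:
        if alg in offered:
            return alg
    raise NegotiationError("no mutually acceptable HMAC algorithm")


def mac_key_length(alg):
    """Key length in bytes that the server issues for the chosen algorithm."""
    return HMAC_ALGORITHMS[alg][1]


def issue_mac_key(alg, rng=os.urandom):
    """Generate a fresh mac_key sized for the negotiated HMAC algorithm."""
    return rng(mac_key_length(alg))


def message_integrity(alg, mac_key, stun_message):
    """HMAC that a MESSAGE-INTEGRITY-style attribute would carry over the
    message bytes, using the negotiated algorithm and issued key."""
    digest, _ = HMAC_ALGORITHMS[alg]
    return hmac.new(mac_key, stun_message, digest).digest()


def verify_message_integrity(alg, mac_key, stun_message, tag):
    """Constant-time check of a received tag against a recomputed one."""
    return hmac.compare_digest(message_integrity(alg, mac_key, stun_message), tag)


if __name__ == "__main__":
    # Client advertises everything it supports; server picks hmac-sha-256.
    alg = select_algorithm(["hmac-sha-1", "hmac-sha-256"])
    key = issue_mac_key(alg)
    # Constructed sample message bytes, not a real STUN encoding.
    msg = b"\x00\x01\x00\x08" + b"constructed STUN body"
    tag = message_integrity(alg, key, msg)
    print(alg, len(key), tag.hex())
    print("verified:", verify_message_integrity(alg, key, msg, tag))
    try:
        select_algorithm(["hmac-sha-1"])
    except NegotiationError as err:
        print("rejected:", err)
```

The point of `select_algorithm` taking a list rather than a single `alg` value is that the policy lives on the server: a client that only offers HMAC-SHA-1 gets an error instead of a key, and a client that offers several gets the strongest one the server allows, with `mac_key` sized to match.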