Re: [Wish] Authentication for resource url
Juliusz Chroboczek <jch@irif.fr> Wed, 15 September 2021 09:49 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/0ttvCGykfaxK7JBThu0S8cg3kcw>
List-Id: WebRTC Ingest Signaling over HTTPS <wish.ietf.org>
>> To give an example of how this is done in production services: on Twitch,
>> once you log in, you go into account management, click on the "Stream"
>> tab, and copy a really long string of junk out of a field labeled "Primary
>> Stream Key." You paste this into your broadcast client in a field usually
>> named "Stream Key."

Just to be clear: I think token auth is a good idea, and as a matter of
fact Galene uses token auth for authentication to the TURN server. What
I'm arguing for is a simple, interoperable user/password mechanism for the
simple case, for when the infrastructure required to securely communicate
the token to the client is not deemed necessary.

My current opinion (likely to change as Sergio and Adam explain stuff to
me further) can be summarised as:

  * HTTP basic: MUST implement in clients, MAY implement in servers;
  * token: SHOULD implement in clients, SHOULD implement in servers.

This way, server authors are guaranteed to interoperate with all clients
if they choose to implement HTTP Basic, and they can use the more secure
token auth if they are willing to put in the work required to build the
infrastructure required to communicate tokens to their chosen clients.

This way, WISH is useful both for Millicast, whose business model relies
on helping users deploy their high-quality broadcasting solutions, and for
free servers such as Galene, who want to minimise the amount of
hand-holding that they need to provide to their non-specialist users, even
if that implies not using the most secure authentication techniques
available.

-- Juliusz
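
The interoperability rule proposed in the message above (every client can send HTTP Basic; a server may accept Basic, a token, or both), shown as a server-side check of the Authorization header. This is an added example, not part of the original message and not code from Galene or any WISH implementation. The credential store, the realm name "ingest", the function names and the sample credentials are assumptions constructed for illustration, and the request is assumed to have arrived over HTTPS.

```python
import base64
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed; a real store keeps one random salt per user

def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100_000)

# Constructed sample credentials (assumptions, not taken from the thread).
USERS = {"streamer": pw_hash("correct horse")}
TOKENS = {hashlib.sha256(b"constructed-stream-key").digest(): "streamer"}
DUMMY = pw_hash("")  # compared against when the user name is unknown
# Advertise both schemes so any client can pick one it implements.
CHALLENGE = {"WWW-Authenticate": 'Basic realm="ingest", Bearer realm="ingest"'}

def basic_header(user: str, password: str) -> str:
    """Client side: build the Authorization value for HTTP Basic (RFC 7617)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def authorize(authorization):
    """Return (identity, headers); identity None means reply 401 with headers."""
    scheme, _, value = (authorization or "").partition(" ")
    scheme, value = scheme.lower(), value.strip()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except ValueError:  # bad base64 or bad UTF-8: treat as no credentials
            return None, CHALLENGE
        user, sep, password = decoded.partition(":")
        # Always hash and compare, so timing does not reveal which names exist.
        match = hmac.compare_digest(USERS.get(user, DUMMY), pw_hash(password))
        if sep and user in USERS and match:
            return user, {}
    elif scheme == "bearer":
        # Tokens are stored and compared as digests, never in clear.
        digest = hashlib.sha256(value.encode("utf-8")).digest()
        for known, owner in TOKENS.items():
            if hmac.compare_digest(known, digest):
                return owner, {}
    return None, CHALLENGE
```

A server that implements only one of the two schemes would drop the other branch and the matching challenge from `CHALLENGE`.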