IETF Logo Mail Archive

Re: [Wish] Authentication for resource url

Matt Ward <mattward@mux.com> Mon, 13 September 2021 17:29 UTC

Return-Path: <mattward@mux.com>
X-Original-To: wish@ietfa.amsl.com
Delivered-To: wish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0EAF3A0E81 for <wish@ietfa.amsl.com>; Mon, 13 Sep 2021 10:29:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mux.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cXwtGEh4sAcW for <wish@ietfa.amsl.com>; Mon, 13 Sep 2021 10:29:18 -0700 (PDT)
Received: from mail-oi1-x22f.google.com (mail-oi1-x22f.google.com [IPv6:2607:f8b0:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2C633A0E4C for <wish@ietf.org>; Mon, 13 Sep 2021 10:29:18 -0700 (PDT)
Received: by mail-oi1-x22f.google.com with SMTP id v2so15030876oie.6 for <wish@ietf.org>; Mon, 13 Sep 2021 10:29:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mux.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=H3rFkmm16GZBSlY2UHQ0GSPobsP29sKTAAyD+UmnG/Q=; b=RgcyQ8mAInz2pQ+hP+ZjXnFein2Omerxnlvfr/XeusTedlDquXfS3CbWyOyo77NC9I ia39efhr5+EM/2X2VJ6mb/on0B5NsnDZtqxdFgcfCIEBa65sD+FrboHN3VEygcVREhxy fKIXe248fcrEQgisGxFCHnpZ1CTLupd6lFSR0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=H3rFkmm16GZBSlY2UHQ0GSPobsP29sKTAAyD+UmnG/Q=; b=tJ4VTsyW89XebqTaSVv9dS1kRnlfmR7jz7xiYCBWkvmgTjdCRigSrqR2MMTEhLUkhn dewhRUdhGRTn8djWowZIUqLFKS5QsGgOi1cbB/xiUeMTBKEDeqhtpCgUw3m4up202Dj0 KrwGIg03uXnoSAqWZIn77ajprwzoaSPUk5sHAk3/uL1xuJmIeA18v4aGp3NUmfl0Yrsw m1tf3JBnjEzGhMIXLEPUVdEUdHHPrqN7c+rZzHUohNr9BIsWQkxt6/3StqRCFCKNczIm 5IDTzpo2SZ0S07D1/HTko6aLE/a+WCHrLsBXz4tVk6E33nkg7a1w/u0NaROQCkx/PPO5 qKvA==
X-Gm-Message-State: AOAM533eSuEAbQ8A3PrjI6yr5Bj6Z3S9aLor4zBpptZI0u350WTsQDRN hR5nXVfWfg43i5aJ4ZOVEGmXxcBcZxW+nlAw0cBv2gxeDD65kODO
X-Google-Smtp-Source: ABdhPJw0Vgm+tVZJ+4Dx160MEYSOz89f5xTCnYXg/pJsfCeWgZeSRcxCNatoZ6egg1s9fLQvrEuJBvMsaR3iS220F/U=
X-Received: by 2002:aca:f386:: with SMTP id r128mr8682687oih.168.1631554157089; Mon, 13 Sep 2021 10:29:17 -0700 (PDT)
MIME-Version: 1.0
References: <CA+ag07bjtS1Ucw1BZ5qQ_jJFfXbfQ3-hzDgxfkV1APhV1JZMnQ@mail.gmail.com> <87o893vuz4.wl-jch@irif.fr> <CA+ag07Y41bg_K-60=d5yyODj+bN442enQn-Grb-NkX7zQ8vVBQ@mail.gmail.com> <1e55c847-6a6c-5fca-d7c0-cd3a822855a7@nostrum.com> <CA+ag07YZdQooVBLtn=R=Lj0XpojCmVzd51P6=ExFUqwhvqYNdA@mail.gmail.com> <28d39165-3d08-257e-4736-1c8449e99034@nostrum.com> <CAABnt0NxfyTBQmGkh3gU69bf0zDok_pm5+Lun62EABha0gEATQ@mail.gmail.com> <66b34dab-7a67-656e-d619-c5109ca99bbb@nostrum.com> <87ee9sfo63.wl-jch@irif.fr> <CA+ag07Y5Lduu=923bLpp_PC_NLiwpLCiEdfbCN-H3tDD8LnT3A@mail.gmail.com>
In-Reply-To: <CA+ag07Y5Lduu=923bLpp_PC_NLiwpLCiEdfbCN-H3tDD8LnT3A@mail.gmail.com>
From: Matt Ward <mattward@mux.com>
Date: Mon, 13 Sep 2021 10:29:06 -0700
Message-ID: <CAABnt0M2Vg-9=SwX=O1mFbyYTS4b7ewmevW2qzMf17fsagoc2Q@mail.gmail.com>
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Cc: Juliusz Chroboczek <jch@irif.fr>, Adam Roach <adam@nostrum.com>, WISH List <wish@ietf.org>
Content-Type: multipart/related; boundary="000000000000f7545705cbe3cd68"
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/6Yxs0Y4e91d12SLdcesrHvDxv-U>
Subject: Re: [Wish] Authentication for resource url
X-BeenThere: wish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: WebRTC Ingest Signaling over HTTPS <wish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wish>, <mailto:wish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wish/>
List-Post: <mailto:wish@ietf.org>
List-Help: <mailto:wish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wish>, <mailto:wish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Sep 2021 17:29:28 -0000

In the current abstract for WHIP, the spec comes out stating "Currently
there is no standard protocol (like SIP or RTSP) designed for ingesting
media in a streaming service, and content providers still rely heavily on
protocols like RTMP for it."

Why do content providers rely on RTMP and possibly more interestingly, why
do publishers/broadcasters/end-users love RTMP?

It is dead simple.

If our goal is to replace RTMP, I think we need to allow clients to be as
dead simple as RTMP is today. In order to do this, we must allow clients to
ship with support for only path based authentication as in RTMP. This will
require a minimal amount of UI/UX changes and speed time to support in many
broadcasting software/appliances.

As for MAY support beyond that, I'd look at how custom RTMP is configured
in OBS. To that end, it only supports authentication via basic auth. I
imagine adding support for bearer authentication that's only supported for
WHIP in OBS adds complexity to that client. I imagine this additional
burden would not be uncommon across the space of existing broadcasting
software/appliances. As for one more example, I have seen approximately 0
ffmpeg example commands outputting with bearer authentication.

[image: Screenshot from 2021-09-13 10-16-54.png]


On Mon, Sep 13, 2021 at 9:30 AM Sergio Garcia Murillo <
sergio.garcia.murillo@gmail.com> wrote:

> I disagree with the approach.
>
> IMHO, using username/password authentication in http rest apis is insecure
> as it forces the user to store it's password into several "low security"
> applications and most service providers have deprecated it in favor of a
> token based authentication.
>
> My proposal would be that it is a MUST for clients to support
> authentication via the bearer token and it would be optional for the server
> to implement it or not. In case the user does not provision the token on
> the whip client, an unauthenticated request would be sent to the server.
>
> Best regards
> Sergio
>
> El lun, 13 sept 2021 a las 18:14, Juliusz Chroboczek (<jch@irif.fr>)
> escribió:
>
>> > I understand the motivation, but this doesn't get us to
>> > interoperability. We need a baseline, mandatory-to-implement
>> > authentication method for both client and server; otherwise, we'll end
>> up
>> > in a situation where your client implements mechanism A, my network
>> > implements mechanism B, and your users can't use my network.
>>
>> Yes, and that is why I suggested HTTP Basic instead of bearer token.
>>
>> Most servers today implement authentication using a username/password
>> pair.  While this is certainly not the most secure solution, it is well
>> understood by users, and is therefore likely to remain the main mode of
>> authentication for the foreseeable future.
>>
>> With HTTP Basic, it is perfectly clear how to map a username/password pair
>> to the protocol.  With bearer token, the client and the server need to
>> both agree on how to map the username/password pair to a token, and
>> I expect different implementations to use different mappings, with all the
>> fun that this entails.
>>
>> So I suggest that for clients:
>>
>>   - support for unauthenticated WISH over HTTPS is MUST;
>>   - support for HTTP Basic over HTTPS is MUST;
>>   - other authentication methods is MAY.
>>
>> If that is not what Sergio has in mind, then the draft needs to mandate an
>> unambiguous and deterministic way of mapping a username/password pair to
>> an authentication method.
>>
>> -- Juliusz
>>
>

v2.8.7 | Report a Bug | By Email