Re: [Wish] Authentication for resource url
Christer Holmberg <christer.holmberg@ericsson.com> Wed, 15 September 2021 10:42 UTC
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Lorenzo Miniero <lorenzo@meetecho.com>, Juliusz Chroboczek <jch@irif.fr>
CC: WISH List <wish@ietf.org>
Date: Wed, 15 Sep 2021 10:42:11 +0000
Message-ID: <HE1PR07MB4441791F1620CB6B6B9C5D8893DB9@HE1PR07MB4441.eurprd07.prod.outlook.com>
In-Reply-To: <20210915121851.67088a25@lminiero>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/QsnhM6PKzbXT9OqlQSt217Qzt5k>
Hi,

If the only thing you mandate to support is HTTP basic, would WHIP pass the security review?

Regards,

Christer

-----Original Message-----
From: Wish <wish-bounces@ietf.org> On Behalf Of Lorenzo Miniero
Sent: Wednesday, 15 September 2021 13:19
To: Juliusz Chroboczek <jch@irif.fr>
Cc: WISH List <wish@ietf.org>
Subject: Re: [Wish] Authentication for resource url

On Wed, 15 Sep 2021 11:49:19 +0200 Juliusz Chroboczek <jch@irif.fr> wrote:

> >> To give an example of how this is done in production services: on
> >> Twitch, once you log in, you go into account management, click on
> >> the "Stream" tab, and copy a really long string of junk out of a
> >> field labeled "Primary Stream Key." You paste this into your
> >> broadcast client in a field usually named "Stream Key."
>
> Just to be clear: I think token auth is a good idea, and as a matter
> of fact Galene uses token auth for authentication to the TURN server.
>
> What I'm arguing for is a simple, interoperable user/password
> mechanism for the simple case, for when the infrastructure required to
> securely communicate the token to the client is not deemed necessary.
> My current opinion (likely to change as Sergio and Adam explain stuff
> to me further) can be summarised as:
>
> * HTTP basic: MUST implement in clients, MAY implement in servers;
> * token: SHOULD implement in clients, SHOULD implement in servers.
>
> This way, server authors are guaranteed to interoperate with all
> clients if they choose to implement HTTP Basic, and they can use the
> more secure token auth if they are willing to put in the work required
> to build the infrastructure required to communicate tokens to their
> chosen clients.
>
> This way, WISH is useful both for Millicast, whose business model
> relies on helping users deploy their high-quality broadcasting
> solutions, and for free servers such as Galene, who want to minimise
> the amount of hand-holding that they need to provide to their
> non-specialist users, even if that implies not using the most secure
> authentication techniques available.
>
> -- Juliusz

I personally think that would actually needlessly complicate things.

Using Bearer tokens in WHIP right now is as easy as adding an HTTP header in the client, and reading it in the server: that's what my prototypes (which know nothing of OAuth) do, so very trivial to implement and seems to be working just fine in my interoperability tests with Sergio.

Any other authentication mechanism implemented by services (including Basic Auth) could be reused anyway, as they can be what's used in a custom API to, e.g., generate the unique token you'll then use in the WHIP client (and check in the server).

Lorenzo

--
I'm getting older but, unlike whisky, I'm not getting any better
https://protect2.fireeye.com/v1/url?k=53689319-0cf3aa34-5368d382-8692dc8284cb-5e768c3ce9c5456f&q=1&e=28817502-5c33-425b-bdd6-a236a4d69a97&u=https%3A%2F%2Ftwitter.com%2Felminiero

--
Wish mailing list
Wish@ietf.org
https://www.ietf.org/mailman/listinfo/wish
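The two mechanisms the thread compares, a Bearer token "added as an HTTP header in the client and read in the server" and HTTP Basic user/password, are small enough that a WHIP endpoint can accept both with one Authorization-header check. The following is an added illustration written for this archive page; it is not Lorenzo's prototype, Galene, or any WHIP implementation's code. The token table, the user table, the resource id `stream-42` and the credential values are all constructed placeholders, and the header builders stand in for what a WHIP client would put on its POST. The server side uses a constant-time comparison for both schemes so that a rejected guess does not leak how much of the secret matched.

```python
import base64
import binascii
import hmac

# Constructed sample credential stores (hypothetical values, not from the thread).
# In a real service these come from the account database that Lorenzo's
# "custom API" would populate, never from source code.
VALID_BEARER_TOKENS = {"stream-42": "b7f3c9e1d4a6f8b2c0e5d7a9f1b3c5d7"}
VALID_BASIC_USERS = {"alice": "correct horse battery staple"}


def bearer_header(token):
    """Client side: the Authorization value for the token mechanism."""
    return "Bearer " + token


def basic_header(user, password):
    """Client side: the Authorization value for HTTP Basic (RFC 7617 encoding)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def check_whip_authorization(header_value, resource_id):
    """Server side: validate an Authorization header presented on a WHIP POST.

    Returns (accepted, scheme). `scheme` is the lower-cased scheme the client
    used (or None when no header was sent) so the caller can log or respond
    with a matching WWW-Authenticate challenge on a 401.
    """
    if not header_value:
        return False, None
    scheme, _, credentials = header_value.partition(" ")
    scheme = scheme.strip().lower()
    credentials = credentials.strip()

    if scheme == "bearer":
        expected = VALID_BEARER_TOKENS.get(resource_id)
        if expected is None:
            return False, "bearer"
        # hmac.compare_digest runs in time independent of where the strings differ
        return hmac.compare_digest(credentials.encode(), expected.encode()), "bearer"

    if scheme == "basic":
        try:
            decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
        except (binascii.Error, ValueError):
            # malformed base64 or non-UTF-8 payload: reject without raising
            return False, "basic"
        user, sep, password = decoded.partition(":")
        if not sep:
            return False, "basic"
        expected = VALID_BASIC_USERS.get(user)
        if expected is None:
            # Compare against an empty secret anyway so unknown and known users
            # take a similar code path before the rejection.
            hmac.compare_digest(password.encode(), b"")
            return False, "basic"
        return hmac.compare_digest(password.encode(), expected.encode()), "basic"

    # Any other scheme (Digest, Negotiate, ...) is not supported by this endpoint.
    return False, scheme


if __name__ == "__main__":
    print(check_whip_authorization(bearer_header("b7f3c9e1d4a6f8b2c0e5d7a9f1b3c5d7"), "stream-42"))
    print(check_whip_authorization(basic_header("alice", "correct horse battery staple"), "stream-42"))
    print(check_whip_authorization(basic_header("alice", "wrong"), "stream-42"))
```

Whichever scheme the server accepts, the transport still has to be HTTPS, because both a Bearer token and a Basic credential are sent in the clear inside the header; the check above only decides whether the presented value matches, it does not protect it in transit.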