Re: [Wish] Authentication for resource url
Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Mon, 13 September 2021 16:30 UTC
MIME-Version: 1.0
References: <CA+ag07bjtS1Ucw1BZ5qQ_jJFfXbfQ3-hzDgxfkV1APhV1JZMnQ@mail.gmail.com>
<87o893vuz4.wl-jch@irif.fr>
<CA+ag07Y41bg_K-60=d5yyODj+bN442enQn-Grb-NkX7zQ8vVBQ@mail.gmail.com>
<1e55c847-6a6c-5fca-d7c0-cd3a822855a7@nostrum.com>
<CA+ag07YZdQooVBLtn=R=Lj0XpojCmVzd51P6=ExFUqwhvqYNdA@mail.gmail.com>
<28d39165-3d08-257e-4736-1c8449e99034@nostrum.com>
<CAABnt0NxfyTBQmGkh3gU69bf0zDok_pm5+Lun62EABha0gEATQ@mail.gmail.com>
<66b34dab-7a67-656e-d619-c5109ca99bbb@nostrum.com> <87ee9sfo63.wl-jch@irif.fr>
In-Reply-To: <87ee9sfo63.wl-jch@irif.fr>
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Date: Mon, 13 Sep 2021 18:30:34 +0200
Message-ID: <CA+ag07Y5Lduu=923bLpp_PC_NLiwpLCiEdfbCN-H3tDD8LnT3A@mail.gmail.com>
To: Juliusz Chroboczek <jch@irif.fr>
Cc: Adam Roach <adam@nostrum.com>, Matt Ward <mattward@mux.com>,
WISH List <wish@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b0ef3505cbe2fcd8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/YjhtZ4XXCa1bkSAQr6dQKd4TIVM>
Subject: Re: [Wish] Authentication for resource url
List-Id: WebRTC Ingest Signaling over HTTPS <wish.ietf.org>
I disagree with the approach. IMHO, using username/password authentication in
HTTP REST APIs is insecure, as it forces the user to store its password in
several "low security" applications, and most service providers have
deprecated it in favor of token-based authentication.

My proposal would be that it is a MUST for clients to support authentication
via the bearer token, and it would be optional for the server to implement it
or not. In case the user does not provision the token on the WHIP client, an
unauthenticated request would be sent to the server.

Best regards
Sergio

On Mon, 13 Sep 2021 at 18:14, Juliusz Chroboczek (<jch@irif.fr>) wrote:

> > I understand the motivation, but this doesn't get us to
> > interoperability. We need a baseline, mandatory-to-implement
> > authentication method for both client and server; otherwise, we'll end up
> > in a situation where your client implements mechanism A, my network
> > implements mechanism B, and your users can't use my network.
>
> Yes, and that is why I suggested HTTP Basic instead of bearer token.
>
> Most servers today implement authentication using a username/password
> pair. While this is certainly not the most secure solution, it is well
> understood by users, and is therefore likely to remain the main mode of
> authentication for the foreseeable future.
>
> With HTTP Basic, it is perfectly clear how to map a username/password pair
> to the protocol. With bearer token, the client and the server need to
> both agree on how to map the username/password pair to a token, and
> I expect different implementations to use different mappings, with all the
> fun that this entails.
>
> So I suggest that for clients:
>
> - support for unauthenticated WISH over HTTPS is MUST;
> - support for HTTP Basic over HTTPS is MUST;
> - other authentication methods is MAY.
>
> If that is not what Sergio has in mind, then the draft needs to mandate an
> unambiguous and deterministic way of mapping a username/password pair to
> an authentication method.
>
> -- Juliusz
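The three client modes debated in this exchange (bearer token, HTTP Basic, unauthenticated) and a server that implements only the bearer option, as an added example that is not part of the original message nor of any WHIP implementation. The endpoint URL, the token value and the alice/hunter2 credentials are constructed sample data, and the function and class names are hypothetical.

```python
"""Added example for the bearer-token vs HTTP Basic discussion above.

Not code from the WISH thread or from any WHIP implementation. It models the
authentication step of a WHIP POST: how a client fills the Authorization header
in each of the three modes (bearer token, HTTP Basic, unauthenticated) and how a
server that implements only bearer tokens answers. The endpoint URL, token
values and credentials are constructed sample data.
"""
from __future__ import annotations

import base64
import hmac
from typing import Optional

WHIP_ENDPOINT = "https://ingest.example.com/whip/stream-42"  # assumed sample URL
BEARER_CHALLENGE = {"WWW-Authenticate": 'Bearer realm="whip"'}  # RFC 6750 section 3


def build_whip_request(sdp_offer: str, *, bearer_token: Optional[str] = None,
                       basic_credentials: Optional[tuple[str, str]] = None) -> dict:
    """Headers a WHIP client puts on its POST.

    A provisioned bearer token wins; otherwise HTTP Basic if a username/password
    pair was given; with neither, the request goes out unauthenticated.
    """
    headers = {"Content-Type": "application/sdp"}
    if bearer_token is not None:
        headers["Authorization"] = f"Bearer {bearer_token}"  # RFC 6750
    elif basic_credentials is not None:
        user, password = basic_credentials
        # RFC 7617: base64("user:password"). Encoding is not encryption; the
        # raw password is recoverable by anything that sees the header.
        raw = f"{user}:{password}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    return {"method": "POST", "url": WHIP_ENDPOINT, "headers": headers, "body": sdp_offer}


def password_visible_in(headers: dict) -> Optional[str]:
    """Return the password an observer of this request would learn, if any.

    With Basic, every request carries the user's password; with a bearer
    token, only the (revocable) token is exposed.
    """
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    user_pass = base64.b64decode(credential).decode("utf-8")
    return user_pass.partition(":")[2]


class BearerOnlyWhipServer:
    """Server side of the proposal: bearer tokens supported, authentication
    optional. Any other scheme gets a 401 with a bearer challenge."""

    def __init__(self, valid_tokens: set[str], require_auth: bool) -> None:
        self._tokens = valid_tokens        # constructed sample tokens
        self._require_auth = require_auth

    def authenticate(self, headers: dict) -> tuple[int, dict]:
        """Return (HTTP status, response headers) for the authentication step;
        201 means the POST may proceed to SDP negotiation."""
        auth = headers.get("Authorization")
        if auth is None:
            if self._require_auth:
                return 401, BEARER_CHALLENGE
            return 201, {}  # this server accepts unauthenticated ingest
        scheme, _, credential = auth.partition(" ")
        if scheme.lower() != "bearer":
            # Basic (or any other scheme) is not implemented here; the challenge
            # tells a conforming client which scheme the server does speak.
            return 401, BEARER_CHALLENGE
        # Constant-time comparison against every token so timing does not reveal
        # how many leading bytes of a guess were right.
        matched = False
        for token in self._tokens:
            matched |= hmac.compare_digest(token.encode("utf-8"), credential.encode("utf-8"))
        if matched:
            return 201, {}
        return 401, {"WWW-Authenticate": 'Bearer realm="whip", error="invalid_token"'}


if __name__ == "__main__":
    offer = "v=0\r\no=- 0 0 IN IP4 127.0.0.1\r\ns=-\r\n"  # minimal constructed SDP
    server = BearerOnlyWhipServer({"tok-stream-42-7f3a"}, require_auth=True)
    for name, req in {
        "bearer": build_whip_request(offer, bearer_token="tok-stream-42-7f3a"),
        "basic": build_whip_request(offer, basic_credentials=("alice", "hunter2")),
        "none": build_whip_request(offer),
    }.items():
        status, _ = server.authenticate(req["headers"])
        print(f"{name:6s} -> {status}, password exposed: {password_visible_in(req['headers'])!r}")
```

Running the block prints one line per mode. The point made in the message is visible in the last column: the Basic request hands the raw password to the server (and to any TLS-terminating proxy in front of it), while the bearer request exposes only a token that can be scoped to one stream and revoked without changing the user's password. The unauthenticated request is accepted or rejected purely by the server's `require_auth` policy, which is the client-MUST / server-optional split proposed above.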
- [Wish] Authentication for resource url Sergio Garcia Murillo
- Re: [Wish] Authentication for resource url Lorenzo Miniero
- Re: [Wish] Authentication for resource url Juliusz Chroboczek
- Re: [Wish] Authentication for resource url Sergio Garcia Murillo
- Re: [Wish] Authentication for resource url Adam Roach
- Re: [Wish] Authentication for resource url Sergio Garcia Murillo
- Re: [Wish] Authentication for resource url Adam Roach
- Re: [Wish] Authentication for resource url Matt Ward
- Re: [Wish] Authentication for resource url Adam Roach
- Re: [Wish] Authentication for resource url Juliusz Chroboczek
- Re: [Wish] Authentication for resource url Sergio Garcia Murillo
- Re: [Wish] Authentication for resource url Matt Ward
- Re: [Wish] Authentication for resource url Sergio Garcia Murillo
- Re: [Wish] Authentication for resource url Matt Ward
- Re: [Wish] Authentication for resource url Sergio Garcia Murillo
- Re: [Wish] Authentication for resource url Matt Ward
- Re: [Wish] Authentication for resource url Cameron Elliott
- Re: [Wish] Authentication for resource url Juliusz Chroboczek
- Re: [Wish] Authentication for resource url Sergio Garcia Murillo
- Re: [Wish] Authentication for resource url Sergio Garcia Murillo
- Re: [Wish] Authentication for resource url Sergio Garcia Murillo
- Re: [Wish] Authentication for resource url Juliusz Chroboczek
- Re: [Wish] Authentication for resource url Sergio Garcia Murillo
- Re: [Wish] Authentication for resource url Juliusz Chroboczek
- Re: [Wish] Authentication for resource url Adam Roach
- Re: [Wish] Authentication for resource url Juliusz Chroboczek
- Re: [Wish] Authentication for resource url Juliusz Chroboczek
- Re: [Wish] Authentication for resource url Lorenzo Miniero
- Re: [Wish] Authentication for resource url Christer Holmberg
- Re: [Wish] Authentication for resource url Adam Roach
- Re: [Wish] Authentication for resource url Juliusz Chroboczek
- Re: [Wish] Authentication for resource url Juliusz Chroboczek
- Re: [Wish] Authentication for resource url Adam Roach
- Re: [Wish] Authentication for resource url Adam Roach
- Re: [Wish] Authentication for resource url Matt Ward
- Re: [Wish] Authentication for resource url Sergio Garcia Murillo
- Re: [Wish] Authentication for resource url Matt Ward
- Re: [Wish] Authentication for resource url Sergio Garcia Murillo
- Re: [Wish] Authentication for resource url Lorenzo Miniero
- Re: [Wish] Authentication for resource url Juliusz Chroboczek
- Re: [Wish] Authentication for resource url Spencer Dawkins at IETF