Re: [Wish] Authentication for resource url
Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Fri, 10 September 2021 07:25 UTC
References: <CA+ag07bjtS1Ucw1BZ5qQ_jJFfXbfQ3-hzDgxfkV1APhV1JZMnQ@mail.gmail.com>
<87o893vuz4.wl-jch@irif.fr>
In-Reply-To: <87o893vuz4.wl-jch@irif.fr>
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Date: Fri, 10 Sep 2021 09:24:52 +0200
Message-ID: <CA+ag07Y41bg_K-60=d5yyODj+bN442enQn-Grb-NkX7zQ8vVBQ@mail.gmail.com>
To: Juliusz Chroboczek <jch@irif.fr>
Cc: WISH List <wish@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/dOmgdywabX5rKv1TPwYdUZ5EdS0>
Subject: Re: [Wish] Authentication for resource url
The second method (returning a unique url) could be detailed in the security considerations, but sending the same authentication bearer token in both requests should be in the normative part.

Somehow, I don't like either of the two ideas. Sending the same token in both requests doesn't feel appropriate, as the idea is that the whip endpoint and the whip resource could be in different servers, so the token for the PATCH/DELETE request is most probably irrelevant for the media server. But returning a unique url doesn't seem a very secure idea. Anyway, if anyone could get access to the resource url. On the other hand, if an attacker has access to the url in the http response, it would most probably have access to the data in the request (i.e. the token).

What do you think?

Sergio

On Wed, 8 Sep 2021 at 19:27, Juliusz Chroboczek (<jch@irif.fr>) wrote:

> > I think we have the following options:
> >
> > - Use the same mechanism/info as the initial request to the whip url (i.e. sending the Authentication header with the same bearer token)
> > - Returning a randomized opaque unique url
> > - Allow using both?
>
> I think this is better left unspecified in the normative part of the document, but should be explained in detail in the Security Considerations section or in an informative appendix.
>
> -- Juliusz
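The following Python sketch is an added illustration for readers of this thread; it is not code from the WHIP draft or from any participant. It models the options under discussion: the initial POST to the endpoint is authenticated with a bearer token, the endpoint answers with a resource URL whose last path segment is an unguessable random id, and PATCH/DELETE on that resource is accepted either on the strength of the random URL alone (the "unique url" option) or only when the same bearer token is presented again (the "both" option). The hostnames, the `WhipEndpoint` class, its methods and the `require_token_on_resource` switch are assumptions made for the example. One detail worth noting: the resource side stores only a SHA-256 digest of the token, so a media server on a different host does not need the token itself, only its digest, to verify it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed placeholder URLs: the endpoint and the resource are assumed to
# live on different hosts, as the mail describes.
ENDPOINT_URL = "https://whip.example/endpoint"
RESOURCE_BASE = "https://media.example/resource/"


def _digest(token: str) -> bytes:
    """The session keeps only a hash of the bearer token, never the token."""
    return hashlib.sha256(token.encode()).digest()


@dataclass
class Session:
    resource_id: str
    token_digest: bytes


class WhipEndpoint:
    """Toy in-memory model of a WHIP endpoint and the resource it hands out."""

    def __init__(self, accepted_tokens, require_token_on_resource=True):
        self._accepted = [t.encode() for t in accepted_tokens]
        # True  -> unguessable URL AND the same bearer token are both required
        # False -> the unguessable URL alone authorizes PATCH/DELETE
        self._require_token = require_token_on_resource
        self._sessions = {}

    def _token_accepted(self, token):
        if token is None:
            return False
        # Constant-time comparison against every accepted token, no early exit,
        # so timing does not reveal which token (if any) matched.
        ok = False
        for accepted in self._accepted:
            ok |= hmac.compare_digest(token.encode(), accepted)
        return ok

    def post(self, bearer_token, sdp_offer):
        """Initial publish request; returns (status, Location URL or None).

        The SDP offer itself is not modelled here.
        """
        if not self._token_accepted(bearer_token):
            return 401, None
        # 32 random bytes = 256 bits of entropy; the id cannot be guessed.
        resource_id = secrets.token_urlsafe(32)
        self._sessions[resource_id] = Session(resource_id, _digest(bearer_token))
        return 201, RESOURCE_BASE + resource_id

    def resource(self, method, url, bearer_token=None):
        """PATCH or DELETE on the resource URL; returns an HTTP status code."""
        resource_id = urlparse(url).path.rsplit("/", 1)[-1]
        session = self._sessions.get(resource_id)
        if session is None:
            return 404
        if self._require_token:
            if bearer_token is None or not hmac.compare_digest(
                _digest(bearer_token), session.token_digest
            ):
                return 401
        if method == "DELETE":
            del self._sessions[resource_id]
            return 200
        if method == "PATCH":
            return 200
        return 405
```

With `require_token_on_resource=False` the resource URL is a pure capability: anyone who obtains it can PATCH or DELETE the session, which is exactly the exposure the mail worries about. With the default `True`, leaking the URL alone is not enough; the caller must also hold the token that created the session.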