IETF Logo Mail Archive

Re: [Wish] Authentication for resource url

Adam Roach <adam@nostrum.com> Sat, 11 September 2021 03:59 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: wish@ietfa.amsl.com
Delivered-To: wish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C36013A2F99 for <wish@ietfa.amsl.com>; Fri, 10 Sep 2021 20:59:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.28
X-Spam-Level:
X-Spam-Status: No, score=-1.28 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, NICE_REPLY_A=-0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bBe6Jqma3726 for <wish@ietfa.amsl.com>; Fri, 10 Sep 2021 20:59:09 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32CAB3A2F97 for <wish@ietf.org>; Fri, 10 Sep 2021 20:59:09 -0700 (PDT)
Received: from [172.17.121.48] (76-218-40-253.lightspeed.dllstx.sbcglobal.net [76.218.40.253]) (authenticated bits=0) by nostrum.com (8.17.1/8.16.1) with ESMTPSA id 18B3wxqe059309 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Fri, 10 Sep 2021 22:59:01 -0500 (CDT) (envelope-from adam@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1631332746; bh=JWSzrBtrufZ4KGv8QtMYxG7PEOEWpPFUCGwhQiikZk8=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=rqZE6pUdamxccsLP4YmC9nyYi1BjvKnvuCpMaZNH0nWPxiHMvLYIzrfQFAKBhgemN iLJbPEgFqcSBChbSPY3/sCU1hL1NQ5VtiQy7fH9Zo4cJ7wMkoso2nq+aBgGzaxdN7m fIp4vIU6uBp59aMH7WOviPG2z2bfLT0RSkObB0us=
X-Authentication-Warning: raven.nostrum.com: Host 76-218-40-253.lightspeed.dllstx.sbcglobal.net [76.218.40.253] claimed to be [172.17.121.48]
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>, Juliusz Chroboczek <jch@irif.fr>
Cc: WISH List <wish@ietf.org>
References: <CA+ag07bjtS1Ucw1BZ5qQ_jJFfXbfQ3-hzDgxfkV1APhV1JZMnQ@mail.gmail.com> <87o893vuz4.wl-jch@irif.fr> <CA+ag07Y41bg_K-60=d5yyODj+bN442enQn-Grb-NkX7zQ8vVBQ@mail.gmail.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <1e55c847-6a6c-5fca-d7c0-cd3a822855a7@nostrum.com>
Date: Fri, 10 Sep 2021 22:58:54 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
MIME-Version: 1.0
In-Reply-To: <CA+ag07Y41bg_K-60=d5yyODj+bN442enQn-Grb-NkX7zQ8vVBQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------DA38172FDFC1320F15E3943F"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/iWyEp6otNmcR5FGdzoSNPEEsy-A>
Subject: Re: [Wish] Authentication for resource url
X-BeenThere: wish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: WebRTC Ingest Signaling over HTTPS <wish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wish>, <mailto:wish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wish/>
List-Post: <mailto:wish@ietf.org>
List-Help: <mailto:wish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wish>, <mailto:wish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Sep 2021 03:59:14 -0000

This is OAUTH, right? They might be different servers, but I would 
expect them to be the same audience (as OAUTH uses that term) -- 
implying that the same token would be applicable to both of them (if my 
understanding is correct).

My relatively strong preference is to specify that the same token is 
used for the requests; and, that being the case, it's not clear what 
additional security properties you gain by putting a token in the URL 
path (but I'm not, strictly speaking, opposed to it -- I just don't see 
the value).

/a

On 9/10/2021 2:24 AM, Sergio Garcia Murillo wrote:
> The second method (returning an unique url) could be detailed on the 
> security considerations, but sending the same authentication bearer 
> token in both requests should be in the normative part.
>
> Somehow, I don't like any of both ideas, sending the same token in 
> both requests doesn't feel appropriate as the idea is that the whip 
> endpoint and the whip resource could be in different servers, so the 
> token for the PATH/DELETE request is most probably irrelevant for the 
> media server.
>
> But returning an unique url doesn't seem a very secure idea. Anyway, 
> if anyone could get access to the resource url. On the other hand, if 
> an attacker has access to the url in the http response, it would most 
> probably have access to the data in the request (i.e. the token).
>
> What do you think?
> Sergio
>
> El mié, 8 sept 2021 a las 19:27, Juliusz Chroboczek (<jch@irif.fr 
> <mailto:jch@irif.fr>>) escribió:
>
>     > I think we have the following options:
>     >  - Use the same mechanism/info as the initial request to the
>     whip url (i.e.
>     > sending the Authentication header with the same bearer token)
>     >  - Returning a randomized opaque unique url
>     >  - Allow using both?
>
>     I think this is better left unspecified in the normative part of the
>     document, but should be explained in detail in the Security
>     Considerations
>     section or in an informative appendix.
>
>     -- Juliusz
>
>

v2.8.7 | Report a Bug | By Email