Re: [Wish] Authentication for resource url
Juliusz Chroboczek <jch@irif.fr> Tue, 14 September 2021 11:18 UTC
Date: Tue, 14 Sep 2021 13:18:19 +0200
Message-ID: <8735q72yo4.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Cc: Cameron Elliott <cameron@cameronelliott.com>, Matt Ward <mattward@mux.com>,
Adam Roach <adam@nostrum.com>, WISH List <wish@ietf.org>
In-Reply-To: <CA+ag07ZxJF95xd7y_ToRRNJmbRboRR56t=mnW+nGYFqpAkH61g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/jt9659EOKR8K1QvGTdBcfv7EC4E>
> Using a username and password for authentication is very limited and for sure
> does not cover all the use cases for whip.
I understand that, and I am all in favour of people implementing better
authentication mechanisms.
What I am requesting here is an MTI authentication mechanism that
guarantees interoperability between independent implementations of WHIP.
In other words, I am asking for guidance about what I need to implement so
I can ensure that I interoperate with all WHIP clients, including those
that haven't been written yet.
> * Generate a unique random token, associate it with a stream/account on your
> service and persist it in a db or similar
What procedure do you suggest for securely communicating the token to each
user? The obvious solution would be to make it available over HTTPS
protected by HTTP Basic, but then, we might as well cut out the middleman
and use HTTP Basic for WHIP.
> * Generate a signed jwt containing the stream/account information, which does
> not need to be persisted in the db, then use a generic url
> /whip/endpoint for all the requests and extract the stream info from the jwt
> once the signature is validated
I assume this implies that the client is generating the token in
a compatible manner. If we want to ensure interoperability, we need to
normatively reference a document that describes the procedure.
> * Generate a custom token (like base64(${username}:${password})), then use a
> generic url /whip/endpoint for all the requests and extract the stream info
> from the token. [insecure]
I wouldn't be opposed to implementing that, but, again, this implies that
the client is generating the token in a compatible manner. So we need
a normative reference so we can ensure interoperability.
-- Juliusz
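The two non-insecure options quoted above (an opaque random token persisted server-side, and a signed JWT from which the stream is extracted only after the signature is validated) can be shown side by side in a server-side check for a generic /whip/endpoint. The following is an added example written for this archive page, not code from the thread or from any WHIP implementation; it uses only the Python standard library, and the secret, stream ids and token store are constructed placeholders. The Bearer scheme is RFC 6750 and the JWT format is RFC 7519, which is the kind of normative reference the reply above asks for. The verifier pins the algorithm to HS256 before looking at the signature, so an `alg: none` or swapped-algorithm token is rejected, checks `exp`, and compares signatures in constant time; the opaque tokens are stored by hash so the lookup does not leak timing on the token value.

```python
"""Added example (not from the WISH thread): server-side validation of the
two Bearer-token schemes discussed on the list for a generic /whip/endpoint.
Option 1: opaque random token persisted server-side (a dict stands in for the db).
Option 2: self-contained HS256 JWT verified with a shared secret; the stream id
is read from the claims only after the signature and expiry checks pass.
All secrets, stream ids and tokens here are constructed placeholders."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# --- Option 1: opaque random token, persisted server-side -------------------
# Keyed by SHA-256 of the token so a leaked store does not yield usable tokens
# and so the lookup is a fixed-cost hash rather than a string comparison.
TOKEN_STORE = {}  # sha256(token) -> stream id (constructed stand-in for the db)


def issue_opaque_token(stream_id):
    """Generate a 256-bit random token and associate it with a stream."""
    tok = secrets.token_urlsafe(32)
    TOKEN_STORE[hashlib.sha256(tok.encode()).hexdigest()] = stream_id
    return tok


def lookup_opaque_token(token):
    """Return the stream id for a presented token, or None if unknown."""
    return TOKEN_STORE.get(hashlib.sha256(token.encode()).hexdigest())


# --- Option 2: signed JWT (HS256), no server-side state ----------------------
def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(secret, stream_id, ttl=3600, now=None):
    """Mint a compact JWS with the stream id and an expiry (seconds)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"stream": stream_id, "iat": now, "exp": now + ttl}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(secret, token, now=None):
    """Return the stream id if the token is well-formed, HS256-signed with
    `secret` and unexpired; otherwise None. Claims are parsed only after
    the signature has been verified."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64, bad JSON/UTF-8
        return None
    # Pin the algorithm: reject "none" and anything we did not issue.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        claims = json.loads(b64url_decode(c))
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    return claims.get("stream")


# --- Request-level check: Authorization: Bearer <token> ----------------------
def authenticate_whip_request(headers, secret, now=None):
    """Resolve the stream id for a WHIP request from its Bearer token.
    Tries the JWT form first, then the opaque-token store. Returns None
    (i.e. respond 401) when neither accepts the token."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    stream = verify_jwt(secret, token, now=now)
    if stream is None:
        stream = lookup_opaque_token(token)
    return stream
```

In a real deployment the opaque-token store would be the database the quoted message refers to, and the JWT secret (or an asymmetric key) would be shared with whatever issues tokens; the point the example makes is that both the opaque form and the signed form only interoperate if client and server agree on a documented token format, which is exactly the normative-reference question raised above.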