[Wish] Can a client switch tokens?

Juliusz Chroboczek <jch@irif.fr> Sat, 13 January 2024 14:57 UTC

Return-Path: <jch@irif.fr>
X-Original-To: wish@ietfa.amsl.com
Delivered-To: wish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4313C14F5FD for <wish@ietfa.amsl.com>; Sat, 13 Jan 2024 06:57:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=irif.fr
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mudpdmtBdapz for <wish@ietfa.amsl.com>; Sat, 13 Jan 2024 06:57:41 -0800 (PST)
Received: from korolev.univ-paris7.fr (korolev.univ-paris7.fr [IPv6:2001:660:3301:8000::1:2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FBBEC14F5E3 for <wish@ietf.org>; Sat, 13 Jan 2024 06:57:39 -0800 (PST)
Received: from mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [81.194.30.253]) by korolev.univ-paris7.fr (8.14.4/8.14.4/relay1/82085) with ESMTP id 40DEvaBn016638 for <wish@ietf.org>; Sat, 13 Jan 2024 15:57:36 +0100
Received: from mailhub.math.univ-paris-diderot.fr (localhost [127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTP id 079B62427B for <wish@ietf.org>; Sat, 13 Jan 2024 15:57:35 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=irif.fr; h= content-type:content-type:mime-version:user-agent:subject :subject:from:from:message-id:date:date:received:received; s= dkim-irif; t=1705157854; x=1706021855; bh=riuR73Z5dSGlMXsI1/FPdn 7UHUwiBA0wOvohjwaxQxM=; b=iQex7CUf9pF9rWmTj0pQIvVKKbVOJ3bb0QX5OP DifKNKHgoViDcBkHn+L+S1dbzdjDABqQbRG7pCSMrnYCWZdElX/dg/aOfKPkswfg sOy0fjkyTtY0mwTTYf/7qYQIG1tj2mfDzXKfKZTsS/esCEvYRvRkaHn28gLRGsGZ AvGPyyCG7sjiJHXiXLXlgdLVW6MIYvIdggQ9nK1HfsBkU9yTlnnAjgip1oP7nyPU 1WZ6Dq23IYjJgy3qpXXTl4u0dTpMhY1WNs0kVcCRH8DyLbDnMWLbmHX9Ts1OC1q7 DuOsF8PcqDk7c98bPTceZlbWW/BS6yChwyhDZdYnxz+6c0sA==
X-Virus-Scanned: amavisd-new at math.univ-paris-diderot.fr
Received: from mailhub.math.univ-paris-diderot.fr ([127.0.0.1]) by mailhub.math.univ-paris-diderot.fr (mailhub.math.univ-paris-diderot.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id d6Zgg6n6aoi9 for <wish@ietf.org>; Sat, 13 Jan 2024 15:57:34 +0100 (CET)
Received: from pirx.irif.fr (unknown [78.194.40.74]) (Authenticated sender: jch) by mailhub.math.univ-paris-diderot.fr (Postfix) with ESMTPSA id 3E9A92443F for <wish@ietf.org>; Sat, 13 Jan 2024 15:57:33 +0100 (CET)
Date: Sat, 13 Jan 2024 15:57:33 +0100
Message-ID: <87v87x46xu.wl-jch@irif.fr>
From: Juliusz Chroboczek <jch@irif.fr>
To: wish@ietf.org
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/29.1 Mule/6.0
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (korolev.univ-paris7.fr [194.254.61.138]); Sat, 13 Jan 2024 15:57:36 +0100 (CET)
X-Miltered: at korolev with ID 65A2A4E0.000 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)!
X-j-chkmail-Enveloppe: 65A2A4E0.000 from mailhub.math.univ-paris-diderot.fr/mailhub.math.univ-paris-diderot.fr/null/mailhub.math.univ-paris-diderot.fr/<jch@irif.fr>
X-j-chkmail-Score: MSGID : 65A2A4E0.000 on korolev.univ-paris7.fr : j-chkmail score : . : R=. U=. O=. B=0.000 -> S=0.000
X-j-chkmail-Status: Ham
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/vFS_0XN7j7bLO9xCH3Ja5Z7jzZg>
Subject: [Wish] Can a client switch tokens?
X-BeenThere: wish@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: WebRTC Ingest Signaling over HTTPS <wish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wish>, <mailto:wish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wish/>
List-Post: <mailto:wish@ietf.org>
List-Help: <mailto:wish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wish>, <mailto:wish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Jan 2024 14:57:45 -0000

Hi,

Suppose I issue a token T1 to a client, and the client uses T1 to create
a WHIP session.

  C->S: POST(T1) offer
  S->C: answer, Location: endpoint

Suppose now that I issue a second token T2.  Is it legal for the client to
use T2 with the endpoint that was created with token T1?

  C->S: DELETE(T2) endpoint
  S->C: 200 or 401?

I can see pros and cons to both approaches.

If we allow the token to change, then unless the endpoint URL is kept
secret, a client might be able to destroy the session of a different
client, instant DoS.

If we don't allow the token to change, then we either need to ensure that
tokens have a sufficient lifetime, or specify that the token used for
creating a session may be used with that session even if it has expired.

Galene currently does the following:

  - it keeps the session URL secret;
  - it enforces that the token used in PATCH/DELETE is the same as the one
    that was used when creating the session;
  - it allows the use of expired tokens in PATCH/DELETE (we simply compare
    tokens, and ignore their properties at PATCH/DELETE time).

I'm looking for implementation advice.  I'm not asking for normative
language to be included in the draft (although an informative appendix
might be helpful).

Thanks,

-- Juliusz