Trait-Based Authorization Requirements for the Session Initiation Protocol (SIP)
RFC 4484

Document Type RFC - Informational (August 2006; No errata)
Last updated 2013-03-02
Stream IETF
Responsible AD Allison Mankin
Network Working Group                                        J. Peterson
Request for Comments: 4484                                       NeuStar
Category: Informational                                          J. Polk
                                                                   Cisco
                                                               D. Sicker
                                                              CU Boulder
                                                           H. Tschofenig
                                                                 Siemens
                                                             August 2006

                Trait-Based Authorization Requirements
               for the Session Initiation Protocol (SIP)

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document lays out a set of requirements related to trait-based
   authorization for the Session Initiation Protocol (SIP).  While some
   authentication mechanisms are described in the base SIP
   specification, trait-based authorization provides information used to
   make policy decisions based on the attributes of a participant in a
   session.  This approach provides a richer framework for
   authorization, as well as allows greater privacy for users of an
   identity system.

Peterson, et al.             Informational                      [Page 1]
RFC 4484                      SIPPING TBA                    August 2006

Table of Contents

   1. Introduction ....................................................2
   2. Terminology .....................................................4
   3. Trait-Based Authorization Framework .............................4
   4. Example Use Cases ...............................................7
      4.1. Settlement for Services ....................................7
      4.2. Associating Gateways with Providers ........................7
      4.3. Permissions on Constrained Resources .......................8
      4.4. Managing Priority and Precedence ...........................9
      4.5. Linking Different Protocols ...............................10
   5. Trait-Based Authorization Requirements .........................11
   6. Security Considerations ........................................13
   7. Acknowledgements ...............................................13
   8. References .....................................................13
      8.1. Normative References ......................................13
      8.2. Informative References ....................................13

1.  Introduction

   This document explores requirements of the Session Initiation
   Protocol (SIP) [1] for enabling trait-based authorization.  This
   effort stems from the recognition that when SIP requests are received
   by a User Agent Server (UAS), there are authorization requirements
   that are orthogonal to ascertaining the identity of the User Agent
   Client (UAC).  Supplemental authorization information might allow the
   UAS to implement non-identity-based policies that depend on further
   attributes of the principal that originated a SIP request.

   For example, in traditional SIP authorization architectures, the mere
   fact that a UAC has been authenticated by a UAS doesn't mean that the
   UAS will grant the UAC full access to its services or capabilities --
   in most instances, a UAS will compare the authenticated identity of
   the UAC to some set of users that are permitted to make particular
   requests (as a way of making an authorization decision).  However, in
   large communities of users with few preexisting relationships (such
   as federations of discrete service providers), it is unlikely that
   the authenticated identity of a UAC alone will give a UAS sufficient
   information to decide how to handle a given request.
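   The contrast drawn above, as an added example that is not part of RFC
   4484: an authorization service binds a set of attributes ("traits") to a
   principal and signs that set, and the UAS decides on the traits alone,
   keeping no list of permitted users. Everything below is constructed for
   the demonstration (the issuer name authz.example.edu, the demo key, the
   SIP URIs, the conference-bridge policy and the fixed clock value), and a
   keyed HMAC stands in for the digital signature the document describes; a
   real deployment would use a public-key signature so that the UAS holds
   only the issuer's public key.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample data: one authorization service that the UAS trusts.
# A keyed HMAC stands in for the digital signature described in the RFC
# (assumption made so the example runs with the standard library only).
TRUSTED_ISSUERS = {"authz.example.edu": b"constructed-demo-key-not-for-production"}
NOW = 1_700_000_000  # fixed "current time" so the results are reproducible


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer, key, subject, traits, now, lifetime=300):
    """Authorization service: bind traits to a subject and sign the whole set."""
    payload = {
        "issuer": issuer,
        "subject": subject,  # may be a pseudonym: traits, not identity, drive policy
        "traits": traits,
        "issued_at": now,
        "expires_at": now + lifetime,
    }
    signature = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def verify_assertion(assertion, trusted_issuers, now):
    """UAS side: is the issuer trusted, does the signature hold, is it still valid?"""
    payload = assertion["payload"]
    key = trusted_issuers.get(payload["issuer"])
    if key is None:
        return None, "untrusted issuer"
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return None, "signature mismatch"
    if not payload["issued_at"] <= now < payload["expires_at"]:
        return None, "outside validity window"
    return payload, "ok"


def authorize(assertion, policy, trusted_issuers, now):
    """Policy decision on traits alone; the UAS keeps no list of permitted users."""
    payload, reason = verify_assertion(assertion, trusted_issuers, now)
    if payload is None:
        return False, reason
    for trait, allowed in policy.items():
        if payload["traits"].get(trait) not in allowed:
            return False, f"trait {trait!r} not in {sorted(allowed)}"
    return True, "ok"


# Constructed policy for a UAS (say, a conference bridge): admit faculty or staff.
BRIDGE_POLICY = {"affiliation": {"faculty", "staff"}}

_KEY = TRUSTED_ISSUERS["authz.example.edu"]
ALICE = issue_assertion("authz.example.edu", _KEY, "sip:alice@example.edu",
                        {"affiliation": "faculty", "department": "cs"}, NOW)
BOB = issue_assertion("authz.example.edu", _KEY, "sip:bob@example.edu",
                      {"affiliation": "student"}, NOW)
# Pseudonymous subject: the UAS learns the trait, not who the caller is.
ANON = issue_assertion("authz.example.edu", _KEY, "sip:anon-7f3a@example.edu",
                       {"affiliation": "staff"}, NOW)
# Bob edits his own assertion to claim faculty; the signature no longer matches.
FORGED = copy.deepcopy(BOB)
FORGED["payload"]["traits"]["affiliation"] = "faculty"
# Assertion from a service the UAS does not trust, even though it is well formed.
ROGUE = issue_assertion("authz.example.net", b"other-key", "sip:mallory@example.net",
                        {"affiliation": "faculty"}, NOW)

if __name__ == "__main__":
    cases = [("alice", ALICE), ("bob", BOB), ("anon", ANON), ("forged", FORGED), ("rogue", ROGUE)]
    for name, assertion in cases:
        print(name, authorize(assertion, BRIDGE_POLICY, TRUSTED_ISSUERS, NOW))
    print("alice, ten minutes later",
          authorize(ALICE, BRIDGE_POLICY, TRUSTED_ISSUERS, NOW + 600))
```

   Note that the bridge never consults a user list: adding a new faculty
   member at the federated provider changes nothing on the UAS, and the
   pseudonymous caller is admitted on the strength of the trait alone, which
   is the privacy benefit the abstract mentions. The tampered and untrusted
   cases show why the signature and the issuer trust decision, not the
   attribute values themselves, carry the security of the scheme.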

   Trait-based authorization entails an assertion by an authorization
   service of attributes associated with an identity.  An assertion is a
   sort of document consisting of a set of these attributes that are
   wrapped within a digital signature provided by the party that
   generates the assertion (the operator of the authorization service).
   These attributes describe the 'trait' or 'traits' of the identity in
   question -- facts about the principal corresponding to that identity.
   For example, a given principal might be a faculty member at a
