Re: [bfcpbis] AD evaluation: draft-ietf-bfcpbis-sdp-ws-uri-06
"Ram Mohan R (rmohanr)" <rmohanr@cisco.com> Wed, 21 December 2016 16:49 UTC
Return-Path: <rmohanr@cisco.com>
X-Original-To: bfcpbis@ietfa.amsl.com
Delivered-To: bfcpbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E12F12966F for <bfcpbis@ietfa.amsl.com>; Wed, 21 Dec 2016 08:49:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.622
X-Spam-Level:
X-Spam-Status: No, score=-17.622 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wztfxs0F8kI9 for <bfcpbis@ietfa.amsl.com>; Wed, 21 Dec 2016 08:49:43 -0800 (PST)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 069BB12953E for <bfcpbis@ietf.org>; Wed, 21 Dec 2016 08:49:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10588; q=dns/txt; s=iport; t=1482338983; x=1483548583; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=M6YOtHlgK2I9c+XyGlEekGTP4UnFFGo0/8oRY1JMWZs=; b=lwDWe1caxdg7qjFuU0ywAC/hjUbiX13vus2UrRMe/B+ytJMYWce15d5V ZklpFOZkHlVSDhXHz9/du+XIXh7a8Qx2ouMK4Zfx64HfpA5tK5MketmnX 2pklRo9ZDZweIbsOy1PoTQcKqcCz5zzmwy8xOEFlmopOQ3aiR1Sqi87nP g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AXAQBpsVpY/5ldJa1dGQEBAQEBAQEBAQEBBwEBAQEBgzUBAQEBAR9agQcHjUmWUpUTggofC4UuSgIagUQ/FAECAQEBAQEBAWIohGgBAQEDAQEBIREzBwsFBwQCAQYCEQMBAgECAiYCAgIlCxUICAIEDgWIYwgOinudTIIoiwYBAQEBAQEBAQEBAQEBAQEBAQEBAQEYBYELhyiCXIQqFgczgkotgjAFjwSLcwGROIF1hQaJVo4khA4BHzeBKi4OAYVPcodLgQ0BAQE
X-IronPort-AV: E=Sophos;i="5.33,384,1477958400"; d="scan'208";a="362374230"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Dec 2016 16:49:42 +0000
Received: from XCH-RTP-017.cisco.com (xch-rtp-017.cisco.com [64.101.220.157]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id uBLGnffX019462 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 21 Dec 2016 16:49:41 GMT
Received: from xch-rtp-017.cisco.com (64.101.220.157) by XCH-RTP-017.cisco.com (64.101.220.157) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Wed, 21 Dec 2016 11:49:41 -0500
Received: from xch-rtp-017.cisco.com ([64.101.220.157]) by XCH-RTP-017.cisco.com ([64.101.220.157]) with mapi id 15.00.1210.000; Wed, 21 Dec 2016 11:49:41 -0500
From: "Ram Mohan R (rmohanr)" <rmohanr@cisco.com>
To: Alissa Cooper <alissa@cooperw.in>
Thread-Topic: [bfcpbis] AD evaluation: draft-ietf-bfcpbis-sdp-ws-uri-06
Thread-Index: AQHSUlPULEivK+h/zEa27ao50+0e5qESuIoAgAA65gCAAGxcAA==
Date: Wed, 21 Dec 2016 16:49:40 +0000
Message-ID: <5D387442-4F3E-428E-A7F3-7D503F33E2A6@cisco.com>
References: <DDFDCD0B-AD0E-41AF-B6C8-9D29F6B10823@cooperw.in> <A1316C49-E517-49BF-A55A-145976651E63@cisco.com> <83516D34-D1DA-413F-A474-46D2B555C783@cooperw.in>
In-Reply-To: <83516D34-D1DA-413F-A474-46D2B555C783@cooperw.in>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1a.0.160910
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.65.72.6]
Content-Type: text/plain; charset="utf-8"
Content-ID: <321871DBE501794794D045BF259AC347@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/bfcpbis/MnJjQMLuC25rd7CJRvPY3gnZFgs>
Cc: "bfcpbis@ietf.org" <bfcpbis@ietf.org>
Subject: Re: [bfcpbis] AD evaluation: draft-ietf-bfcpbis-sdp-ws-uri-06
X-BeenThere: bfcpbis@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: BFCPBIS working group discussion list <bfcpbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bfcpbis/>
List-Post: <mailto:bfcpbis@ietf.org>
List-Help: <mailto:bfcpbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Dec 2016 16:49:44 -0000
Hi Alissa, Thanks for your response. Please see inline. -----Original Message----- From: Alissa Cooper <alissa@cooperw.in> Date: Wednesday, 21 December 2016 at 9:21 PM To: "Ram Mohan R (rmohanr)" <rmohanr@cisco.com> Cc: "bfcpbis@ietf.org" <bfcpbis@ietf.org> Subject: Re: [bfcpbis] AD evaluation: draft-ietf-bfcpbis-sdp-ws-uri-06 Hi Ram, > On Dec 21, 2016, at 1:51 AM, Ram Mohan R (rmohanr) <rmohanr@cisco.com> wrote: > > Hi Alissa, > > Thanks for your feedback. Please see inline > > -----Original Message----- > From: bfcpbis <bfcpbis-bounces@ietf.org> on behalf of Alissa Cooper <alissa@cooperw.in> > Date: Saturday, 10 December 2016 at 1:08 AM > To: "bfcpbis@ietf.org" <bfcpbis@ietf.org> > Subject: [bfcpbis] AD evaluation: draft-ietf-bfcpbis-sdp-ws-uri-06 > > I have reviewed this document in preparation for IETF last call. I have a couple of comments to discuss before issuing the last call. I’ve also included some nits below that should be resolved together this IETF LC comments. > > Substantive comments: > > = Section 1 = > > "In most cases it is not viable for certificates signed by well known > authorities." > > <Ram> This text was added to indicate that it is not always possible to get the certificates signed by well known authorities. > Your response says the same thing that the document says, which doesn’t explain why this claim is being made or why it is even being discussed in this paragraph. I actually don’t really >understand what the first half of the this paragraph has to do with the second half. It would make sense to me if the paragraph started with “For applications that use Session Description >Protocol (SDP) …” without the first three sentences. To go through sentence by sentence: > "As defined in Section 3 of [RFC2818], when using Secure WebSockets > the Canonical Name (CNAME) of the Secure Sockets Layer (SSL) > [RFC6101] certificate MUST match the WebSocket connection URI host.” > First, nothing about the WebSocket connection URI is defined in RFC 2818, so that citation is misplaced. Also, why is this document stating a normative requirement about all secure >websockets? > "In most cases it is not viable for certificates signed by well known > authorities.” > This sentence is provided without qualification — why is this the case? > "Thus, there is a need to indicate the connection URI > for the WebSocket Client.” > This doesn’t follow from the previous sentence. If it is true that certificates to be used for secure websockets are not signed by well-known authorities, why would that imply a need to > express the connection URI some other way? A self-signed cert would still give a CNAME, wouldn’t it? I will modify the last para of section 1 to below. Will remove some of the text that is not really relevant. EXISTING: As defined in Section 3 of [RFC2818], when using Secure WebSockets the Canonical Name (CNAME) of the Secure Sockets Layer (SSL) [RFC6101] certificate MUST match the WebSocket connection URI host. In most cases it is not viable for certificates signed by well known authorities. Thus, there is a need to indicate the connection URI for the WebSocket Client. For applications that use Session Description Protocol (SDP) [RFC4566] to negotiate, the connection URI can be indicated by means of an SDP attribute. This specification defines new SDP attributes to indicate the connection URI for the WebSocket client. Applications that use SDP for negotiation and WebSocket as a transport protocol can use this specification to advertise the WebSocket client connection URI. NEW: When WebSocket sub-protocol is used as a transport mechanism between a server and client, there needs to be a way to indicate the connection URI from the Server to the WebSocket Client. For applications that use Session Description Protocol (SDP) [RFC4566] to negotiate, the connection URI can be indicated by means of an SDP attribute. This specification defines new SDP attributes to indicate the connection URI for the WebSocket client. Applications that use SDP for negotiation and WebSocket as a transport protocol can use this specification to advertise the WebSocket client connection URI. Is this better? > > I don't understand what this sentence means. > > = Section 5 = > > "If there are > multiple records returned for the connection URI in the "a=wss-uri" > or "a=ws-uri" then the clients MAY use procedures in Section 4 of > [RFC6555] to attempt the connection towards the server." > > I'm confused about this. Why would there be multiple URIs? This isn't explained anywhere in the document. (Furthermore, I don't understand the comment from Dan Wing that was the origin of this text, I think. I thought the point of all of this work is to take advantage of the underlying WebSocket to send BFCP messages, so wouldn't DNS resolution be handled by the HTTP stack on the client?) > > <Ram> Yes this text was added based on feedback from SDP directorate. I think you have a valid point that the DNS resolution may be taken care at HTTP stack and the procedures in > RFC6555 may be used at that level. In that case this text may not fit well in here. Do you want me to remove this from the doc ? > If the text stays in, it needs to be clarified. Or if you think you don’t need it, it can be taken out. Yes. Will remove this line. > > = Section 6 = > > "Consequently, it is strongly > RECOMMENDED that integrity protection be applied to the SDP session > descriptions. For session descriptions carried in SIP [RFC3261], S/ > MIME is the natural choice to provide such end-to-end integrity > protection." > > Is this just suggesting S/MIME to have nice words in the text, or do you expect to see implementations using S/MIME to protect their SDP bodies? > > <Ram> I have not seen many implementations use S/MIME. Most of them use SIP over TLS (even though it may not provide e2e security) in case they need to protect the SIP/SDP > Then I would suggest s/is the natural choice/is available/ Thanks, will fix it Regards, Ram > Thanks, > Alissa > > Will take care of the NITS below. > > Thanks, > Ram > > Nits: > > = Section 1 = > > OLD > As defined in Section 3 of [RFC2818], when using Secure WebSockets > the Canonical Name (CNAME) of the Secure Sockets Layer (SSL) > [RFC6101] certificate MUST match the WebSocket connection URI host. > > NEW > When using Secure WebSockets > the Canonical Name (CNAME) of the Secure Sockets Layer (SSL) > [RFC6101] certificate MUST match the WebSocket connection URI host (see Section 3 of [RFC2818]). > > = Section 5 = > > s/on Internet/on the Internet/ > > s/ports (80 or 443)/port (80 or 443)/ > > = Section 6 = > > s/it is strongly RECOMMENDED/it is RECOMMENDED/ > > > _______________________________________________ > bfcpbis mailing list > bfcpbis@ietf.org > https://www.ietf.org/mailman/listinfo/bfcpbis > >
- [bfcpbis] AD evaluation: draft-ietf-bfcpbis-sdp-w… Alissa Cooper
- Re: [bfcpbis] AD evaluation: draft-ietf-bfcpbis-s… Ram Mohan R (rmohanr)
- Re: [bfcpbis] AD evaluation: draft-ietf-bfcpbis-s… Alissa Cooper
- Re: [bfcpbis] AD evaluation: draft-ietf-bfcpbis-s… Ram Mohan R (rmohanr)
- Re: [bfcpbis] AD evaluation: draft-ietf-bfcpbis-s… Alissa Cooper