IETF Logo Mail Archive

[MMUSIC] comedia-tls: proposed change for certificate identities

Jonathan Lennox <lennox@cs.columbia.edu> Sun, 29 January 2006 19:04 UTC

Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F3Hr0-0005Qh-JQ; Sun, 29 Jan 2006 14:04:50 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F3Hqt-0005PF-Ca; Sun, 29 Jan 2006 14:04:49 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA18790; Sun, 29 Jan 2006 14:02:42 -0500 (EST)
Received: from cs.columbia.edu ([128.59.16.20]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1F3I13-0008UV-MN; Sun, 29 Jan 2006 14:15:16 -0500
Received: from cnr.cs.columbia.edu (cnr.cs.columbia.edu [128.59.19.133]) by cs.columbia.edu (8.12.10/8.12.10) with ESMTP id k0TJ48KG026030 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 29 Jan 2006 14:04:08 -0500 (EST)
Received: from cnr.cs.columbia.edu (localhost [127.0.0.1]) by cnr.cs.columbia.edu (8.13.3/8.13.3) with ESMTP id k0TJ48WI036653; Sun, 29 Jan 2006 14:04:08 -0500 (EST) (envelope-from lennox@cnr.cs.columbia.edu)
Received: (from lennox@localhost) by cnr.cs.columbia.edu (8.13.3/8.13.3/Submit) id k0TJ427k036632; Sun, 29 Jan 2006 14:04:02 -0500 (EST) (envelope-from lennox)
From: Jonathan Lennox <lennox@cs.columbia.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <17373.4514.607960.660335@cnr.cs.columbia.edu>
Date: Sun, 29 Jan 2006 14:04:02 -0500
To: mmusic@ietf.org, tls@ietf.org
X-Mailer: VM 7.19 under Emacs 21.3.1
X-PerlMx-Spam: Gauge=IIIIIII, Probability=7%, Report='__CT 0, __CTE 0, __CT_TEXT_PLAIN 0, __HAS_MSGID 0, __HAS_X_MAILER 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __SANE_MSGID 0'
X-Spam-Score: 0.0 (/)
X-Scan-Signature: e8a67952aa972b528dd04570d58ad8fe
Content-Transfer-Encoding: 7bit
Cc: Sam Hartman <hartmans-ietf@mit.edu>, EKR <ekr@networkresonance.com>, jon.peterson@neustar.biz, mankin@psg.com
Subject: [MMUSIC] comedia-tls: proposed change for certificate identities
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
Sender: mmusic-bounces@ietf.org
Errors-To: mmusic-bounces@ietf.org

Hi, all --

I'm working on a revision of draft-ietf-mmusic-comedia-tls following IESG
review.  A preliminary version of the revised draft is available at
<http://www1.cs.columbia.edu/~lennox/draft-ietf-mmusic-comedia-tls-06pre1.html> and
<http://www1.cs.columbia.edu/~lennox/draft-ietf-mmusic-comedia-tls-06pre1.txt>;
a document showing changes from the previous version is at
<http://www1.cs.columbia.edu/~lennox/draft-ietf-mmusic-comedia-tls-06pre1.diff.html>.

Most of the issues raised resulted in pretty minor and hopefully
uncontroversial changes, but one change, having to do with certificate
identity choice, is fairly major.  I'm still
uncertain about the practical usability of the resulting rules.

Here's the scheme I'm proposing:

* If your SDP was sent over an end-to-end authenticated and
integrity-protected channel, there are no constraints on what identity you
assert in your TLS certificates; you can use anything you want.  Identity is
handled by the transporting protocol.

* If it wasn't, however, you have to have use certificate that asserts
either a) the host in your SDP c= line (which can be either an IP address or
host name), or b) a URI representing the protocol transporting the SDP
(which in practice usually means a SIP URI).

* For self-signed certificates sent un-authenticated, you can use SSH
"leap-of-faith" mode: you warn the user if you've never seen a certificate
before for a given identity, or if the certificate you got for an identity
is different from the one you have cached.  This means that once you've
communicated with someone, you can be sure no one's launching a
man-in-the-middle on you in the future.  It does, however, present usability
problems when someone has to change their cert.

* For SIP, if the unauthenticated cert you get (whether or not self-signed)
doesn't reflect the AoR of the party you initially contacted, the user is
again warned and user confirmation is requested.  (This applies whether it's
a different AoR, a device URI, or a hostname/IP address.)


This last point is the tricky one.  The goal here is that if you were trying
to reach sip:alice@example.com, and you get a cert asserting the identity
sip:bob@example.com, this could be a problem, and only a human can usefully
determine whether it is or not.

Of course, given that the initial user of comedia-TLS will be BFCP, for
which at least one side is an automated system without a human in the loop,
it's not entirely clear how practical this requirement will be.  But the
alternative leaves you vulnerable to hostile or subverted sip proxy servers.

The other question is whether it's worthwhile to say that single-hop sips
connections should count as end-to-end integrity-protected.  On the one
hand, they are; on the other hand, allowing certain operational modes for
single-hop but not multi-hop SIP seems like a bad idea, and it would break
in the face of third-party call control and other back-to-back UAs.

Do people have alternate suggestions, or thoughts on better solutions?  I
note that these requirements are strictly more lenient than the protocol
mode which got through WGLC.

-- 
Jonathan Lennox
lennox@cs.columbia.edu

_______________________________________________
mmusic mailing list
mmusic@ietf.org
https://www1.ietf.org/mailman/listinfo/mmusic

v2.23.0 | Report a Bug | By Email