Re: [MMUSIC] WGLC on draft-ietf-mmusic-sdp-uks-03

Magnus Westerlund <magnus.westerlund@ericsson.com> Wed, 16 January 2019 12:31 UTC

From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: Flemming Andreasen <fandreas@cisco.com>, mmusic <mmusic@ietf.org>
CC: "draft-ietf-mmusic-sdp-uks@ietf.org" <draft-ietf-mmusic-sdp-uks@ietf.org>
Date: Wed, 16 Jan 2019 12:31:47 +0000
Message-ID: <DB7PR07MB4988216B696D0E69ED14D5F095820@DB7PR07MB4988.eurprd07.prod.outlook.com>
References: <ec74675d-c576-f728-0481-c9488fb13beb@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/Gdzi7BH4oPcNw4GQUxWBTpElfDY>

Hi,

I have reviewed this document and I don't think this is yet ready for publication. There appear to be issues that appear to question the possibility of interoperable implementation.

1. Section 3.2:

   The "extension_data" for the "external_id_hash" extension contains a
   "ExternalIdentityHash" struct, described below using the syntax
   defined in [TLS13]:

I assume it is the presentation language in Section 3 of RFC 8446 that you are referring to? Can you be a bit more explicit in the reference to point to the actual section?

2. Section 3.2:

   "A WebRTC identity assertion is provided as a JSON [JSON] object that
   is encoded into a JSON text."

That doesn't match what is written in Sections 7.4 and 7.4.1 of draft-ietf-rtcweb-security-arch-17.

What is provided as JSON is the fingerprint, not the identity assertion (see 7.4).

What 7.4.1 says about identity assertions is:


   Once an IdP has generated an assertion, it is attached to the SDP
   offer/answer message.  This is done by adding a new 'identity'
   attribute to the SDP.  The sole contents of this value are a
   Base64-encoded [RFC4648] identity assertion.

Thus, they appear to be only Base64 encoded binary blobs.

3. Section 3.2:

   "The SDP "identity" attribute includes the base64 [BASE64] encoding of
   the same octets that were input to the hash."

I don't understand this sentence. What was included into which hash? Please rewrite it to be descriptive of which information to retrieve, or at least be explicit in referencing the relevant component of the identity attribute.

Can you also be more explicit that the SDP "identity" attribute is defined in draft-ietf-rtcweb-security-arch?

4. Section 3.2:

   "The "external_id_hash"
   extension is validated by performing base64 decoding on the value of
   the SDP "identity" attribute, hashing the resulting octets using SHA-
   256, and comparing the results with the content of the extension."

To my understanding, the binary blob that is Base64 encoded and put in the SDP Identity attribute, after the IdP has taken the fingerprint and the user identity assertion, is IdP specific and really a binary blob that only the IdP specific validator can check. So why is the validation of a binary blob done on the binary blob rather than on the base64 encoding? Risk of non-canonical encoding? I don't quite see that, as the IdP will produce the assertion and even the base64 encoding happens once before being provided in SDP, and thus the hash can be run on the Base64.

5. Section 3.2:

   "Where a PASSPoRT is used, the compact form of the PASSPoRT MUST be
   expanded into the full form.  The base64 encoding used in the
   Identity (or 'y') header field MUST be decoded then used as input to
   SHA-256."

Also here there appears to be some mismatch with what RFC 8224 defines as a full PASSporT object. See Section 4.1 of RFC 8224:

  After these two JSON objects, the header and the payload, have been
   constructed and base64-encoded, they must each be hashed and signed
   per [RFC8225], Section 6.  The header, payload, and signature
   components comprise a full PASSporT object.

6. As currently written, but questioned above: if the object to hash is a JSON object, is the delimitation of the object given, such that one knows whether any final CRLF is to be included or not?

7. Section 3.2:

   "Identity bindings in either form might be provided by only one peer.
   An endpoint that does not produce an identity binding MUST generate
   an empty "external_id_hash" extension in its ClientHello."

What is an empty "external_id_hash" extension? Is that with 0 bytes of hash data?

Cheers

Magnus



On 2019-01-07 15:09, Flemming Andreasen wrote:
Greetings MMUSIC

This is to announce a 2 week WGLC on the draft:

    https://www.ietf.org/id/draft-ietf-mmusic-sdp-uks-03.txt

as Proposed Standard. Please review and provide any comments you may have on the document by Monday, January 21, 2019. Comments should be sent to the document authors and the MMUSIC WG list. If you review the document but do not have any comments, please send a note to that effect as well.

Thanks

-- Flemming (MMUSIC co-chair)


--

Magnus Westerlund

----------------------------------------------------------------------
Network Architecture & Protocols, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
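Points 4 and 7 of the review above concern how the "external_id_hash" extension is validated and what an empty extension means. The following Python is added here by the editor; it is not code from the draft or from anyone in the thread. It implements the validation as the quoted draft text describes it (Base64-decode the SDP "identity" value, SHA-256 the octets, compare) and uses a constructed sample value to show the difference between hashing the decoded octets and hashing the Base64 text when a non-canonical encoding of the same octets appears. All names and the sample value are the editor's assumptions.

```python
import base64
import binascii
import hashlib
import hmac

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed sample standing in for the opaque IdP-produced assertion that
# an SDP "identity" attribute carries Base64-encoded; it is not a real assertion.
SAMPLE_ASSERTION = b'{"assertion":"constructed-sample"}'
SAMPLE_IDENTITY_B64 = base64.b64encode(SAMPLE_ASSERTION).decode("ascii")


def external_id_hash(identity_attr_value: str) -> bytes:
    """Compute the extension content as the quoted draft text describes:
    Base64-decode the SDP "identity" value, then SHA-256 the octets."""
    octets = base64.b64decode(identity_attr_value, validate=True)
    return hashlib.sha256(octets).digest()


def text_hash(identity_attr_value: str) -> bytes:
    """The alternative raised in point 4: hash the Base64 text itself."""
    return hashlib.sha256(identity_attr_value.encode("ascii")).digest()


def validate_external_id_hash(identity_attr_value: str, extension_data: bytes) -> bool:
    """Check a received extension against the local SDP "identity" value.
    A 0-byte extension is read as "this peer produced no identity binding"
    (one reading of the draft's "empty" extension, questioned in point 7)."""
    if len(extension_data) == 0:
        return True
    if len(extension_data) != hashlib.sha256().digest_size:
        return False
    try:
        expected = external_id_hash(identity_attr_value)
    except (binascii.Error, ValueError):
        return False
    return hmac.compare_digest(expected, extension_data)


def noncanonical_variant(b64: str) -> str:
    """Return a different Base64 text that lenient decoders map to the same
    octets, by setting an unused trailing bit of the last data character
    (only possible when the value is padded). Shows the point-4 difference."""
    pad = len(b64) - len(b64.rstrip("="))
    if pad == 0:
        raise ValueError("unpadded value has no unused trailing bits")
    idx = len(b64) - pad - 1
    # The low bit of the last data character is unused with "=" and with "==".
    flipped = B64_ALPHABET[B64_ALPHABET.index(b64[idx]) ^ 1]
    return b64[:idx] + flipped + b64[idx + 1:]
```

Running `external_id_hash` and `text_hash` on `SAMPLE_IDENTITY_B64` and on `noncanonical_variant(SAMPLE_IDENTITY_B64)` gives equal digests for the first and different digests for the second, which is the encoding-sensitivity the review asks about.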