Re: [MMUSIC] Review of draft-ietf-mmusic-udptl-dtls-03
"Adam Gensler (agensler)" <agensler@cisco.com> Fri, 31 January 2014 17:09 UTC
Return-Path: <agensler@cisco.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 115EE1A0416 for <mmusic@ietfa.amsl.com>; Fri, 31 Jan 2014 09:09:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.036
X-Spam-Level:
X-Spam-Status: No, score=-10.036 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id clR3MHOmet4U for <mmusic@ietfa.amsl.com>; Fri, 31 Jan 2014 09:09:56 -0800 (PST)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) by ietfa.amsl.com (Postfix) with ESMTP id 8CB1D1A0367 for <mmusic@ietf.org>; Fri, 31 Jan 2014 09:09:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4356; q=dns/txt; s=iport; t=1391188193; x=1392397793; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=M4fSxyXxVGqlo2lAK973Qdbq7GvXQysndh+l5iQSb+8=; b=jvJawa9Kj38ECAhREyMjRDWT3/tevoQpyJiQNpmsBAJ4/qQ/09d2IClU w+gChN42rl6AIkTS9oVh9XZrX5B8sdsTS87IluXqV+0kXaY6579MRCA2E 5kRDpBwN0fc+4vGJ7Qu4/bSaq625g7XguE1gWaa8+Ry9upC4lKyCTp22w U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgMFAEDY61KtJV2c/2dsb2JhbABZgww4V704gQwWdIIlAQEBAwE6PxACAQg2EDIlAgQBDQWHfQgNzHAXjwIHhDgElEKDaIEykG+DLYIq
X-IronPort-AV: E=Sophos;i="4.95,758,1384300800"; d="scan'208";a="17036093"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by alln-iport-7.cisco.com with ESMTP; 31 Jan 2014 17:09:52 +0000
Received: from xhc-rcd-x02.cisco.com (xhc-rcd-x02.cisco.com [173.37.183.76]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id s0VH9qJ2021523 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 31 Jan 2014 17:09:52 GMT
Received: from xmb-aln-x05.cisco.com ([169.254.11.32]) by xhc-rcd-x02.cisco.com ([173.37.183.76]) with mapi id 14.03.0123.003; Fri, 31 Jan 2014 11:09:52 -0600
From: "Adam Gensler (agensler)" <agensler@cisco.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>, "Gonzalo Salgueiro (gsalguei)" <gsalguei@cisco.com>
Thread-Topic: Review of draft-ietf-mmusic-udptl-dtls-03
Thread-Index: AQHPF6Z7X1rBlQF7JUm0AYYGqOYxvZqRgxMAgAn+m0CAA65LAA==
Date: Fri, 31 Jan 2014 17:09:51 +0000
Message-ID: <CF114214.4DD5%agensler@cisco.com>
References: <CEFF0353.44C3%agensler@cisco.com> <A3B5E35A-BE7B-41F2-84C6-BF4565772A95@cisco.com> <7594FB04B1934943A5C02806D1A2204B1D148F76@ESESSMB209.ericsson.se>
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B1D148F76@ESESSMB209.ericsson.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [10.150.21.213]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <CA52B497ADF8B349919F55AF9488A662@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Fri, 31 Jan 2014 09:21:53 -0800
Cc: mmusic <mmusic@ietf.org>
Subject: Re: [MMUSIC] Review of draft-ietf-mmusic-udptl-dtls-03
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jan 2014 17:11:38 -0000
Christer, Sorry for the delay, I've been offline for a few days. See inline with [adam]: On 1/29/14, 4:58 AM, "Christer Holmberg" <christer.holmberg@ericsson.com> wrote: >Hi Adam, > >Again, thanks for your review! See my comments inline. > >> After speaking with Gonzalo I've reviewed >>draft-ietf-mmusic-udptl-dtls-03. >> Overall this draft is excellent and appears to cover all the corner >> cases I could think of. I do have a few comments, see below: >> >> 1. In section 3.1, secure channel establishment, there is the >> following text: >> >> "If the endpoint supports, and is willing to use, a cipher suite with >> an associated certificate, it MUST include an SDP fingerprint >> attribute [RFC4572 <http://tools.ietf.org/html/rfc4572>] in the SDP." >> >> "If a cipher suite with an associated certificate is selected during >> the DTLS handshake, the certificate received during the DTLS handshake >> MUST match the fingerprint received in the SDP fingerprint attribute." >> >> To me this seems to indicate the particular cipher suites are >> associated with a particular certificate. While it's true that the >> certificate plays a role in overall TLS negotiation, it does not >> provide a list of ciphers to use. > >The intention of the text is NOT to indicate that a particular cipher >suites are associated with a particular certificate. > >> I think what this is saying is that >> if the client wishes to use a certificate for DTLS it should provide a >> certificate fingerprint. Is that right? > >Only if the cipher suite has an associated certificate. > >But, e.g. a PSK based cipher suite (RFC4279) has no associated >certificate and thus there is no point of indicating certificate >fingerprint for PSK based cipher suite. > >> Given the overall complexity of PKI in general I think being extra >>clear here would help avoid any confusion. > >We did spend quite a bit of time on this part of the text, and I can't >see what modifications I should do in order to make it more clear. > >------------------------ [adam] Thanks for the clarification here. Given this extra context I agree and I'm not sure how to adjust this any further. > >> 2. Section 4.1 describes handling anonymous faxes with freshly >> generated self-signed certificates. It goes on to say: >> >> "...and the content of the subjectAltName attribute inside the >> certificate MUST NOT contain information that either allows >> correlation or identification of the user making anonymous calls." >> >> While the subjectAltName could potentially have identifiable data in >> it, it is not always present as a field within the certificate. Some >> certificates may have a subjectAltName, some may not. However, all >> certificates should have a commonName. I think that is the item that >> should be specifically called out as a place to avoid identifiable >> information. Or, perhaps, simply stipulating that no fields within the >> certificate should contain identifiable information. > >That's a good point. > >What about something like: > > "...and attributes inside the certificate SHALL NOT >contain information that either allows correlation or > identification of the user making anonymous calls. This >is particularly important for the subjectAltName > and commonName attributes" > >------------------------ [adam] This sounds good to me. > >> 3. Section 4.3 describes rekeying a connection that is established. >> The DTLS RFC describes how to handle this, but gives two options to an >> endpoint where out-of-order packets are received that have been >> encrypted with different keys; discard the packet, or, retain two sets >> of keying material for some recommended interval. DTLS is not specific >> as to what to do here. Section 4.3 says the receiver SHOULD maintain >> the keying material. Given the nature of T.38, I think it may be >> prudent to say the receiver MUST maintain the keying material. >> Dropping and/or discarding >> T.38 packets would never be my preference. > >We can change it to MUST. > >------------------------ [adam] Perfect, I think that will help avoid any confusion around this, should the situation occur. > >Regards, > >Christer > >
- Re: [MMUSIC] Review of draft-ietf-mmusic-udptl-dt… Gonzalo Salgueiro (gsalguei)
- Re: [MMUSIC] Review of draft-ietf-mmusic-udptl-dt… Christer Holmberg
- Re: [MMUSIC] Review of draft-ietf-mmusic-udptl-dt… Christer Holmberg
- Re: [MMUSIC] Review of draft-ietf-mmusic-udptl-dt… Adam Gensler (agensler)
- Re: [MMUSIC] Review of draft-ietf-mmusic-udptl-dt… Christer Holmberg