IETF Logo Mail Archive

Re: [MMUSIC] WGLC on draft-ietf-mmusic-dtls-sdp-06.txt

Jonathan Lennox <jonathan@vidyo.com> Thu, 25 February 2016 15:41 UTC

Return-Path: <prvs=68637bd80d=jonathan@vidyo.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C66C11B2B07 for <mmusic@ietfa.amsl.com>; Thu, 25 Feb 2016 07:41:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.897
X-Spam-Level:
X-Spam-Status: No, score=-0.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_111=0.6, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QvRVzDlkvRC7 for <mmusic@ietfa.amsl.com>; Thu, 25 Feb 2016 07:41:26 -0800 (PST)
Received: from mx0a-00198e01.pphosted.com (mx0a-00198e01.pphosted.com [67.231.149.202]) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F415C1B2ABC for <mmusic@ietf.org>; Thu, 25 Feb 2016 07:41:25 -0800 (PST)
Received: from pps.filterd (m0073109.ppops.net [127.0.0.1]) by mx0a-00198e01.pphosted.com (8.15.0.59/8.15.0.59) with SMTP id u1PFfKWM018560; Thu, 25 Feb 2016 10:41:20 -0500
Received: from mail.vidyo.com ([162.209.16.214]) by mx0a-00198e01.pphosted.com with ESMTP id 214cqcvwvk-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 25 Feb 2016 10:41:19 -0500
Received: from 492132-EXCH1.vidyo.com ([fe80::50:56ff:fe85:4f77]) by 492133-EXCH2.vidyo.com ([fe80::50:56ff:fe85:6b62%13]) with mapi id 14.03.0195.001; Thu, 25 Feb 2016 09:41:19 -0600
From: Jonathan Lennox <jonathan@vidyo.com>
To: Martin Thomson <martin.thomson@gmail.com>
Thread-Topic: [MMUSIC] WGLC on draft-ietf-mmusic-dtls-sdp-06.txt
Thread-Index: AQHRb0MX6bWTp5bg6UyLiWt52o6bVp88DisAgAAH8ACAAAnHAIAABB4AgAEoAAA=
Date: Thu, 25 Feb 2016 15:41:18 +0000
Message-ID: <0EF1AF5F-3AB7-4251-A2C7-C3EF423E917E@vidyo.com>
References: <56B4CDCF.4080100@cisco.com> <56CA320D.9050306@cisco.com> <7594FB04B1934943A5C02806D1A2204B37E389BF@ESESSMB209.ericsson.se> <56CCBE6A.7090709@alum.mit.edu> <7594FB04B1934943A5C02806D1A2204B37E3E3AB@ESESSMB209.ericsson.se> <56CDE4FB.6090002@alum.mit.edu> <7594FB04B1934943A5C02806D1A2204B37E400B7@ESESSMB209.ericsson.se> <56CE145F.5090903@alum.mit.edu> <7594FB04B1934943A5C02806D1A2204B37E4013D@ESESSMB209.ericsson.se> <CABkgnnU2kswQBH=qr6M+wXK8txH4=wA3PLFmTZtZf62KdggNfQ@mail.gmail.com> <56CE24DE.6090300@alum.mit.edu> <CABkgnnUMwweQ0GTsdbvMd9ZJ9vcO5FdMAzZQ-7gW_ukiGyp47A@mail.gmail.com>
In-Reply-To: <CABkgnnUMwweQ0GTsdbvMd9ZJ9vcO5FdMAzZQ-7gW_ukiGyp47A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [160.79.219.114]
Content-Type: text/plain; charset="utf-8"
Content-ID: <F2D27CB9EBDD9B4FAA334EE94B2D2635@vidyo.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.15.21, 1.0.33, 0.0.0000 definitions=2016-02-25_05:2016-02-25,2016-02-25,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1601100000 definitions=main-1602250221
Archived-At: <http://mailarchive.ietf.org/arch/msg/mmusic/OaqsCuet1x-P7yDBJPQEJXZrFGE>
Cc: mmusic <mmusic@ietf.org>, Paul Kyzivat <pkyzivat@alum.mit.edu>, Christer Holmberg <christer.holmberg@ericsson.com>
Subject: Re: [MMUSIC] WGLC on draft-ietf-mmusic-dtls-sdp-06.txt
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2016 15:41:26 -0000

I can certainly agree that 4572 could use an update. I didn’t completely understand what I was doing when I wrote it; in particular, the idea that the certificate was just a repository for the public key wasn’t something I had completely grasped, and the hash agility was confused.

> On Feb 24, 2016, at 5:01 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On 24 February 2016 at 13:47, Paul Kyzivat <pkyzivat@alum.mit.edu> wrote:
>> If we are going to make normative references to multiple fingerprints we
>> need some place authoritative to reference for the details.
> 
> I recommend judicious use of copy and paste.  Feel free to steal text
> that I wrote.
> 
> FWIW, my reading of 4572 is that it permits multiple fingerprints: one
> for each certificate that might be used.  Its failing is that a) it
> doesn't allow for hash agility, and b) it's unclear, perhaps in the
> extreme.
> 
> However, I see this:
> 
>   Endpoints MUST support SHA-256 for generating and verifying the
>   fingerprint value associated with the DTLS association.  The use of
>   SHA-256 is preferred.
> 
> Which doesn't mention that this requires an update of 4572.
> 
> And this:
> 
>   The certificate received during the DTLS handshake MUST match the
>   fingerprint received in the SDP "fingerprint" attribute.
> 
> Which should say '*a* fingerprint', to allow for there being multiple.
> 
> And this:
> 
>   [...]  In addition, the offerer
>   MUST insert an SDP 'setup' attribute according to the procedures in
>   [RFC4145], and an SDP 'fingerprint' attribute according to the
>   procedures in [RFC4572], in the offer.
> 
> Which doesn't deal with multiple certificates.
> 
> I also see:
> 
>   The
>   subjectAltName is not an important component of the certificate
>   verification.
> 
> Which is true but insufficient; the text can simply say that the
> certificate is only a receptacle for a public key and authentication
> is tied to an a=fingerprint line in the SDP.
> 
> And this:
> 
>   This offer includes, as part of the SDP payload, the fingerprint of
>   the certificate that the endpoint wants to use.  The endpoint SHOULD
> 
> Which should be plural fingerprint*s*.
> 
> The pattern repeats throughout.

v2.23.0 | Report a Bug | By Email