Re: [MMUSIC] 4572 update: forbid weak hashes?

Roman Shpount <roman@telurix.com> Thu, 07 April 2016 14:36 UTC

To: Christer Holmberg <christer.holmberg@ericsson.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/mmusic/X6hX_Sn2JFspK8bQ3hf8RGFAnKk>
Cc: Jonathan Lennox <jonathan@vidyo.com>, mmusic <mmusic@ietf.org>

On Thu, Apr 7, 2016 at 10:08 AM, Christer Holmberg <christer.holmberg@ericsson.com> wrote:

> I'd have to double check the MMUSIC minutes, but if I remember correctly
> people did not want to check multiple hashes (point 2).
>

You should check all the hashes you consider secure, and if any one of them
matches the DTLS association certificate, accept the media.

It cannot be the strongest hash or all the hashes that must match.
Either of those things is too restrictive and can break some scenarios.
Just as an example, consider that RTP and RTCP can come from two different
sources (devices) which will use different DTLS associations for each
component, use different certificates, and potentially support different
sets of hash functions. Because of this, the fact that the RTP device supports
SHA-256 does not mean that RTCP will use it or support it.

Regards,
_____________
Roman Shpount
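
The matching rule described in the message above, as an added example that is not part of the original e-mail: every a=fingerprint line whose hash is in the local policy is checked, and the first match accepts the certificate. The policy set, the function names and the sample certificate bytes are assumptions constructed for this illustration.

```python
import hashlib
import hmac

# Local policy (assumption of this example): hashes this endpoint considers secure.
SECURE_HASHES = {"sha-256": hashlib.sha256, "sha-384": hashlib.sha384,
                 "sha-512": hashlib.sha512}

def parse_fingerprints(sdp_text):
    """Return [(hash_name, digest_bytes)] for every a=fingerprint line."""
    found = []
    for line in sdp_text.splitlines():
        line = line.strip()
        if not line.lower().startswith("a=fingerprint:"):
            continue
        fields = line.split(":", 1)[1].split()
        if len(fields) != 2:
            continue  # malformed attribute
        try:
            digest = bytes.fromhex(fields[1].replace(":", ""))
        except ValueError:
            continue  # fingerprint value is not valid hex
        found.append((fields[0].lower(), digest))
    return found

def certificate_accepted(sdp_text, cert_der):
    """True if any fingerprint using a secure hash matches the presented cert."""
    for name, offered in parse_fingerprints(sdp_text):
        hash_fn = SECURE_HASHES.get(name)
        if hash_fn is None:
            continue  # weak or unknown hash: never counts as a match
        if hmac.compare_digest(hash_fn(cert_der).digest(), offered):
            return True
    return False

def fingerprint_line(name, cert_der):
    """Helper for the constructed samples: build an a=fingerprint line."""
    digest = hashlib.new(name.replace("-", ""), cert_der).digest()
    return "a=fingerprint:%s %s" % (name, digest.hex(":").upper())

# Constructed stand-ins for two DER certificates (not real certificates).
RTP_CERT = b"constructed-rtp-device-certificate"
RTCP_CERT = b"constructed-rtcp-device-certificate"

# One media description listing both devices' fingerprints, each under a different hash.
SPLIT_SDP = "\n".join([fingerprint_line("sha-256", RTP_CERT),
                       fingerprint_line("sha-512", RTCP_CERT)])
# A description offering only a hash outside the local policy.
WEAK_SDP = fingerprint_line("sha-1", RTP_CERT)
```

With SPLIT_SDP, both the RTP and the RTCP certificate are accepted even though neither matches every listed fingerprint; with WEAK_SDP the certificate is rejected because the only matching fingerprint uses a hash outside the policy.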