Re: [MMUSIC] WGLC on draft-ietf-mmusic-dtls-sdp-06.txt

Christer Holmberg <christer.holmberg@ericsson.com> Wed, 24 February 2016 23:48 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Martin Thomson <martin.thomson@gmail.com>, Paul Kyzivat <pkyzivat@alum.mit.edu>
Date: Wed, 24 Feb 2016 23:48:26 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B37E4061F@ESESSMB209.ericsson.se>
In-Reply-To: <CABkgnnUMwweQ0GTsdbvMd9ZJ9vcO5FdMAzZQ-7gW_ukiGyp47A@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/mmusic/ZTT4_bTnlVUZ97fTdDE8szZMzos>
Cc: Jonathan Lennox <jonathan@vidyo.com>, "mmusic@ietf.org" <mmusic@ietf.org>
Subject: Re: [MMUSIC] WGLC on draft-ietf-mmusic-dtls-sdp-06.txt

Hi Martin,

...

> However, I see this:
>
>   Endpoints MUST support SHA-256 for generating and verifying the
>   fingerprint value associated with the DTLS association.  The use of
>   SHA-256 is preferred.
>
> Which doesn't mention that this requires an update of 4572.

I do agree that it would make sense to mandate support of the same ciphers for both TLS and DTLS (assuming that is the reason you think a 4572 update is needed), but I wonder whether such a change is within the scope of this draft.  Having said that, though, I have no problem making such an update in draft-dtls-sdp, if people think we should do it... :)

(The background to mandating support of SHA-256 was when we did RFC 7345. The security folks required it during the IESG review.)

------------------

> And this:
>
>   The certificate received during the DTLS handshake MUST match the
>   fingerprint received in the SDP "fingerprint" attribute.
>
> Which should say '*a* fingerprint', to allow for there being multiple.

Correct. In an earlier reply I told Paul I would modify the text to make sure it allows multiple attributes. This also applies to your subsequent comments on the same issue.

However, Paul is also looking for the semantics of using multiple fingerprints.

------------------

> I also see:
>
>   The subjectAltName is not an important component of the certificate
>   verification.
>
> Which is true but insufficient; the text can simply say that the certificate is only a receptacle for a public key and authentication is tied to an a=fingerprint line in the SDP.

Could you suggest the exact text change?

Thanks!

Regards,

Christer
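As an added illustration of the matching rule discussed in this message (the DTLS certificate must match *a* fingerprint when several a=fingerprint attributes are present, with SHA-256 mandatory to support), here is example code that is not part of the thread or of draft-ietf-mmusic-dtls-sdp. It assumes the RFC 4572 fingerprint format (hash function name, then upper-case hex bytes separated by colons, computed over the certificate's DER encoding); the certificate bytes and SDP fragment are constructed stand-ins.

```python
import hashlib
import hmac
import re

# a=fingerprint hash names (RFC 4572 style) mapped to the hashlib algorithm that computes them.
# SHA-256 is the one every endpoint must support; the others are optional extras.
SUPPORTED_HASHES = {
    "sha-1": "sha1", "sha-224": "sha224", "sha-256": "sha256",
    "sha-384": "sha384", "sha-512": "sha512",
}

# One a=fingerprint line: "a=fingerprint:<hash-func> <XX:XX:...:XX>"
_FP_RE = re.compile(r"^a=fingerprint:\s*([A-Za-z0-9-]+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)\s*$")


def parse_fingerprints(sdp: str):
    """Return (hash_func, fingerprint) for every a=fingerprint line in the SDP.

    Unknown hash functions are kept so the caller decides how to treat them.
    """
    found = []
    for line in sdp.splitlines():
        m = _FP_RE.match(line.strip())
        if m:
            found.append((m.group(1).lower(), m.group(2).upper()))
    return found


def cert_fingerprint(cert_der: bytes, hash_func: str) -> str:
    """Fingerprint of a certificate: digest of its DER encoding as colon-separated upper-case hex."""
    digest = hashlib.new(SUPPORTED_HASHES[hash_func], cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def cert_matches_sdp(cert_der: bytes, sdp: str) -> bool:
    """True if the certificate presented in the DTLS handshake matches at least one
    fingerprint the peer signalled in SDP.

    Attributes using a hash function this endpoint cannot compute are skipped; if no
    usable attribute matches, the certificate is not bound to the signalling and fails.
    """
    for hash_func, expected in parse_fingerprints(sdp):
        if hash_func not in SUPPORTED_HASHES:
            continue
        if hmac.compare_digest(cert_fingerprint(cert_der, hash_func), expected):
            return True
    return False


# Constructed sample: stand-in bytes for a DER-encoded certificate, not a real certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))

# Constructed SDP fragment offering two fingerprints (sha-256 and sha-1) for the same certificate.
SAMPLE_SDP = "\n".join([
    "m=audio 49170 UDP/TLS/RTP/SAVP 0",
    "a=fingerprint:sha-256 " + cert_fingerprint(SAMPLE_CERT_DER, "sha-256"),
    "a=fingerprint:sha-1 " + cert_fingerprint(SAMPLE_CERT_DER, "sha-1"),
    "a=setup:actpass",
])
```

Note that nothing in the check looks at subjectAltName or any other certificate field: the certificate is only a carrier for the public key, and the binding to the peer comes entirely from the fingerprint in the signalling.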