IETF Logo Mail Archive

Re: [MMUSIC] WGLC on draft-ietf-mmusic-dtls-sdp-06.txt

Jonathan Lennox <jonathan@vidyo.com> Thu, 25 February 2016 19:23 UTC

Return-Path: <prvs=68637bd80d=jonathan@vidyo.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D36191B327D for <mmusic@ietfa.amsl.com>; Thu, 25 Feb 2016 11:23:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.896
X-Spam-Level:
X-Spam-Status: No, score=-0.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_111=0.6, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=0.77, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 97j9tzw0aTYV for <mmusic@ietfa.amsl.com>; Thu, 25 Feb 2016 11:23:32 -0800 (PST)
Received: from mx0a-00198e01.pphosted.com (mx0a-00198e01.pphosted.com [67.231.149.202]) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC59E1B3285 for <mmusic@ietf.org>; Thu, 25 Feb 2016 11:23:31 -0800 (PST)
Received: from pps.filterd (m0073109.ppops.net [127.0.0.1]) by mx0a-00198e01.pphosted.com (8.15.0.59/8.15.0.59) with SMTP id u1PJMitl002570; Thu, 25 Feb 2016 14:23:26 -0500
Received: from mail.vidyo.com ([162.209.16.214]) by mx0a-00198e01.pphosted.com with ESMTP id 214cqcw2s3-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 25 Feb 2016 14:23:26 -0500
Received: from 492132-EXCH1.vidyo.com ([fe80::50:56ff:fe85:4f77]) by 492133-EXCH2.vidyo.com ([fe80::50:56ff:fe85:6b62%13]) with mapi id 14.03.0195.001; Thu, 25 Feb 2016 13:23:25 -0600
From: Jonathan Lennox <jonathan@vidyo.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Thread-Topic: [MMUSIC] WGLC on draft-ietf-mmusic-dtls-sdp-06.txt
Thread-Index: AQHRb0MX6bWTp5bg6UyLiWt52o6bVp88DisAgAAH8ACAAAnHAIAABB4AgAEoAACAADa0gIAAAJGAgAAFc4CAAAFWAA==
Date: Thu, 25 Feb 2016 19:23:24 +0000
Message-ID: <8C8A7D25-BFB2-488C-B335-7FC531A68EF8@vidyo.com>
References: <56B4CDCF.4080100@cisco.com> <56CA320D.9050306@cisco.com> <7594FB04B1934943A5C02806D1A2204B37E389BF@ESESSMB209.ericsson.se> <56CCBE6A.7090709@alum.mit.edu> <7594FB04B1934943A5C02806D1A2204B37E3E3AB@ESESSMB209.ericsson.se> <56CDE4FB.6090002@alum.mit.edu> <7594FB04B1934943A5C02806D1A2204B37E400B7@ESESSMB209.ericsson.se> <56CE145F.5090903@alum.mit.edu> <7594FB04B1934943A5C02806D1A2204B37E4013D@ESESSMB209.ericsson.se> <CABkgnnU2kswQBH=qr6M+wXK8txH4=wA3PLFmTZtZf62KdggNfQ@mail.gmail.com> <56CE24DE.6090300@alum.mit.edu> <CABkgnnUMwweQ0GTsdbvMd9ZJ9vcO5FdMAzZQ-7gW_ukiGyp47A@mail.gmail.com> <0EF1AF5F-3AB7-4251-A2C7-C3EF423E917E@vidyo.com> <CAD5OKxtVyxE=udiSS2qe_kaGS6Lcwum2iNBY+wOSJ3c60CmzxQ@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B37E442FF@ESESSMB209.ericsson.se> <7594FB04B1934943A5C02806D1A2204B37E443A4@ESESSMB209.ericsson.se>
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B37E443A4@ESESSMB209.ericsson.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [160.79.219.114]
Content-Type: multipart/alternative; boundary="_000_8C8A7D25BFB2488CB3357FC531A68EF8vidyocom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.15.21, 1.0.33, 0.0.0000 definitions=2016-02-25_08:2016-02-25,2016-02-25,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1601100000 definitions=main-1602250248
Archived-At: <http://mailarchive.ietf.org/arch/msg/mmusic/hJpW7rxXI_FeTXIYZqzx1ruT2Jc>
Cc: Paul Kyzivat <pkyzivat@alum.mit.edu>, mmusic <mmusic@ietf.org>
Subject: Re: [MMUSIC] WGLC on draft-ietf-mmusic-dtls-sdp-06.txt
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2016 19:23:35 -0000

On Feb 25, 2016, at 2:18 PM, Christer Holmberg <christer.holmberg@ericsson.com<mailto:christer.holmberg@ericsson.com>> wrote:

Hi,

Personally, I have no problem updating RFC 4572 within draft-ietf-mmusic-dtls-sdp, depending on how big the update would be.

The currently identified potential updates are:

1)      Define the semantics of associating multiple SDP ‘fingerprint’ attributes with an “m=” line.
2)      Update the preferred cipher suite in order to align with DTLS (SHA-1 -> SHA-256).

Another potential update would be to remove (or relax) the requirement that the fingerprint use the same hash algorithm as the certificate.  This seems like a necessary corollary to 1), but is also useful on its own.

Regarding 1), I’d be happy if someone could commit to providing text (even if it is simply copying something from Martin’s draft). Also, is it enough to update section 5 of RFC 4572, or do we need to update some other sections too?

Regards,

Christer

From: mmusic [mailto:mmusic-bounces@ietf.org] On Behalf Of Christer Holmberg
Sent: 25 February 2016 20:59
To: Roman Shpount <roman@telurix.com<mailto:roman@telurix.com>>; Jonathan Lennox <jonathan@vidyo.com<mailto:jonathan@vidyo.com>>
Cc: mmusic <mmusic@ietf.org<mailto:mmusic@ietf.org>>; Paul Kyzivat <pkyzivat@alum.mit.edu<mailto:pkyzivat@alum.mit.edu>>
Subject: Re: [MMUSIC] WGLC on draft-ietf-mmusic-dtls-sdp-06.txt

3. Write a separate draft that updates 4572.

Regards,

Christer

From: Roman Shpount [mailto:roman@telurix.com]
Sent: 25 February 2016 20:57
To: Jonathan Lennox <jonathan@vidyo.com<mailto:jonathan@vidyo.com>>
Cc: Martin Thomson <martin.thomson@gmail.com<mailto:martin.thomson@gmail.com>>; mmusic <mmusic@ietf.org<mailto:mmusic@ietf.org>>; Paul Kyzivat <pkyzivat@alum.mit.edu<mailto:pkyzivat@alum.mit.edu>>; Christer Holmberg <christer.holmberg@ericsson.com<mailto:christer.holmberg@ericsson.com>>
Subject: Re: [MMUSIC] WGLC on draft-ietf-mmusic-dtls-sdp-06.txt

There are two options possible here:

1. Make current draft-ietf-mmusic-dtls-sdp draft update 4572 and cover TLS as well, essentially making it draft-ietf-mmusic-tls-and-dtls-sdp

2. Limit the scope of draft-ietf-mmusic-dtls-sdp to DTLS only. Completely define how setup and fingerprint attributes are used there for DTLS only. Let some future draft update RFC 4572.

What is the preference here given that either option will require another major edit for draft-ietf-mmusic-dtls-sdp?

Regards,

_____________
Roman Shpount

On Thu, Feb 25, 2016 at 10:41 AM, Jonathan Lennox <jonathan@vidyo.com<mailto:jonathan@vidyo.com>> wrote:
I can certainly agree that 4572 could use an update. I didn’t completely understand what I was doing when I wrote it; in particular, the idea that the certificate was just a repository for the public key wasn’t something I had completely grasped, and the hash agility was confused.

> On Feb 24, 2016, at 5:01 PM, Martin Thomson <martin.thomson@gmail.com<mailto:martin.thomson@gmail.com>> wrote:
>
> On 24 February 2016 at 13:47, Paul Kyzivat <pkyzivat@alum.mit.edu<mailto:pkyzivat@alum.mit.edu>> wrote:
>> If we are going to make normative references to multiple fingerprints we
>> need some place authoritative to reference for the details.
>
> I recommend judicious use of copy and paste.  Feel free to steal text
> that I wrote.
>
> FWIW, my reading of 4572 is that it permits multiple fingerprints: one
> for each certificate that might be used.  Its failing is that a) it
> doesn't allow for hash agility, and b) it's unclear, perhaps in the
> extreme.
>
> However, I see this:
>
>   Endpoints MUST support SHA-256 for generating and verifying the
>   fingerprint value associated with the DTLS association.  The use of
>   SHA-256 is preferred.
>
> Which doesn't mention that this requires an update of 4572.
>
> And this:
>
>   The certificate received during the DTLS handshake MUST match the
>   fingerprint received in the SDP "fingerprint" attribute.
>
> Which should say '*a* fingerprint', to allow for there being multiple.
>
> And this:
>
>   [...]  In addition, the offerer
>   MUST insert an SDP 'setup' attribute according to the procedures in
>   [RFC4145], and an SDP 'fingerprint' attribute according to the
>   procedures in [RFC4572], in the offer.
>
> Which doesn't deal with multiple certificates.
>
> I also see:
>
>   The
>   subjectAltName is not an important component of the certificate
>   verification.
>
> Which is true but insufficient; the text can simply say that the
> certificate is only a receptacle for a public key and authentication
> is tied to an a=fingerprint line in the SDP.
>
> And this:
>
>   This offer includes, as part of the SDP payload, the fingerprint of
>   the certificate that the endpoint wants to use.  The endpoint SHOULD
>
> Which should be plural fingerprint*s*.
>
> The pattern repeats throughout.

_______________________________________________
mmusic mailing list
mmusic@ietf.org<mailto:mmusic@ietf.org>
https://www.ietf.org/mailman/listinfo/mmusic

v2.23.0 | Report a Bug | By Email