IETF Logo Mail Archive

Re: [MMUSIC] WGLC on draft-ietf-mmusic-dtls-sdp-06.txt

Paul Kyzivat <pkyzivat@alum.mit.edu> Wed, 24 February 2016 21:12 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84A541B2FF3 for <mmusic@ietfa.amsl.com>; Wed, 24 Feb 2016 13:12:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A5nZZKH7p0eh for <mmusic@ietfa.amsl.com>; Wed, 24 Feb 2016 13:12:36 -0800 (PST)
Received: from resqmta-po-07v.sys.comcast.net (resqmta-po-07v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:166]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3900B1B3844 for <mmusic@ietf.org>; Wed, 24 Feb 2016 13:12:32 -0800 (PST)
Received: from resomta-po-13v.sys.comcast.net ([96.114.154.237]) by resqmta-po-07v.sys.comcast.net with comcast id NMCW1s00A57bBgG01MCXgm; Wed, 24 Feb 2016 21:12:31 +0000
Received: from Paul-Kyzivats-MacBook-Pro.local ([73.218.51.154]) by resomta-po-13v.sys.comcast.net with comcast id NMCW1s0083KdFy101MCWMh; Wed, 24 Feb 2016 21:12:30 +0000
To: mmusic@ietf.org
References: <56B4CDCF.4080100@cisco.com> <56CA320D.9050306@cisco.com> <7594FB04B1934943A5C02806D1A2204B37E389BF@ESESSMB209.ericsson.se> <56CCBE6A.7090709@alum.mit.edu> <7594FB04B1934943A5C02806D1A2204B37E3E3AB@ESESSMB209.ericsson.se> <56CDE4FB.6090002@alum.mit.edu> <7594FB04B1934943A5C02806D1A2204B37E400B7@ESESSMB209.ericsson.se> <56CE145F.5090903@alum.mit.edu> <CAD5OKxsUGZRCJack7d2bTZhssh3YSHX=OvyNX_D0GT7+q7Zqnw@mail.gmail.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <56CE1CBD.70504@alum.mit.edu>
Date: Wed, 24 Feb 2016 16:12:29 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <CAD5OKxsUGZRCJack7d2bTZhssh3YSHX=OvyNX_D0GT7+q7Zqnw@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1456348351; bh=Vp1XaMbvA+OmQ7TVlcuZwg3dFuCbbSo323ei1bQrCfw=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=Uc1aEfaPOOGMijzx2aCq5ELB8Pl+OsU1BfeBpj7r4W38lzRUo12PTqVOExbgz5Kl8 xlQNbA98su6waw1xvf6r0m8LDYcuqIk13OInsNbLhRbOMThv7y4vX0ER3QMRw1EQtZ 9tYBwo2M7G5U6eWiDOtHzh2Hv68HAH9Mwmmm7kfV9fvRLQbVvtdo5an+lH+PdaJaRA uHkpi33t7vYt+RqZjkR/HRHDvf21yyelJWrNZAVba7zmEpSJ/CQBkXLPgrLK0S1f9P L0w/csmFcwizTB69IMZ27rxG7R0LXYH36HQ+pDc36MzYOZIpQ/P89Agkt414kU93E+ o4fvceZtBZBoQ==
Archived-At: <http://mailarchive.ietf.org/arch/msg/mmusic/jhfQ9x2fzgpaDuN24ukmwq3qEu0>
Subject: Re: [MMUSIC] WGLC on draft-ietf-mmusic-dtls-sdp-06.txt
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2016 21:12:37 -0000

On 2/24/16 3:48 PM, Roman Shpount wrote:
> On Wed, Feb 24, 2016 at 3:36 PM, Paul Kyzivat <pkyzivat@alum.mit.edu
> <mailto:pkyzivat@alum.mit.edu>> wrote:
>
>     Can you (as the author of RFC4572) explain the use of multiple
>     fingerprints? The dtls-sdp draft talks about the possibility of
>     multiple fingerprints, but I can find no explanation of the
>     semantics of that.
>
>
> I think the original explanation was that TLS (or DTLS) session is
> terminated if none of the fingerprints matched. In other words, at least
> one fingerprint MUSt match for the session to be established,
>
> One of the use cases is when RTP and RTCP DTLS flows are using different
> certificates. In this case two fingerprint attributes will be added to
> SDP m= line. When separate DTLS associations are established for RTP and
> RTCP, each of these association will match one of the fingerprints and
> fail to match the other.

Where is that explained?

> Another use case is to generate an offer that will work with remote end
> points that support different certificate signature algorithms. For
> instance when transitioning from SHA-1 to SHA-256 two certificates would
> be created by the origination end point and fingerprints for both will
> be included. When DTLS association is negotiated, it will establish
> which certificate signature algorithm is supported by both parties and
> use the appropriate certificate. Once again, only one of the
> fingerprints will match.

But rfc4572 says:

    A certificate fingerprint MUST be computed using the same one-way
    hash function as is used in the certificate's signature algorithm.
    (This ensures that the security properties required for the
    certificate also apply for the fingerprint.  It also guarantees that
    the fingerprint will be usable by the other endpoint, so long as the
    certificate itself is.)

That seems to exclude creating fingerprints with multiple algorithms, or 
any need to do so.

Looking deeper, I find OLD TEXT (from 7345) that talks about multiple 
fingerprints, for differing cipher suites. So I guess in that case 
multiple certificates will also be presented, with a fingerprint for 
each, and it is only necessary to verify one of them.

But the NEW TEXT removes all of this, changing it to refer to *this* 
draft. But equivalent text isn't present in this draft!!!

	Thanks,
	Paul

v2.23.0 | Report a Bug | By Email