[MMUSIC] BUNDLE: Security Considerations TODO

Christer Holmberg <christer.holmberg@ericsson.com> Tue, 02 September 2014 11:58 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/mmusic/v-oZAbQzORwuG1t8Jjhz46WXENo
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>

Hi,

In BUNDLE, we have the following TODO in the security considerations:

  "TODO: Think carefully about security analysis of reuse of same SDES
   key on multiple "m=" lines when the far end does not use BUNDLE and
   warn developers of any risks."

Isn't this solved by including unique keys in the initial offer, and then using the same keys IF the other endpoint uses BUNDLE - similar to ICE candidates etc.?

I would be thankful for any input text in order to address this :)

Regards,

Christer
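
A check for the condition the TODO describes, as an added example that is not part of the original message: it parses an SDP offer and reports any SDES "a=crypto" inline key that appears on more than one "m=" line. The sample offer, the placeholder keys and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed placeholder keys (base64 of 30 bytes), not from any real session.
KEY_A = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0"
KEY_B = "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0"

def make_offer(audio_key, video_key):
    """Build a constructed two-section SDP offer carrying SDES keys (RFC 4568)."""
    return "\r\n".join([
        "v=0", "o=- 1 1 IN IP4 192.0.2.1", "s=-", "c=IN IP4 192.0.2.1", "t=0 0",
        "a=group:BUNDLE audio video",
        "m=audio 10000 RTP/SAVP 0", "a=mid:audio",
        f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{audio_key}|2^31",
        "m=video 10002 RTP/SAVP 96", "a=mid:video",
        f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{video_key}|2^31",
    ]) + "\r\n"

# a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
CRYPTO_RE = re.compile(r"^a=crypto:\d+\s+\S+\s+(\S+)")

def sdes_keys_by_section(sdp):
    """Map each m= section (labelled by a=mid, else by position) to its inline keys."""
    sections, label, count = {}, None, 0
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            count += 1
            label = f"m#{count}"
            sections[label] = set()
        elif label and line.startswith("a=mid:"):
            sections[line[6:]] = sections.pop(label)  # relabel section by its mid
            label = line[6:]
        elif label and (m := CRYPTO_RE.match(line)):
            for param in m.group(1).split(";"):       # several key-params are allowed
                if param.startswith("inline:"):
                    # Drop the optional |lifetime and |MKI:length suffixes.
                    sections[label].add(param[7:].split("|")[0])
    return sections

def reused_sdes_keys(sdp):
    """Return {key: [section labels]} for every key offered on more than one m= line."""
    seen = defaultdict(list)
    for label, keys in sdes_keys_by_section(sdp).items():
        for key in keys:
            seen[key].append(label)
    return {key: labels for key, labels in seen.items() if len(labels) > 1}

if __name__ == "__main__":
    print("unique keys:", reused_sdes_keys(make_offer(KEY_A, KEY_B)))
    print("shared key :", reused_sdes_keys(make_offer(KEY_A, KEY_A)))
```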