Re: [MMUSIC] WGLC on draft-ietf-mmusic-dtls-sdp-06.txt

Roman Shpount <roman@telurix.com> Thu, 25 February 2016 18:57 UTC

In-Reply-To: <0EF1AF5F-3AB7-4251-A2C7-C3EF423E917E@vidyo.com>
References: <56B4CDCF.4080100@cisco.com> <56CA320D.9050306@cisco.com> <7594FB04B1934943A5C02806D1A2204B37E389BF@ESESSMB209.ericsson.se> <56CCBE6A.7090709@alum.mit.edu> <7594FB04B1934943A5C02806D1A2204B37E3E3AB@ESESSMB209.ericsson.se> <56CDE4FB.6090002@alum.mit.edu> <7594FB04B1934943A5C02806D1A2204B37E400B7@ESESSMB209.ericsson.se> <56CE145F.5090903@alum.mit.edu> <7594FB04B1934943A5C02806D1A2204B37E4013D@ESESSMB209.ericsson.se> <CABkgnnU2kswQBH=qr6M+wXK8txH4=wA3PLFmTZtZf62KdggNfQ@mail.gmail.com> <56CE24DE.6090300@alum.mit.edu> <CABkgnnUMwweQ0GTsdbvMd9ZJ9vcO5FdMAzZQ-7gW_ukiGyp47A@mail.gmail.com> <0EF1AF5F-3AB7-4251-A2C7-C3EF423E917E@vidyo.com>
Date: Thu, 25 Feb 2016 13:57:07 -0500
Message-ID: <CAD5OKxtVyxE=udiSS2qe_kaGS6Lcwum2iNBY+wOSJ3c60CmzxQ@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: Jonathan Lennox <jonathan@vidyo.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/mmusic/wXSdRsrDRhEYNFxW5jGjgVHySEY>
Cc: mmusic <mmusic@ietf.org>, Paul Kyzivat <pkyzivat@alum.mit.edu>, Christer Holmberg <christer.holmberg@ericsson.com>
Subject: Re: [MMUSIC] WGLC on draft-ietf-mmusic-dtls-sdp-06.txt
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>

There are two options possible here:

1. Make the current draft-ietf-mmusic-dtls-sdp draft update RFC 4572 and cover TLS
as well, essentially making it draft-ietf-mmusic-tls-and-dtls-sdp.

2. Limit the scope of draft-ietf-mmusic-dtls-sdp to DTLS only. Completely
define how the setup and fingerprint attributes are used there for DTLS only.
Let some future draft update RFC 4572.

What is the preference here given that either option will require another
major edit for draft-ietf-mmusic-dtls-sdp?

Regards,

_____________
Roman Shpount

On Thu, Feb 25, 2016 at 10:41 AM, Jonathan Lennox <jonathan@vidyo.com>
wrote:

> I can certainly agree that 4572 could use an update. I didn’t completely
> understand what I was doing when I wrote it; in particular, the idea that
> the certificate was just a repository for the public key wasn’t something I
> had completely grasped, and the hash agility was confused.
>
> > On Feb 24, 2016, at 5:01 PM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
> >
> > On 24 February 2016 at 13:47, Paul Kyzivat <pkyzivat@alum.mit.edu>
> wrote:
> >> If we are going to make normative references to multiple fingerprints we
> >> need some place authoritative to reference for the details.
> >
> > I recommend judicious use of copy and paste.  Feel free to steal text
> > that I wrote.
> >
> > FWIW, my reading of 4572 is that it permits multiple fingerprints: one
> > for each certificate that might be used.  Its failing is that a) it
> > doesn't allow for hash agility, and b) it's unclear, perhaps in the
> > extreme.
> >
> > However, I see this:
> >
> >   Endpoints MUST support SHA-256 for generating and verifying the
> >   fingerprint value associated with the DTLS association.  The use of
> >   SHA-256 is preferred.
> >
> > Which doesn't mention that this requires an update of 4572.
> >
> > And this:
> >
> >   The certificate received during the DTLS handshake MUST match the
> >   fingerprint received in the SDP "fingerprint" attribute.
> >
> > Which should say '*a* fingerprint', to allow for there being multiple.
> >
> > And this:
> >
> >   [...]  In addition, the offerer
> >   MUST insert an SDP 'setup' attribute according to the procedures in
> >   [RFC4145], and an SDP 'fingerprint' attribute according to the
> >   procedures in [RFC4572], in the offer.
> >
> > Which doesn't deal with multiple certificates.
> >
> > I also see:
> >
> >   The
> >   subjectAltName is not an important component of the certificate
> >   verification.
> >
> > Which is true but insufficient; the text can simply say that the
> > certificate is only a receptacle for a public key and authentication
> > is tied to an a=fingerprint line in the SDP.
> >
> > And this:
> >
> >   This offer includes, as part of the SDP payload, the fingerprint of
> >   the certificate that the endpoint wants to use.  The endpoint SHOULD
> >
> > Which should be plural fingerprint*s*.
> >
> > The pattern repeats throughout.
>
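The points raised in the quoted review (the handshake certificate must match *a* fingerprint rather than *the* fingerprint, and the fingerprint attribute needs hash agility) are easiest to see in code. The following Python is an added example written for this archive page; it is not code from the draft, from RFC 4572, or from any participant in the thread. It parses every `a=fingerprint:` line in an SDP description, recomputes the fingerprint of the certificate presented in the DTLS handshake under the hash function named on each line, and accepts the certificate if it matches any acceptable fingerprint. The DER certificate bytes and the SDP are constructed inline; the `ACCEPTABLE` policy set and the helper names are assumptions of this example, not requirements stated on the page.

```python
import hashlib
import hmac
import re

# RFC 4572 hash-func token -> hashlib algorithm name.
HASH_FUNCS = {
    "md5": "md5",
    "sha-1": "sha1",
    "sha-224": "sha224",
    "sha-256": "sha256",
    "sha-384": "sha384",
    "sha-512": "sha512",
}

# Local policy (assumption of this example): which hash functions a verifier
# will trust. draft-ietf-mmusic-dtls-sdp requires SHA-256 support; md5 and
# sha-1 fingerprints are parsed but never used to authenticate a peer.
ACCEPTABLE = {"sha-256", "sha-384", "sha-512"}

# a=fingerprint:<hash-func> <upper/lower-hex bytes separated by colons>
FP_RE = re.compile(
    r"^a=fingerprint:([A-Za-z0-9-]+)\s+((?:[0-9A-Fa-f]{2}:)*[0-9A-Fa-f]{2})\s*$"
)


def parse_fingerprints(sdp: str):
    """Return [(hash_func, digest_bytes), ...] for every fingerprint attribute.

    Several lines are allowed: one per certificate the peer might present.
    """
    result = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if not line.startswith("a=fingerprint:"):
            continue
        m = FP_RE.match(line)
        if not m:
            raise ValueError(f"malformed fingerprint attribute: {line!r}")
        func = m.group(1).lower()
        digest = bytes.fromhex(m.group(2).replace(":", ""))
        result.append((func, digest))
    return result


def certificate_fingerprint(cert_der: bytes, hash_func: str) -> bytes:
    """Fingerprint = hash of the DER-encoded certificate (RFC 4572 semantics)."""
    algo = HASH_FUNCS.get(hash_func.lower())
    if algo is None:
        raise ValueError(f"unsupported hash function: {hash_func}")
    return hashlib.new(algo, cert_der).digest()


def fingerprint_attribute(cert_der: bytes, hash_func: str) -> str:
    """Build the a=fingerprint line an offerer/answerer would put in its SDP."""
    digest = certificate_fingerprint(cert_der, hash_func)
    return "a=fingerprint:%s %s" % (hash_func, ":".join("%02X" % b for b in digest))


def certificate_matches_sdp(cert_der: bytes, sdp: str) -> bool:
    """True if the handshake certificate matches *a* fingerprint in the SDP.

    Fingerprints under non-acceptable hash functions are skipped, so a peer
    that only advertises an md5 fingerprint is rejected even if it matches.
    """
    for func, expected in parse_fingerprints(sdp):
        if func not in ACCEPTABLE:
            continue
        if len(expected) != hashlib.new(HASH_FUNCS[func]).digest_size:
            continue  # wrong length for the named hash; cannot be a valid match
        actual = certificate_fingerprint(cert_der, func)
        if hmac.compare_digest(actual, expected):  # constant-time comparison
            return True
    return False


# Constructed stand-ins for two DER-encoded certificates the offerer might use
# (for example an RSA and an ECDSA certificate); real code would take the
# bytes from the DTLS handshake.
CERT_A = b"constructed-der-certificate-A"
CERT_B = b"constructed-der-certificate-B"

# Constructed offer: one fingerprint per candidate certificate plus a legacy
# md5 line that the verifier must ignore.
SDP_OFFER = "\r\n".join([
    "v=0",
    "m=audio 54400 UDP/TLS/RTP/SAVPF 0",
    "a=setup:actpass",
    fingerprint_attribute(CERT_A, "sha-256"),
    fingerprint_attribute(CERT_B, "sha-256"),
    fingerprint_attribute(CERT_B, "md5"),
]) + "\r\n"


if __name__ == "__main__":
    for name, cert in (("A", CERT_A), ("B", CERT_B), ("other", b"someone-else")):
        print(name, certificate_matches_sdp(cert, SDP_OFFER))
```

Note that the verifier never looks inside the certificate (subjectAltName, issuer, validity): as the quoted review says, the certificate is only a receptacle for the public key, and authentication is tied entirely to the fingerprint lines carried in the signalling.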