Re: [MMUSIC] Draft new version: draft-ietf-mmusic-dtls-sdp-11
Roman Shpount <roman@telurix.com> Mon, 21 March 2016 17:52 UTC
Return-Path: <roman@telurix.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C21C12D9A6 for <mmusic@ietfa.amsl.com>; Mon, 21 Mar 2016 10:52:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=telurix-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vK_T8pOKrngr for <mmusic@ietfa.amsl.com>; Mon, 21 Mar 2016 10:52:00 -0700 (PDT)
Received: from mail-io0-x22e.google.com (mail-io0-x22e.google.com [IPv6:2607:f8b0:4001:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 576D112D9B3 for <mmusic@ietf.org>; Mon, 21 Mar 2016 10:52:00 -0700 (PDT)
Received: by mail-io0-x22e.google.com with SMTP id 124so65973209iov.3 for <mmusic@ietf.org>; Mon, 21 Mar 2016 10:52:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telurix-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=KuM0tAhdaGyT4xmiJSmI4N6YPuiCMTo8znvVlZf6Nzk=; b=kAup2osoSDr30fsj3efFBS6YPd/OBwU3DZ5KwrYNK2SLQNCcVSfuqjbT4rKksZrFCk gr/EcsGQPwUQOgcsJPnnLmGNKLPrs0UTK+n4QVc1biwKzJvmC8PVcZaawEYnY9+p7jGa GuL0zRWglxIT3sD5K2mb/pm8NjhJBSFTaOEGnl9k650wK7EOMEfMK9IoFc0eR6Sv1ERt LBsntL7KmfW8qQts6XrGEuN8R0MxsTh4K9GYLN1VHthTZGf0G2H1WICkL2nXtXjRBAgz 4BL+fOVjK5CFp7QmWz50YNzto2jjXFldhbTpcTQ7Qhdj7C0/VPb1oe6p1WJz6qq7ZHqc veig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=KuM0tAhdaGyT4xmiJSmI4N6YPuiCMTo8znvVlZf6Nzk=; b=EHHITu1OjALekXY8xB6vDmdSqtzdGMoIitu8ParZ8vWlowufevaWYSkC2b8flpE2Ou zy9zgEYAi/N4xJA/3s6fD4u6QQQiUI2KyAkVFl/h6nuY9mBgP3Xq/F+Oo9ZkP4rczJxh //7lkMxYiunWUHfQMKJMXLt1Zt3n90jynIEG03bNjQpuZKCxY1dkmSyCnZRrHMQMeVhn +CXgx/S/sT/OYfOCCdOKFu+g2DKjwIdIN22fJjkT+oKKVBgED57wrrk2dx5QqbQmHNxB T1L7078x0UmQSyevHIicBZbM46Q7DaAmJArTSAHPLj/JZ5Wzy7zL1uUp8jUFMXrOizup He0w==
X-Gm-Message-State: AD7BkJLuOo30BWwVxdDyYIBgLbWKo67SgoqBS8IiMMzr04gZd8PA18HS2THM+lV5+K62cg==
X-Received: by 10.107.8.232 with SMTP id h101mr30231733ioi.93.1458582719544; Mon, 21 Mar 2016 10:51:59 -0700 (PDT)
Received: from mail-io0-f174.google.com (mail-io0-f174.google.com. [209.85.223.174]) by smtp.gmail.com with ESMTPSA id k10sm11047863iod.3.2016.03.21.10.51.58 for <mmusic@ietf.org> (version=TLSv1/SSLv3 cipher=OTHER); Mon, 21 Mar 2016 10:51:58 -0700 (PDT)
Received: by mail-io0-f174.google.com with SMTP id m184so218246779iof.1 for <mmusic@ietf.org>; Mon, 21 Mar 2016 10:51:58 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.107.157.70 with SMTP id g67mr27469321ioe.38.1458582717709; Mon, 21 Mar 2016 10:51:57 -0700 (PDT)
Received: by 10.36.106.194 with HTTP; Mon, 21 Mar 2016 10:51:57 -0700 (PDT)
In-Reply-To: <56F02940.7010308@alum.mit.edu>
References: <7594FB04B1934943A5C02806D1A2204B37EF6200@ESESSMB209.ericsson.se> <56F02940.7010308@alum.mit.edu>
Date: Mon, 21 Mar 2016 13:51:57 -0400
X-Gmail-Original-Message-ID: <CAD5OKxscUbk8Xat_80Yv-3HSX3TCUwi76RG4Z4hoO+MW7Ae=hw@mail.gmail.com>
Message-ID: <CAD5OKxscUbk8Xat_80Yv-3HSX3TCUwi76RG4Z4hoO+MW7Ae=hw@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
Content-Type: multipart/alternative; boundary="001a1140b472c3f515052e92c0a0"
Archived-At: <http://mailarchive.ietf.org/arch/msg/mmusic/ysCglYK_ISy5hcqB_Npf8VoeR3E>
Cc: "mmusic@ietf.org" <mmusic@ietf.org>
Subject: Re: [MMUSIC] Draft new version: draft-ietf-mmusic-dtls-sdp-11
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2016 17:52:02 -0000
On Mon, Mar 21, 2016 at 1:02 PM, Paul Kyzivat <pkyzivat@alum.mit.edu> wrote: > On 3/21/16 10:46 AM, Christer Holmberg wrote: > >> Hi, >> >> We’ve submitted a new version (-11) of draft-ietf-mmusic-dtls-sdp. >> >> The draft now defines an SDP ‘dtls-association-id’ attribute, replacing >> the previous ‘dtls-connection’ attribute. >> > > * Section 5.1 > > SDP offerers and answerers might reuse certificates across multiple > DTLS associations, and provide identical fingerprint values for each > DTLS association. It MUST be ensured that the combination of the > fingerprint values and the SDP 'dtls-association-id' attribute value > is unique across all DTLS associations. > > If an SDP offerer or answerer generates a new temporary self-signed > certificate for each new DTLS association, they can omit the SDP > 'dtls-association-id' attribute. > > Is the last paragraph above just stating a degenerate case of the prior > paragraph? IOW, if the certificate is new, then the fingerprint will also > be new, and so the combination of the fingerprint with the (empty) > dtls-association-id will be unique? > Yes, this is as you described a degenerative case of the above. > It might be clearer to reframe the rules and matching process throughout > the draft as matching 'dtls-association-id'||'fingerprint', where > 'dtls-association-id' is "" if not specified. > Agreed * Section 5.2 > > This says that one or more fingerprints must be included in the initial > offer. But fingerprints will only be available if the offerer is intending > to supply a certificate. That implies either that the offerer will be the > DTLS server, or else that client authentication is to be done. AFAIK > neither of these is necessarily true. In this usage is there any value to > client authentication? > > So I think more needs to be said about this. > > What if the offer includes 'a=setup:actpass'? Must the offerer include the > fingerprint for the cert it will use *if* it becomes server? > I think we need to spell out that when DTLS SDP is used both parties are authenticated and server and client certificates are always provided. If client or server does not provide the certificate, connection must be torn down. Because of this fingerprint attributes MUST always be provided. This might be something that belongs in RFC4572bis, if it is not already in RFC4572. > * Section 5.3: > > A couple of places talk about "a 'dtls-association-id' attribute with a > previously assigned value". > > I think that needs to say "a 'dtls-association-id' attribute with *the* > previously assigned value". Otherwise it might match a value used earlier, > but not most recently. > > (This issue may exist in other sections too.) > Thank you for catching this. We will review the text for this issue. ______________ Roman Shpount
- [MMUSIC] Draft new version: draft-ietf-mmusic-dtl… Christer Holmberg
- Re: [MMUSIC] Draft new version: draft-ietf-mmusic… Paul Kyzivat
- Re: [MMUSIC] Draft new version: draft-ietf-mmusic… Roman Shpount