[Perc] Diet review of draft-ietf-perc-srtp-ekt-diet-03
Martin Thomson <martin.thomson@gmail.com> Tue, 14 March 2017 00:13 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE4D7129514 for <perc@ietfa.amsl.com>; Mon, 13 Mar 2017 17:13:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RDL3xLBfsJtN for <perc@ietfa.amsl.com>; Mon, 13 Mar 2017 17:13:39 -0700 (PDT)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB7751293DA for <perc@ietf.org>; Mon, 13 Mar 2017 17:13:39 -0700 (PDT)
Received: by mail-qk0-x22a.google.com with SMTP id y76so236393105qkb.0 for <perc@ietf.org>; Mon, 13 Mar 2017 17:13:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=HOAh3TPfAo4+xV3c+u9lELZf+cgcZHPA0JrE+Aps9IE=; b=ACkfyRxn91oK8RBrOYWZXsY9FyvbAcg8CTMC37h0D/VIMHPktoerBhLuBEnRKGpl9B F69ttpq1fMHzDQ7IDfmlEWXwl1El7I/HF+KO0/7bs95AcSeQaVJlC7I8Z9VTE762zlb8 zUrKdn1Jm5n58f9VqztiTd2Ir1xZjPdoQ5WimrPeAMugJxGPsWV2/2I6QulsvXOUMwEo BKZWAasQ+UG1eFjuM6SmDVkVKK0ZN2SLQ9CGj0UUpJjseDLwAjAuvkLi2UlvrOLZAWKC OQKyNj1z1W1hJ1Ha5h3fPZJY3Y6irS2VG8pasV6BCJ4tUcy3viRFJHvr9dlBHrYmPX93 rmag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=HOAh3TPfAo4+xV3c+u9lELZf+cgcZHPA0JrE+Aps9IE=; b=A8UYAH4FvpR0lwrZ0AuSxd7DVN3iJKKuc0ICGvlVQwMnZ16jm6wW1k4cKSMNJkFnHI Pj9Bx05rIaTUn+uWQ5k2gPnGO7Xkn/nbb3k5J2OIQgxgkLFf9tVss0HSVLqAs2bGBSk6 VZ9JO6J6gJvtKurWGBIqvSf8EQiOt0DI6AJz6Cx3antl/fqS/QIoJvSUOt4LZRIRLg27 jaNTWkgKl9S6WKDa0z2P9pKutBrfMEMuHoccRmf/e3C9P1WK4VPk3+o/H2N579vWEL0w SeMl6l0oJsZx9tZQRCis/9WPvaODAXlzSqohr3ox08WwIniAktatbhbQR+KeF9UGoCcl b7Uw==
X-Gm-Message-State: AMke39kIqn3V8dIV0QYjejTCPfjsytYWlwOyZX2zjwEd2K3WX9pm8+75h+4L3kDtK2pyi8uOEYkqHtT+5CFFmw==
X-Received: by 10.233.216.68 with SMTP id u65mr33397533qkf.68.1489450418748; Mon, 13 Mar 2017 17:13:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.27.194 with HTTP; Mon, 13 Mar 2017 17:13:38 -0700 (PDT)
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 14 Mar 2017 11:13:38 +1100
Message-ID: <CABkgnnWSNAGdKbj=uvPxvV6TZ0axJL8R6wUOMhGZx8kxpR4+aA@mail.gmail.com>
To: perc@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/pxXUM4u1VCZk5G6C_0hMN765qkg>
Subject: [Perc] Diet review of draft-ietf-perc-srtp-ekt-diet-03
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Mar 2017 00:13:40 -0000
If this is the diet version of the protocol, the full-blown version must have been mammoth, because this has lots of moving parts. Not that it can be trimmed much (see below), it's just an observation. This document really needs an overview of how the pieces fit together. It defines two separate mechanisms and the relationship between those is not very well articulated. A reader shouldn't have to read as much as I did to understand that you have: 1. a DTLS connection established between peers 2. that connection used to exchange an EKT key (or keys) indexed by SPI 3. each endpoint that sends SRTP occasionally sends the keys it is using to all recipients, encrypted under one of the EKT keys it knows In the Security Considerations: EKT inherits the security properties of the DTLS-SRTP (or other) keying it uses. This is untrue in a very important way. DTLS explicitly provides protection against key synchronization (certain attacks notwithstanding). The entire purpose of EKT is to enable key synchronization. This is introduction-worthy material in my opinion. Finally, a design complaint: this document adds a new message to TLS (one of the two key exchange methods). That message has an inner type that is extensible. I would prefer if this were to define multiple message types. In particular, DTLS 1.3 is adding acknowledgments at the DTLS layer, which will produce redundant mechanisms.
- [Perc] Diet review of draft-ietf-perc-srtp-ekt-di… Martin Thomson