Re: [RAI] [dispatch] MSRP Expert Review of draft-pd-dispatch-msrp-websocket-04

"Cullen Jennings (fluffy)" <fluffy@cisco.com> Wed, 29 January 2014 19:24 UTC

Return-Path: <fluffy@cisco.com>
X-Original-To: rai@ietfa.amsl.com
Delivered-To: rai@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4B011A03E9; Wed, 29 Jan 2014 11:24:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.036
X-Spam-Level:
X-Spam-Status: No, score=-110.036 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QE6YwV5Cpaeh; Wed, 29 Jan 2014 11:24:35 -0800 (PST)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) by ietfa.amsl.com (Postfix) with ESMTP id B37D01A0346; Wed, 29 Jan 2014 11:24:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2936; q=dns/txt; s=iport; t=1391023473; x=1392233073; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=6nVPrq+XYjWE3NgaJ+7wmhRqqmOYA9AyXXGHlXWNowQ=; b=bgCwXc0Sa5wRHNfQ2Z3tYmG5u51u+zEP8hSM0vPRlFoFkJVfhs9KvHRe 8yBQZy32ihpfJbWuXyEzw8pZ+PmPh/D3ABIVy7NbVpmsymIQardDcRbyd yaYXdGqo46r/tV9xvqqLc3oPVGBLr5lyi6f4z9kli/VQ05yedlgive9De c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ag0FACxU6VKtJXHA/2dsb2JhbABZgww4Vrw5T4EHFnSCJQEBAQMBAQEBaAMLBQsCAQgYLicLJQIEDgWHfQgNyX8TBI5MMweDJIEUBJgokh+DLYFqJBw
X-IronPort-AV: E=Sophos;i="4.95,743,1384300800"; d="scan'208";a="16471525"
Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by alln-iport-1.cisco.com with ESMTP; 29 Jan 2014 19:24:32 +0000
Received: from xhc-aln-x13.cisco.com (xhc-aln-x13.cisco.com [173.36.12.87]) by rcdn-core2-5.cisco.com (8.14.5/8.14.5) with ESMTP id s0TJOUMw004617 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 29 Jan 2014 19:24:30 GMT
Received: from xmb-aln-x02.cisco.com ([169.254.5.76]) by xhc-aln-x13.cisco.com ([173.36.12.87]) with mapi id 14.03.0123.003; Wed, 29 Jan 2014 13:24:29 -0600
From: "Cullen Jennings (fluffy)" <fluffy@cisco.com>
To: Peter Dunkley <peter.dunkley@crocodilertc.net>
Thread-Topic: [dispatch] [RAI] MSRP Expert Review of draft-pd-dispatch-msrp-websocket-04
Thread-Index: AQHPHSbhsOjdfxbdLEen8YpQET53pZqcebkA
Date: Wed, 29 Jan 2014 19:24:29 +0000
Message-ID: <DB0CE001-12CF-48F5-95A2-C948A17447AB@cisco.com>
References: <45B84D8F-AD8C-4B28-90DF-9B1C40771104@nostrum.com> <6833E320-7B45-4FC2-853B-62311DCF7E7B@nostrum.com> <A25E55DD-59E3-4F43-BE9A-6304378FAE0B@cisco.com> <CALiegf=mn1Lg6ihhf8hamn6rVpkLnF3ydGxm1tK1JaNMaioxoQ@mail.gmail.com> <CAEqTk6Q2Dv4a2P-8KJtK=xGZx=mmayt_YdagF2=JyoJ1oYQu7w@mail.gmail.com> <1E320318-64CE-4F8B-AB76-8C4A5244379A@cisco.com> <CALiegfmWXmOYu2gQj8b6=JgC2CfZoFJqebM=E6OrJ6j-QwLepg@mail.gmail.com> <8DB45325-9CCA-411C-A809-9B716616CE2F@cisco.com> <CAEqTk6RzkDVZaeOvAkD4JfLG_HGEYp+CXH6Nm7hMdSoLoyGLFg@mail.gmail.com>
In-Reply-To: <CAEqTk6RzkDVZaeOvAkD4JfLG_HGEYp+CXH6Nm7hMdSoLoyGLFg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.20.249.164]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <20F656351E498247BA9A9B38B573002F@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: =?Windows-1252?Q?I=F1aki_Baz_Castillo?= <ibc@aliax.net>, DISPATCH <dispatch@ietf.org>, "rai@ietf.org" <rai@ietf.org>, "draft-pd-dispatch-msrp-websocket.all@tools.ietf.org" <draft-pd-dispatch-msrp-websocket.all@tools.ietf.org>, Ben Campbell <ben@nostrum.com>
Subject: Re: [RAI] [dispatch] MSRP Expert Review of draft-pd-dispatch-msrp-websocket-04
X-BeenThere: rai@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Real-time Applications and Infrastructure \(RAI\)" <rai.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rai>, <mailto:rai-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rai/>
List-Post: <mailto:rai@ietf.org>
List-Help: <mailto:rai-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rai>, <mailto:rai-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jan 2014 19:24:38 -0000

Sure I understand. But understand that MSRP has a really bad downgrade attack if you allow self signed certs. So if you want to change MSRP so it is can self signed certs for the relay, then I suggest writing a draft to do mate that change to MSRP that is separate from the Websockets draft because this is an orthogonal issue to the web sockets. 

For people that don’t want to have to get a signed certificate, I’d suggest trying to look at how to design the system to not need MSRP relays. There is a long list of ways in which MSRP relays are a huge PITA. I wish we had never added them and instead had just used TURN, or SOCKS. 


On Jan 29, 2014, at 12:18 PM, Peter Dunkley <peter.dunkley@crocodilertc.net>; wrote:

> It's really just that using self-signed certificates in a browser is a real pain.
> 
> If you have a good signed certificate it all works out.  On an internal system many organisations don't buy certificates for internal use, people are used to making exceptions, seeing warnings, etc.  But right now today if your certificate is self signed and you haven't imported the right stuff into each device that might try and make the secure WebSocket connection, the certificate validation will fail and the connection won't be made.
> 
> I do get the argument that people and organisations SHOULD be more secure.  Telling them they MUST be more secure tends not to work.  I am happy to change the document to say MUST, but it comes back to the point that doing this would be because MUST is what we put in these documents rather than expecting people to actually do that in all situations.
> 
> 
> 
> 
> On 29 January 2014 13:29, Cullen Jennings (fluffy) <fluffy@cisco.com>; wrote:
> 
> On Jan 29, 2014, at 11:17 AM, Iñaki Baz Castillo <ibc@aliax.net>; wrote:
> 
> > 2014-01-29 Cullen Jennings (fluffy) <fluffy@cisco.com>;:
> >> On Jan 29, 2014, at 10:16 AM, Peter Dunkley <peter.dunkley@crocodilertc.net>; wrote:
> >>
> >>> Even if TLS is left as MUST all of the additional checks from the RFC cannot be enforced on the client because (in a browser) you don't have any access to that information.
> >>
> >> So help educate me on what is missing and lets go get that fixed in web sockets.
> >
> >
> > The browser inspects the certificate retrieved from the WS server in
> > the same way than when the browser connects to a HTTPS site. And the
> > certificate inspection means matching the server domain with the CN or
> > SubjectAltNames fields (DNS entries) and others usual checks.
> 
> 
> Right - that sounds good - so what is missing ?
> 
> 
> _______________________________________________
> dispatch mailing list
> dispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/dispatch
> 
> 
> 
> -- 
> Peter Dunkley
> Technical Director
> Crocodile RCS Ltd