Re: [RAI] [dispatch] MSRP Expert Review of draft-pd-dispatch-msrp-websocket-04

Ben Campbell <ben@nostrum.com> Mon, 13 January 2014 22:43 UTC

From: Ben Campbell <ben@nostrum.com>
Date: Mon, 13 Jan 2014 16:43:34 -0600
To: Peter Dunkley <peter.dunkley@crocodilertc.net>
Cc: draft-pd-dispatch-msrp-websocket.all@tools.ietf.org, DISPATCH <dispatch@ietf.org>, rai@ietf.org

On Jan 13, 2014, at 3:41 AM, Peter Dunkley <peter.dunkley@crocodilertc.net> wrote:

> On 11 January 2014 21:54, Ben Campbell <ben@nostrum.com> wrote:
> 
> I don't have an answer for how to proceed, but at a minimum I would like to see considerably more discussion of the implications and any potential mitigation of this in the Security Considerations sections.
> 
> More discussion is certainly needed here.  The reason I chose to downgrade the security here was purely pragmatic.
> 
> As nice as it would be to make the security requirements for MSRP over WebSockets very strict it would also be utterly pointless as (right now and for the foreseeable future) it would not be possible to implement.

Understood. I think the conversation needs to cover the general case of "how do we handle things when new transport options take security decisions away from the application protocol implementations". MSRP is an especially interesting case due to the MUST USE requirement in RFC 4976.

Maybe that's already been discussed, but if so I've missed it.

Ben.