IETF Logo Mail Archive

Re: [rtcweb] How to determine TLS roles?

Tim Panton <tim@phonefromhere.com> Tue, 11 February 2014 10:08 UTC

Return-Path: <tim@phonefromhere.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 404671A092A for <rtcweb@ietfa.amsl.com>; Tue, 11 Feb 2014 02:08:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.299
X-Spam-Level:
X-Spam-Status: No, score=-1.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_56=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CG3HI6aipCwd for <rtcweb@ietfa.amsl.com>; Tue, 11 Feb 2014 02:08:07 -0800 (PST)
Received: from smtp001.apm-internet.net (smtp001-out.apm-internet.net [85.119.248.222]) by ietfa.amsl.com (Postfix) with ESMTP id 6CB8D1A07E0 for <rtcweb@ietf.org>; Tue, 11 Feb 2014 02:08:06 -0800 (PST)
Received: (qmail 68853 invoked from network); 11 Feb 2014 10:08:05 -0000
X-AV-Scan: clean
X-APM-Authkey: 83769 3013
Received: from unknown (HELO zimbra003.verygoodemail.com) (85.119.248.218) by smtp001.apm-internet.net with SMTP; 11 Feb 2014 10:08:05 -0000
Received: from zimbra003.verygoodemail.com (localhost [127.0.0.1]) by zimbra003.verygoodemail.com (Postfix) with ESMTP id 4FCFE18A0555; Tue, 11 Feb 2014 10:08:05 +0000 (GMT)
Received: from limit.westhawk.co.uk (limit.westhawk.co.uk [192.67.4.33]) by zimbra003.verygoodemail.com (Postfix) with ESMTPSA id F052718A01D1; Tue, 11 Feb 2014 10:08:04 +0000 (GMT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_F9F913AA-78E7-4BA2-9C1E-543A1977AB7D"
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Tim Panton <tim@phonefromhere.com>
In-Reply-To: <CABcZeBMymHUdEHCP6cmQrEe1qEWM+0ixkB61TjXHN5+CwZ+2Ng@mail.gmail.com>
Date: Tue, 11 Feb 2014 10:08:03 +0000
Message-Id: <062345FE-A68C-4380-A0DB-ED6F3D20C2FB@phonefromhere.com>
References: <7594FB04B1934943A5C02806D1A2204B1D1672FC@ESESSMB209.ericsson.se> <9ADA7473-1F36-4D96-A875-D2DC0762E9C2@phonefromhere.com> <7594FB04B1934943A5C02806D1A2204B1D1673C4@ESESSMB209.ericsson.se> <54B6400D-3753-4285-96DB-08EDB23BD03F@phonefromhere.com> <7594FB04B1934943A5C02806D1A2204B1D1674E9@ESESSMB209.ericsson.se> <CABcZeBOyQeLSwYjKt7hNqn0WViHYhvLmsGecmwCWyGNgUdgSnA@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B1D167825@ESESSMB209.ericsson.se> <CABcZeBM520F4BAuWkRrdFvUD7yha1CR8xMo74fnf=pQwSvj32g@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B1D167F68@ESESSMB209.ericsson.se> <CABcZeBO2MvWOtK3Ok+SZTyGCfJRuW52yn3Ts4FJDD9foHFjb8Q@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B1D169003@ESESSMB209.ericsson.se> <CABcZeBMymHUdEHCP6cmQrEe1qEWM+0ixkB61TjXHN5+CwZ+2Ng@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
X-Mailer: Apple Mail (2.1827)
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] How to determine TLS roles?
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2014 10:08:10 -0000

On 11 Feb 2014, at 08:01, Eric Rescorla <ekr@rtfm.com> wrote:

> 
> 
> 
> On Mon, Feb 10, 2014 at 11:56 PM, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
> Hi,
> 
> >>>> Q2: If SDP O/A is not used on the wire, there needs to be another mechanism for the peers to negotiate/indicate who is "active" and who is "passive"?
> >>>
> >>> I don't see how this is our problem.
> >>Ok, let me rephrase: we use SDP O/A in the API between the JS App and the browser, and the RFCs you pointed to above say that the SDP setup attribute is used to negotiate the roles.
> >>
> >>So, can the JS App, using the setup attribute, control the DTLS role in the browser
> >
> > That ties into the general question of which a-lines can be modified in
> > the JS app. It's no more decided than those questions.
> 
> So, if I understand correctly, currently the JS App CANNOT control the browser DTLS role?
> 
> Well, that may turn out to be the case, but it's not what I said.
> 
> JSEP Section 6 contains a list of which SDP parameters can
> be manipulated by the JS, however, it's clearly unfinished.
> 
> http://tools.ietf.org/html/draft-ietf-rtcweb-jsep-05#section-6
> 
> Thus, it seems to me to be an open question whether the JS
> can manipulate this field.

But be aware those rules apply to manipulation that happens between 
createOffer and setLocalDescription

In concrete terms this means that a browser might create an offer (with setup:actpass)
set it unaltered as the local description, then send it to a peer.
The peer might reply with an answer with setup:active

This signals that the remote peer wants to be the DTLS client - and the offer said that the local browser was ok with that.
So this example allows the normal roles to be reversed, the non-initiator would be the DTLS client.

However, in a browser-to-browser call this may not be possible, because the JS at the far end may not be
allowed (see above) to change the setup: field between createAnswer() and setting it locally.

A gateway might not feel bound by such rules (code permitting).

Tim.

> 
> -Ekr
>

v2.23.0 | Report a Bug | By Email